

Merge pull request #17 from RedHatProductSecurity/add-release-time-rp…
…m-sbom-examples

Add examples of release-time RPM SBOMs
mprpic authored Aug 19, 2024
2 parents abb232c + d2e256c commit 63b08a7
Showing 15 changed files with 34,944 additions and 7 deletions.
1 change: 1 addition & 0 deletions requirements/dev-requirements.in
@@ -1,3 +1,4 @@
black
check-jsonschema
packageurl-python
ruff
4 changes: 4 additions & 0 deletions requirements/dev-requirements.txt
Expand Up @@ -156,6 +156,10 @@ mypy-extensions==1.0.0 \
--hash=sha256:4392f6c0eb8a5668a69e23d168ffa70f0be9ccfd32b5cc2d26a34ae5b844552d \
--hash=sha256:75dbf8955dc00442a438fc4d0666508a9a97b6bd41aa2f0ffe9d2f2725af0782
# via black
packageurl-python==0.15.6 \
--hash=sha256:a40210652c89022772a6c8340d6066f7d5dc67132141e5284a4db7a27d0a8ab0 \
--hash=sha256:cbc89afd15d5f4d05db4f1b61297e5b97a43f61f28799f6d282aff467ed2ee96
# via -r requirements/dev-requirements.in
packaging==24.1 \
--hash=sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002 \
--hash=sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124
66 changes: 63 additions & 3 deletions sbom/examples/product/rhel-9.2-eus.spdx.json
Expand Up @@ -38,17 +38,77 @@
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-eus-rpms"
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-eus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-aus-rpms"
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-s390x-baseos-eus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-e4s-rpms"
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-eus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-i686-baseos-eus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-eus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-aus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-s390x-baseos-aus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-aus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-i686-baseos-aus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-aus-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-e4s-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-s390x-baseos-e4s-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-e4s-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-i686-baseos-e4s-source-rpms"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-e4s-source-rpms"
}
],
"checksums": [
File renamed without changes.
File renamed without changes.
5 changes: 5 additions & 0 deletions sbom/examples/rpm/build/regenerate.sh
@@ -0,0 +1,5 @@
#!/usr/bin/env bash

for example in *.json; do
python3 from-koji.py "$@" "${example%.spdx.json}"
done
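Review bot: The glob in `for example in *.json; do` expands relative to the caller's working directory and, without `nullglob`, falls through to the literal string `*.json` when nothing matches, so `from-koji.py` would be invoked with the argument `*.json` (the `${example%.spdx.json}` strip does not apply to it). Adding `set -euo pipefail` and `shopt -s nullglob` before the loop, plus `cd "$(dirname "$0")"` so the script finds `from-koji.py` and the examples wherever it is invoked from, would make regeneration deterministic and stop on the first failed example instead of continuing. Narrowing the pattern to `*.spdx.json` would also keep the loop to the files the suffix strip is written for.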
4 changes: 0 additions & 4 deletions sbom/examples/rpm/regenerate.sh

This file was deleted.

85 changes: 85 additions & 0 deletions sbom/examples/rpm/release/add_release_data.py
@@ -0,0 +1,85 @@
import json
import sys

from packageurl import PackageURL

repo_id_map = {
# https://access.redhat.com/downloads/content/openshift-pipelines-client/1.15.0-11496.el8/x86_64/fd431d51/package
"openshift-pipelines-client-1.14.3-11352.el8": ["pipelines-1.14-for-rhel-8-{arch}-rpms"],
# https://access.redhat.com/downloads/content/openssl/3.0.7-18.el9_2/x86_64/fd431d51/package
"openssl-3.0.7-18.el9_2": [
"rhel-9-for-{arch}-baseos-eus-rpms",
"rhel-9-for-{arch}-baseos-aus-rpms",
"rhel-9-for-{arch}-baseos-e4s-rpms",
],
# https://access.redhat.com/downloads/content/poppler/21.01.0-19.el9/x86_64/fd431d51/package
"poppler-21.01.0-19.el9": [
"rhel-9-for-{arch}-appstream-rpms",
"rhel-9-for-{arch}-baseos-eus-rpms",
"rhel-9-for-{arch}-baseos-aus-rpms",
"rhel-9-for-{arch}-baseos-e4s-rpms",
],
}


def get_rpm_purl(ext_refs):
purl_str = next(
(ref["referenceLocator"] for ref in ext_refs if ref["referenceType"] == "purl"),
None,
)
if purl_str is None or (not purl_str.startswith("pkg:rpm/redhat")):
return None
return PackageURL.from_string(purl_str)


sbom_file = sys.argv[1]
sbom_name = sbom_file.rsplit("/", 1)[-1].removesuffix(".spdx.json")

if sbom_name not in repo_id_map:
print(f"ERROR: Repo ID mapping for {sbom_name} not defined!")
sys.exit(1)

with open(sbom_file) as fp:
sbom = json.load(fp)

all_arches = set()
for pkg in sbom["packages"]:
purl = get_rpm_purl(pkg.get("externalRefs", []))
if purl is not None and purl.qualifiers["arch"] != "src":
all_arches.add(purl.qualifiers["arch"])

for pkg in sbom["packages"]:
purl = get_rpm_purl(pkg.get("externalRefs", []))
if purl is None:
continue

new_refs = []
for repo_id in repo_id_map[sbom_name]:
if purl.qualifiers["arch"] == "src":
for arch in all_arches:
purl.qualifiers["repository_id"] = (
repo_id.format(arch=arch).removesuffix("-rpms") + "-source-rpms"
)
release_ref = {
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": purl.to_string(),
}
new_refs.append(release_ref)
else:
if purl.name.endswith("-debugsource"):
repo_id = repo_id.removesuffix("-rpms") + "-source-rpms"
elif purl.name.endswith("-debuginfo"):
repo_id = repo_id.replace("-rpms", "-debug-rpms")
purl.qualifiers["repository_id"] = repo_id.format(arch=purl.qualifiers["arch"])
release_ref = {
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": purl.to_string(),
}
new_refs.append(release_ref)

pkg["externalRefs"] = new_refs

with open(f"{sbom_name}.spdx.json", "w") as fp:
json.dump(sbom, fp, indent=2)
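Review bot: The branch at `if purl.name.endswith("-debugsource"):` routes debugsource packages into the `-source-rpms` repository, but debugsource RPMs are binary packages that, as far as I know, ship alongside `-debuginfo` in the `-debug-rpms` repositories while `-source-rpms` carries only SRPMs; the two cases could collapse to `if purl.name.endswith(("-debugsource", "-debuginfo")): repo_id = repo_id.replace("-rpms", "-debug-rpms")`. The arch set built at `all_arches.add(purl.qualifiers["arch"])` takes every binary arch literally, so a `noarch` subpackage would produce a `rhel-9-for-noarch-...-source-rpms` locator, and the `i686` entries now present in `rhel-9.2-eus.spdx.json` name repositories I do not believe exist on the CDN (multilib i686 content is served from the x86_64 repos); mapping `noarch` and `i686` onto the real repository arches before `format(arch=...)` would avoid publishing purls that consumers cannot resolve. Separately, `pkg["externalRefs"] = new_refs` drops any pre-existing non-purl reference on a package, and `purl.qualifiers["arch"]` raises KeyError for an rpm purl that has no arch qualifier; if both are intended, a comment saying so would help, otherwise use `purl.qualifiers.get("arch")` and extend rather than replace the list.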
