-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #17 from RedHatProductSecurity/add-release-time-rp…
…m-sbom-examples Add examples of release-time RPM SBOMs
- Loading branch information
Showing
15 changed files
with
34,944 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
black | ||
check-jsonschema | ||
packageurl-python | ||
ruff |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -38,17 +38,77 @@ | |
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-eus-rpms" | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-eus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-aus-rpms" | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-s390x-baseos-eus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-e4s-rpms" | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-eus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-i686-baseos-eus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-eus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-aus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-s390x-baseos-aus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-aus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-i686-baseos-aus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-aus-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-e4s-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-s390x-baseos-e4s-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-e4s-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-i686-baseos-e4s-source-rpms" | ||
}, | ||
{ | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-e4s-source-rpms" | ||
} | ||
], | ||
"checksums": [ | ||
|
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
#!/usr/bin/env bash | ||
|
||
for example in *.json; do | ||
python3 from-koji.py "$@" "${example%.spdx.json}" | ||
done |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
import json | ||
import sys | ||
|
||
from packageurl import PackageURL | ||
|
||
repo_id_map = { | ||
# https://access.redhat.com/downloads/content/openshift-pipelines-client/1.15.0-11496.el8/x86_64/fd431d51/package | ||
"openshift-pipelines-client-1.14.3-11352.el8": ["pipelines-1.14-for-rhel-8-{arch}-rpms"], | ||
# https://access.redhat.com/downloads/content/openssl/3.0.7-18.el9_2/x86_64/fd431d51/package | ||
"openssl-3.0.7-18.el9_2": [ | ||
"rhel-9-for-{arch}-baseos-eus-rpms", | ||
"rhel-9-for-{arch}-baseos-aus-rpms", | ||
"rhel-9-for-{arch}-baseos-e4s-rpms", | ||
], | ||
# https://access.redhat.com/downloads/content/poppler/21.01.0-19.el9/x86_64/fd431d51/package | ||
"poppler-21.01.0-19.el9": [ | ||
"rhel-9-for-{arch}-appstream-rpms", | ||
"rhel-9-for-{arch}-baseos-eus-rpms", | ||
"rhel-9-for-{arch}-baseos-aus-rpms", | ||
"rhel-9-for-{arch}-baseos-e4s-rpms", | ||
], | ||
} | ||
|
||
|
||
def get_rpm_purl(ext_refs): | ||
purl_str = next( | ||
(ref["referenceLocator"] for ref in ext_refs if ref["referenceType"] == "purl"), | ||
None, | ||
) | ||
if purl_str is None or (not purl_str.startswith("pkg:rpm/redhat")): | ||
return None | ||
return PackageURL.from_string(purl_str) | ||
|
||
|
||
sbom_file = sys.argv[1] | ||
sbom_name = sbom_file.rsplit("/", 1)[-1].removesuffix(".spdx.json") | ||
|
||
if sbom_name not in repo_id_map: | ||
print(f"ERROR: Repo ID mapping for {sbom_name} not defined!") | ||
sys.exit(1) | ||
|
||
with open(sbom_file) as fp: | ||
sbom = json.load(fp) | ||
|
||
all_arches = set() | ||
for pkg in sbom["packages"]: | ||
purl = get_rpm_purl(pkg.get("externalRefs", [])) | ||
if purl is not None and purl.qualifiers["arch"] != "src": | ||
all_arches.add(purl.qualifiers["arch"]) | ||
|
||
for pkg in sbom["packages"]: | ||
purl = get_rpm_purl(pkg.get("externalRefs", [])) | ||
if purl is None: | ||
continue | ||
|
||
new_refs = [] | ||
for repo_id in repo_id_map[sbom_name]: | ||
if purl.qualifiers["arch"] == "src": | ||
for arch in all_arches: | ||
purl.qualifiers["repository_id"] = ( | ||
repo_id.format(arch=arch).removesuffix("-rpms") + "-source-rpms" | ||
) | ||
release_ref = { | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": purl.to_string(), | ||
} | ||
new_refs.append(release_ref) | ||
else: | ||
if purl.name.endswith("-debugsource"): | ||
repo_id = repo_id.removesuffix("-rpms") + "-source-rpms" | ||
elif purl.name.endswith("-debuginfo"): | ||
repo_id = repo_id.replace("-rpms", "-debug-rpms") | ||
purl.qualifiers["repository_id"] = repo_id.format(arch=purl.qualifiers["arch"]) | ||
release_ref = { | ||
"referenceCategory": "PACKAGE-MANAGER", | ||
"referenceType": "purl", | ||
"referenceLocator": purl.to_string(), | ||
} | ||
new_refs.append(release_ref) | ||
|
||
pkg["externalRefs"] = new_refs | ||
|
||
with open(f"{sbom_name}.spdx.json", "w") as fp: | ||
json.dump(sbom, fp, indent=2) |
Oops, something went wrong.