build-recipe-mkosi support for generate_sbom
Added support for generate_sbom through a finalize script.

Tested with mkosi 22 on Debian Testing.
The mkosi version used needs to support the configuration dir feature and multiple
scripts of the same name (mkosi v18).

Mkosi builds using tmpfs and other security features and removes
everything after building, so it is not possible to call generate_sbom
on the buildroot after the mkosi run.

The content of `/.build` needs to be copied into a place under `/usr`
because most host directories are hidden from mkosi (introduced in mkosi
v20).
cschneemann committed May 23, 2024
1 parent d090822 commit 58ccc54
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions build-recipe-mkosi
@@ -93,6 +93,33 @@ recipe_build_mkosi() {
if [ -n "$RELEASE" ]; then
image_version="--image-version=${RELEASE}"
fi

for format in $(queryconfig --dist "$BUILD_DIST" --configdir "$CONFIG_DIR" --archpath "$BUILD_ARCH" buildflags+ sbom | sort -u) ; do
# workaround as /.build/ is not available in chroot
mkdir -p "$TOPDIR/scripts"
cp -r "/.build/" "$TOPDIR/scripts"
chmod +x "$TOPDIR/scripts/.build/generate_sbom"
mkdir -p $BUILD_ROOT/$TOPDIR/SOURCES/mkosi.conf.d/99-sbom/
echo "generating script for sbom $format"
cat << EOF >> $BUILD_ROOT/$TOPDIR/SOURCES/mkosi.conf.d/99-sbom/mkosi.finalize
#!/usr/bin/bash
# script generated by build-receipe-mkosi for sbom buildflags
echo "Generating $format sbom file"
imgname="image.${RELEASE}"
export PERL5LIB="$TOPDIR/scripts/.build"
$TOPDIR/scripts/.build/generate_sbom \
--dist "$TOPDIR/scripts/$BUILD_DIST" \
--configdir "$TOPDIR/scripts/$CONFIG_DIR" \
--archpath "$BUILD_ARCH" \
--format "$format" \
--dir \$BUILDROOT > "\$OUTPUTDIR/\${imgname}${buildnum}.${format/cyclonedx/cdx}.json"
pushd \$OUTPUTDIR >/dev/null
/usr/bin/sha256sum "\${imgname}${buildnum}.${format/cyclonedx/cdx}.json" > "\${imgname}${buildnum}.${format/cyclonedx/cdx}.json".sh256
popd >/dev/null
EOF
chmod +x $BUILD_ROOT/$TOPDIR/SOURCES/mkosi.conf.d/99-sbom/mkosi.finalize
done

set -- mkosi \
--directory "$TOPDIR/SOURCES" \
--default \
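Review bot: the `cat << EOF >> $BUILD_ROOT/$TOPDIR/SOURCES/mkosi.conf.d/99-sbom/mkosi.finalize` heredoc writes a complete script (shebang, `imgname=`, `export PERL5LIB`, the generate_sbom call) on every loop iteration, so with more than one sbom buildflag the finalize script ends up with repeated `#!/usr/bin/bash` and header lines, and because `>>` is used a mkosi.finalize left over from an earlier run is extended rather than replaced; consider writing the header once with `>` before the loop and appending only the per-format body inside it. The checksum file name ends in `.sh256`, which looks like a typo for `.sha256`; any consumer that looks for `<name>.sha256` next to the SBOM will miss it. The three `$BUILD_ROOT/$TOPDIR/SOURCES/mkosi.conf.d/99-sbom/...` paths in `mkdir -p`, `cat ... >>` and `chmod +x` are unquoted while every other path in the hunk is quoted, and the `mkdir -p "$TOPDIR/scripts"` / `cp -r "/.build/" "$TOPDIR/scripts"` / `chmod +x "$TOPDIR/scripts/.build/generate_sbom"` block does not depend on `$format`, so it belongs above the loop. The re-rooted `--dist "$TOPDIR/scripts/$BUILD_DIST"` and `--configdir "$TOPDIR/scripts/$CONFIG_DIR"` arguments only resolve if both values are paths below `/.build` (they land at `$TOPDIR/scripts/.build/...` after the copy); a comment stating that assumption would help the next reader. Since the `.sh256` file is written beside the SBOM it covers, it only detects accidental corruption, not modification by anything that can write to `$OUTPUTDIR`.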
