Added SPDX format support in sbom scripts [CLOUDDST-24250]

[midnightercz]

Added support of SPDX format for helper scripts manipulating SBOMs [CLOUDDST-24250]
Related to ADR 0039-spdx-support

[chmeliik]

Thanks for the contribution!

Could you give the PR a more thorough description and link the relevant issues, docs etc.? There's a lot of guesswork for us here.

(Reviewed only base_images_sbom_script.py so far)

[mkosiarc]

If the newly added scripts are to be used in the buildah task in konflux, they need to be added to the Dockerfile as well - https://github.com/konflux-ci/build-tasks-dockerfiles/blob/main/sbom-utility-scripts/Dockerfile

This means it will be part of the image that is used in the individual steps that are working with sbom in the buildah task, e.g. https://github.com/konflux-ci/build-tasks-dockerfiles/blob/main/sbom-utility-scripts/Dockerfile

[mkosiarc]

Is this work tracked internally somewhere?

[mkosiarc]

Seems that the CI did not run automatically because you are not a maintainer. I had to approve it and it seems to run now. Sorry about that.

The new testcase is failing:

        else:
>           root_element1, map1, inverse_map1 = map_relationships(sbom['relationships'])
E           KeyError: 'relationships'
base_images_sbom_script.py:165: KeyError
=========================== short test summary info ============================
FAILED test_base_images_sbom_script.py::test_main_input_sbom_spdx_minimal - K...

You can also test this locally with tox -e test

[midnightercz]

Is this work tracked internally somewhere?

It's tracked in CLOUDDST-24250, I created the issue after I started working on this, so that's why it's not in the commit mesage

[mkosiarc]

this is probably left by mistake?

[mkosiarc]

@chmeliik does @midnightercz need to be added to the rhtap-build namespace, so that the pipeline can be triggered from this PR?

[chmeliik]

just needs /ok-to-test no?

Huh, maybe not 😕

[chmeliik]

/retest

[chmeliik]

/ok-to-test

[mkosiarc]

Is this work tracked internally somewhere?

It's tracked in CLOUDDST-24250, I created the issue after I started working on this, so that's why it's not in the commit mesage

You could always edit the commit message and make life easier for everybody in the future, but now it is at least mentioned in the pull request.

[mkosiarc]

/ok-to-test

[mmorhun]

/ok-to-test

[tkdchen]

Please describe the problem, which this PR addresses, in detail in the commit message of 1b01170. The information may be about what is missing by current implementation, what's the purpose of adding SPDX format support, etc.

[midnightercz]

Please describe the problem, which this PR addresses, in detail in the commit message of 1b01170. The information may be about what is missing by current implementation, what's the purpose of adding SPDX format support, etc.

I added information about ADR describing the problem

[zregvart]

What can be done to get this merged? The EC team is awaiting this work to be done before proceeding with the full SPDX support.

[chmeliik]

What can be done to get this merged? The EC team is awaiting this work to be done before proceeding with the full SPDX support.

Currently the SPDX feature is in design phase konflux-ci/architecture#213

[midnightercz]

@chmeliik @zregvart I added changes from ADR in last commit + some explanatory comments. I also added test to compare merged cyclonedx and spdx to ensure they are equal (in sense of packages and purls).
Also, question: Is merge_syft_sboms_spdx.py used anywhere? It looks like it's not used in build-definitions repo. Is it possible it's deprecated script?

[zregvart]

Also, question: Is merge_syft_sboms_spdx.py used anywhere? It looks like it's not used in build-definitions repo. Is it possible it's deprecated script?

I've found no use of it anywhere

[chmeliik]

The whole package de-duplication approach for SPDX (the entire diff up to this function) is a bit overcomplicated and adds lots of code duplication.

Both syft and cachi2 never generate more than one purl for a package, and the purl format doesn't change between CDX and SPDX. So the deduplication logic should be identical between CDX and SPDX. The only difference should be whether we get the purl from .purl or from .externalReferences with .referenceType == "purl"

[midnightercz]

code duplication is intentional. Once we remove cyclonedx support, we can simply remove all non spdx related functions. If we enforce to support only one purl per package then logic could be simplified

[chmeliik]

If we enforce to support only one purl per package then logic could be simplified

yes please 🙏

[chmeliik]

Why are we merging the duplicated packages together for SPDX when we don't do it for CycloneDX? For CycloneDX, we simply drop the duplicated packages

[midnightercz]

for cyclonedx if the component is duplicated it's based on purl. That means the component is duplicate for sure. With SPDX considering possibility of multiple purls, is_duplicate_package returns True even on partial match of purls. Therefore considered removal of duplicated packages as possible information loss and that's why attributes of the duplicate package are merged with existing one instead of discarding whole package

[chmeliik]

Why do we only look at relatedSpdxElement for document 1 when we look at both spdxElementId and relatedSpdxElement for document 2?

[midnightercz]

Because in the first doc spdxElementId can be root element and in that case even relationships pointing to removed packages would be included