Add initial support for generating SPDX SBOM documents (COMPOSER-2274) #4359
Conversation
thozza
force-pushed
the
sbom-poc
branch
3 times, most recently
from
f5da6bb
to
4d44504
Compare
thozza
changed the title
thozza
force-pushed
the
sbom-poc
branch
6 times, most recently
from
d7945ea
to
16a0b40
Compare
Update the ref to the v129, which supports SBOM documents. Signed-off-by: Tomáš Hozza <[email protected]>
This is needed to be able to install osbuild RPM builds, because that repo uses newer snapshots. Signed-off-by: Tomáš Hozza <[email protected]>
Signed-off-by: Tomáš Hozza <[email protected]>
Adjust all paces that call `Solver.Depsolve()`, to cope with the changes that enabled SBOM support. Fix loading of testing repositories in the CloudAPI unit tests. Signed-off-by: Tomáš Hozza <[email protected]>
This is needed for the SBOM support Signed-off-by: Tomáš Hozza <[email protected]>
Signed-off-by: Tomáš Hozza <[email protected]>
Add support to the `DepsolveJob` for requesting SBOM documents and returning the results from the job. Signed-off-by: Tomáš Hozza <[email protected]>
Signed-off-by: Tomáš Hozza <[email protected]>
For Koji composes, all files are uploaded to Koji as part of the osbuild job (specifically as part of handling the Koji target). So in order to be able to upload SBOM documents to Koji as part of Koji compose, the osbuild job needs to to be able to access the depsolve job result, which contains the SBOM documents. For this, the osbuild job must depend on the depsolve job. For Koji composes, make sure that osbuild job depends on the depsolve job and set the DepsolveDynArgsIdx. Signed-off-by: Tomáš Hozza <[email protected]>
Extend the Koji target result struct with an optional slice for uploaded SBOM documents. Signed-off-by: Tomáš Hozza <[email protected]>
If the Koji target result contains information about any uploaded SBOM documents, import them to Koji as part of the finalize task. Signed-off-by: Tomáš Hozza <[email protected]>
Extend the Koji target handling in the osbuild job, to also upload SBOM documents attached to the related depsolve job result. Signed-off-by: Tomáš Hozza <[email protected]>
Adjust the test case to cope with the SPDX SBOM documents uploaded to the Koji. Also explicitly check that there is the expected number of SBOM documents uploaded as the image build output. Signed-off-by: Tomáš Hozza <[email protected]>
We have been testing builds of RHEL-9 on RHEL-8 for the Koji use case. However, all of our workers are now running the latest GA RHEL-9 version. Therefore we should flip the test and test building of RHEL-8 on RHEL-9. Signed-off-by: Tomáš Hozza <[email protected]>
This is what is currently happening on our Brew workers. Signed-off-by: Tomáš Hozza <[email protected]>
None of our worker is running RHEL-8 any more. There's no value in testing the Koji scenario on RHEL-8, RHEL-9 is fully sufficient. Signed-off-by: Tomáš Hozza <[email protected]>
Extend the `manifestJobResultsFromJobDeps()` function to also return the manifest `JobInfo`. This will be useful to inspect the job dependencies and eliminate the need to add a specialized function for getting only the `JobInfo`. Signed-off-by: Tomáš Hozza <[email protected]>
Add a new /sboms API endpoint, for getting SBOM documents for a given compose ID. The endpoint returns an array of SBOM documents for each image built as part of the compose. For each image, there is an SBOM document for each osbuild pipeline, which installs RPM packages. This is usually one 'buildroot' and one 'image' pipeline. Signed-off-by: Tomáš Hozza <[email protected]>
Extend the unit test for regular (non-Koji) composes, to verify that the newly added /sboms endpoint works correctly. Signed-off-by: Tomáš Hozza <[email protected]>
Extend the API unit test for Koji composes, to verify that the newly added /sboms endpoint works correctly. Signed-off-by: Tomáš Hozza <[email protected]>
This is needed for GPG key import to work on RHEL-9, because the key uses SHA-1. This results in the following error when importing the key during the build of the build container: "Signature not supported. Hash algorithm SHA1 not available." We do not need the AUX key in our RHEL-8 repo definitions used for testing. Signed-off-by: Tomáš Hozza <[email protected]>
thozza
requested review from
ondrejbudai,
mvo5,
achilleas-k,
schuellerf,
croissanne,
kingsleyzissou and
supakeen
| return nil, fmt.Errorf("Failed to get job type for dependency %q: %v", manifestDepUUID, err) | ||
| } | ||
|
|
||
| if depJobType == worker.JobTypeDepsolve { |
There was a problem hiding this comment.
NITPICK: Flipping the condition with continue would decrease the indentation for the largest part of the loop body, which is nicer IMO.
There was a problem hiding this comment.
Yeah, I don't see any problem with it.
| } | ||
|
|
||
| // There should be only one depsolve job per OSBuild job | ||
| break |
There was a problem hiding this comment.
Should this break be inside the depJobType == worker.JobTypeDepsolve block? The way it is now, only one the first manifestJobInfo.Deps element is considered. Is that always a depsolve job and nothing else? I guess no, otherwise we'd just be using manifestJobInfo.Deps[0] right?
There was a problem hiding this comment.
Should this break be inside the depJobType == worker.JobTypeDepsolve block?
It actually is inside block as far as I can tell 🤔
So the break is at the correct place, but this is a bit of a premature optimization based on the current implementation. Let me explain.
I implemented sbomsFromOSBuildJob() in a way, so that it uses the same approach to get SBOMs from OSBuildJob, regardless if it is from a Koji or non-Koji compose.
Just for the completeness, for Koji composes, the DepsolveJob is a dependency of the OSBuildJob, so that it can access SBOMs and upload them to Koji. For non-Koji composes, the DepsolveJob is not a direct dependency of the OSBuildJob and one must go through the ManifestJob as to get to DepsolveJob.
There's always only a single DepsolveJob in the compose job chain, thus the break. But there may be more than one item in manifestJobInfo.Deps and DepsolveJob does not have a fixed index.
| required: true | ||
| description: ID of compose SBOMs to get | ||
| description: |- | ||
| Get the manifests of a running or finished compose. |
| format: uuid | ||
| example: 123e4567-e89b-12d3-a456-426655440000 | ||
| required: true | ||
| description: ID of compose SBOMs to get |
There was a problem hiding this comment.
NITPICK: This is a bit awkwardly phrased and might be misunderstood as "ID of SBOMs". In other words, it kinda sounds like "compose-SBOM" is the object being fetched, so it wants the ID of that, but instead it's the compose ID it needs.
Maybe something like:
ID of compose for which to get SBOMs
though I'm not too happy about that one either.
There was a problem hiding this comment.
I agree that this is not great by any means 😄 I'll happily use your suggestion.
Depends on:
Add initial support for generating SPDX SBOM documents (COMPOSER-2274) osbuild#1818
Add initial support for generating SPDX SBOM documents (COMPOSER-2274) images#930
Extend the worker
Depsolvejob to allow requesting an SBOM document for each transaction. The SBOM documents are returned in theDepsolveJobResult.CloudAPI:
Depsolvejob./composes/{id}/sbomsAPI endpoint for requesting SBOM documents for composes./composes/{id}/sbomsAPI endpoint.There's no support for SBOMs added to Weldr API.
Koji:
KojiFinalizejob to import all SBOM documents uploaded to the Koji build and listed in the Koji target result.OSBuildjob, to upload all SBOM documents, related to theOSBuildjob, to the Koji build and list them in theKojitarget result. Uploaded SBOM documents use the following filenames:<image_filename>.<pipeline_purpose>-<pipeline_name>.spdx.json.koji.shtest case to verify the uploaded SBOM documents in Koji builds.koji.sh. Specifically, test the main scenario on RHEL-9 and in addition, test building of RHEL-8 and RHEL-10 on RHEL-9.Details
SBOM documents are attached to
DepsolveJobResult. For each package set that was depsolved, there will be a corresponding SBOM document.DepsolveJobusually contains at least two package sets for any image type - for the at least oneimagepipeline and for thebuildrootpipeline.Koji composes may contain multiple image builds as part of a single compose request. Therefore the
/composes/{id}/sbomsendpoint returns multiple SBOM documents for each image build. The returned value may look as follows for a Koji compose that consists of two image builds:{ "href": "/api/image-builder-composer/v2/composes/356f4620-c03e-3830-b013-ddbfee6665aa/sboms", "id": "356f4620-c03e-3830-b013-ddbfee6665aa", "kind": "ComposeSBOMs", "items": [ [ { "pipeline_name": "build", "pipeline_purpose": "buildroot", "sbom": <sbom_doc>, "sbom_type": "spdx" }, { "pipeline_name": "os", "pipeline_purpose": "image", "sbom": <sbom_doc>, "sbom_type": "spdx" } ], [ { "pipeline_name": "build", "pipeline_purpose": "buildroot", "sbom": <sbom_doc>, "sbom_type": "spdx" }, { "pipeline_name": "os", "pipeline_purpose": "image", "sbom": <sbom_doc>, "sbom_type": "spdx" } ] ] }pipeline_purposedescribes the purpose of a pipeline.imagemeans that the content described in the SBOM document is installed in the actual image.buildrootmeans that the content described in the SBOM document was installed in the environment used to build the image. This terminology is consistent with how we name thing internally.pipeline_nameis the actual name of the osbuild pipeline, in which the described content got installed.sbomis the actual SBOM document.sbom_typedescribes the SBOM standard / type of the SBOM document. Currently, it will be alwaysspdx.