Mkosi generate SBOM support using finalize script #1007
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Added support for generate_sbom through a finalize script. Tested with mkosi 22 on Debian Testing. The used version needs to support configuration dir feature and multiple scripts of same name (mkosi v18) Mkosi builds in using tmpfs and other security features and removes everything after building, so it is not possible to call generate_sbom after mkosi run on the buildroot. Content of `/.build` needs to be copied into a place under `/usr` because most host directories are hidden from mkosi (introduced in mkosi v20)
The name for the spdx profile can be set using the macro `%mkosi_spdx_name` in the project configuration. Default is `image` if not set.
gollub
reviewed
May 28, 2024
build-recipe-mkosi
Outdated
| --format "$format" \ | ||
| --dir "$IMAGENAME" > "\$OUTPUTDIR/\${imgname}${buildnum}.${format/cyclonedx/cdx}.json" | ||
| pushd \$OUTPUTDIR >/dev/null | ||
| /usr/bin/sha256sum "\${imgname}${buildnum}.${format/cyclonedx/cdx}.json" > "\${imgname}${buildnum}.${format/cyclonedx/cdx}.json".sh256 |
gollub
reviewed
May 28, 2024
build-recipe-mkosi
Outdated
| echo "generating script for sbom $format" | ||
| cat << EOF >> $BUILD_ROOT/$TOPDIR/SOURCES/mkosi.conf.d/99-sbom/mkosi.finalize | ||
| #!/usr/bin/bash | ||
| # script generated by build-receipe-mkosi for sbom buildflags |
|
@gollub thank you.. typos fixed |
gollub
reviewed
May 28, 2024
No special macro is needed to set the filename, take ImageID (if set) or default to "image". Also no sha256 generateion needs to be done, mkosi creates it for all files in $OUTPUTDIR in "$IMAGENAME.SHA256SUMS"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Tested with mkosi 22.
If Buildflag sbom is set a mkosi.finaliz script is created in a mkosi.conf.d subdirectory to not overwrite possible existent scripts and will be called at the end to call generate_sbom before mkosi creates the image.
The used version needs to support configuration dir feature and multiple scripts of same name (mkosi v18)
Mkosi builds in using tmpfs and other security features and removes everything after building, so it is not possible to call generate_sbom after mkosi run on the buildroot.
Content of
/.buildneeds to be copied into a place under/usrbecause most host directories are hidden from mkosi (introduced in mkosi v20)The name for the spdx profileis set by the ImageID of mkosi.conf. Default is
imageif not set.