From ca3589743378a7750b9e6a8e19b904d57986cce4 Mon Sep 17 00:00:00 2001 From: Lars Ellenberg Date: Wed, 28 Aug 2024 20:00:36 +0200 Subject: [PATCH 08/32] build: generate spdx.json, not "tag value" format Generates .spdx.json files in SPDX-json format instead of tag/value. This appears to be more machine friendly. Use jq with "null" input and \(env.) string interpolation in templates. Move all this to a new ./sbom/ subdirectory. --- Makefile | 74 ++----------------- sbom/Makefile | 24 ++++++ .../drbd-kmod.cdx.json.in | 8 +- sbom/drbd-kmod.spdx.json.in | 32 ++++++++ 4 files changed, 68 insertions(+), 70 deletions(-) create mode 100644 sbom/Makefile rename drbd-kmod.cdx.json.in => sbom/drbd-kmod.cdx.json.in (84%) create mode 100644 sbom/drbd-kmod.spdx.json.in diff --git a/Makefile b/Makefile index 80c20d24ab54..37ffcd777d09 100644 --- a/Makefile +++ b/Makefile @@ -92,6 +92,8 @@ ifndef FDIST_VERSION FDIST_VERSION := $(DIST_VERSION) endif +export REL_VERSION FDIST_VERSION + all: module tools .PHONY: all tools module 
@@ -189,76 +191,15 @@ drbd/.drbd_git_revision: FORCE @echo >&2 "Need a git checkout to regenerate $@"; test -s $@ endif -export define SPDX_TEMPLATE -SPDXVersion: SPDX-2.3 -DataLicense: CC0-1.0 -SPDXID: SPDXRef-DOCUMENT -DocumentName: drbd kernel module SBOM (software bill of materials) -DocumentNamespace: https://linbit.org/spdx-docs/drbd-kmod-$(SPDX_VERSION)-$(SPDX_UUID) -Creator: Person: Philipp Reisner (philipp.reisner@linbit.com) -Created: $(SPDX_DATE) - -PackageName: $(SPDX_PKG_NAME) -SPDXID: SPDXRef-Package-$(SPDX_PKG_NAME) -PackageVersion: $(SPDX_VERSION) -PackageSupplier: Organization: LINBIT HA-Solutions GmbH -PackageDownloadLocation: https://github.com/LINBIT/drbd -FilesAnalyzed: false -PackageLicenseDeclared: GPL-2.0-only -PackageCopyrightText: 2001-2008, LINBIT Information Technologies GmbH -2008-$(SPDX_YEAR), LINBIT HA-Solutions GmbH -Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-$(SPDX_PKG_NAME) -endef - -# only call this wrapper from drbd-kmod_{sles,rhel}.spdx -.PHONY: spdx-file -spdx-file: - @echo "$$SPDX_TEMPLATE" > $(SPDX_FILE_TMP) - -.PHONY: drbd-kmod_rhel.spdx drbd-kmod_sles.spdx -drbd-kmod_rhel.spdx drbd-kmod_sles.spdx: - @set -e; ( truncate -s0 $@.tmp; \ - SPDX_DATE="$$(date --utc +%FT%TZ)"; \ - SPDX_UUID="$$(cat /proc/sys/kernel/random/uuid)"; \ - SPDX_VERSION="$(REL_VERSION)"; \ - SPDX_YEAR="$$(date --utc +%Y)"; \ - case "$@" in \ - drbd-kmod_rhel.spdx) SPDX_PKG_NAME=kmod-drbd;; \ - drbd-kmod_sles.spdx) SPDX_PKG_NAME=drbd-kmp-default;; \ - *) false;; \ - esac; \ - test -n "$$SPDX_TEMPLATE"; \ - test -n "$$SPDX_DATE"; \ - test -n "$$SPDX_UUID"; \ - test -n "$$SPDX_VERSION"; \ - test -n "$$SPDX_YEAR"; \ - $(MAKE) spdx-file SPDX_UUID="$$SPDX_UUID" \ - SPDX_DATE="$$SPDX_DATE" \ - SPDX_FILE_TMP="$@.tmp" \ - SPDX_PKG_NAME="$$SPDX_PKG_NAME" \ - SPDX_VERSION="$$SPDX_VERSION" \ - SPDX_YEAR="$$SPDX_YEAR"; \ - mv $@.tmp $@; ) - -# only call this wrapper from drbd-kmod.cdx.json -.PHONY: cdx-sub -cdx-sub: - cat $(CDX_FILE).in | jq --args 
'.metadata.timestamp = "$(CDX_DATE)" | .metadata.component.version = "$(FDIST_VERSION)" | .metadata.component."bom-ref" = "$(PURL)" | .metadata.component.purl = "$(PURL)"' > $(CDX_FILE) - -.PHONY: drbd-kmod.cdx.json -drbd-kmod.cdx.json: - $(MAKE) -s cdx-sub CDX_DATE="$$(date --utc +%FT%TZ)" PURL="pkg:github/LINBIT/drbd@drbd-$(FDIST_VERSION)" CDX_FILE="$@" - ! grep -q __PLACEHOLDER__ $@ - # update of .filelist is forced: .fdist_version: FORCE @test -s $@ && test "$$(cat $@)" = "$(FDIST_VERSION)" || echo "$(FDIST_VERSION)" > $@ .filelist: .fdist_version FORCE @$(GIT) ls-files --recurse -- ':!:.git*' $(if $(PRESERVE_DEBIAN),,':!:debian') > $@.new + @test -s $@.new # assert there is something in .filelist.new now @mkdir -p drbd/drbd-kernel-compat/cocci_cache/ @find drbd/drbd-kernel-compat/cocci_cache/ -type f -not -path '*/\.*' >> $@.new - @test -s $@.new # assert there is something in .filelist.new now @mv $@.new $@ @echo "./.filelist updated." @@ -273,9 +214,10 @@ drbd-kmod.cdx.json: comma := , backslash_comma := \, escape_comma = $(subst $(comma),$(backslash_comma),$(1)) -tgz-extra-files := \ - .fdist_version drbd/.drbd_git_revision .filelist \ - drbd-kmod_rhel.spdx drbd-kmod_sles.spdx drbd-kmod.cdx.json +tgz-extra-files := .fdist_version drbd/.drbd_git_revision .filelist +tgz-extra-files += sbom/drbd-kmod_rhel.spdx.json +tgz-extra-files += sbom/drbd-kmod_sles.spdx.json +tgz-extra-files += sbom/drbd-kmod.cdx.json tgz: test -s .filelist # .filelist must be present test -n "$(FDIST_VERSION)" # FDIST_VERSION must be known @@ -318,7 +260,7 @@ debrelease: tarball: $(MAKE) distclean $(MAKE) check-submods check_all_committed drbd/.drbd_git_revision - $(MAKE) drbd-kmod_rhel.spdx drbd-kmod_sles.spdx drbd-kmod.cdx.json + $(MAKE) -C sbom drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json drbd-kmod.cdx.json $(MAKE) .filelist $(MAKE) tgz diff --git a/sbom/Makefile b/sbom/Makefile new file mode 100644 index 000000000000..757f57e4db60 --- /dev/null +++ b/sbom/Makefile 
@@ -0,0 +1,24 @@
+
+# we inherit some variables from our "parent" Makefile
+THIS_MAKEFILE := $(lastword $(MAKEFILE_LIST))
+$(foreach v,REL_VERSION FDIST_VERSION,$(if $($(v)),,$(error "Do not use this Makefile ($(THIS_MAKEFILE)) directly! ($(v) missing))))
+
+all: drbd-kmod.cdx.json drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json
+
+export SPDX_VERSION SPDX_DATE SPDX_YEAR SPDX_UUID SPDX_PKG_NAME
+SPDX_VERSION:=$(REL_VERSION)
+SPDX_DATE:=$(shell date --utc +%FT%TZ)
+SPDX_YEAR:=$(firstword $(subst -, ,$(SPDX_DATE)))
+drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json: SPDX_UUID:=$(shell cat /proc/sys/kernel/random/uuid)
+drbd-kmod_rhel.spdx.json: SPDX_PKG_NAME:=kmod-drbd
+drbd-kmod_sles.spdx.json: SPDX_PKG_NAME:=drbd-kmp-default
+drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json: FORCE
+ @rm -f $@; jq -n -f drbd-kmod.spdx.json.in > $@.tmp && mv $@.tmp $@
+
+# uses:
+# SPDX_DATE from above and FDIST_VERSION from parent Makefile
+drbd-kmod.cdx.json: FORCE
+ @rm -f $@; jq -n -f drbd-kmod.cdx.json.in > $@.tmp && mv $@.tmp $@
+
+.PHONY: FORCE
+FORCE:
diff --git a/drbd-kmod.cdx.json.in b/sbom/drbd-kmod.cdx.json.in
similarity index 84%
rename from drbd-kmod.cdx.json.in
rename to sbom/drbd-kmod.cdx.json.in
index ab4e05a43187..99858e8b9b43 100644
--- a/drbd-kmod.cdx.json.in
+++ b/sbom/drbd-kmod.cdx.json.in
@@ -2,7 +2,7 @@
 "bomFormat": "CycloneDX",
 "specVersion": "1.5",
 "metadata": {
- "timestamp": "__PLACEHOLDER__",
+ "timestamp": "\(env.SPDX_DATE)",
 "authors": [
 {
 "name": "Philipp Reisner",
@@ -16,9 +16,9 @@
 "component": {
 "type": "application",
 "name": "kmod-drbd",
- "version": "__PLACEHOLDER__",
- "bom-ref": "__PLACEHOLDER__",
- "purl": "__PLACEHOLDER__",
+ "version": "\(env.FDIST_VERSION)",
+ "bom-ref": "pkg:github/LINBIT/drbd@drbd-\(env.FDIST_VERSION)",
+ "purl": "pkg:github/LINBIT/drbd@drbd-\(env.FDIST_VERSION)",
 "licenses": [
 {
 "licenses": {
diff --git a/sbom/drbd-kmod.spdx.json.in b/sbom/drbd-kmod.spdx.json.in
new file mode 100644
index 000000000000..07c1003f8834
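Review bot: The `test -n "$$SPDX_…"` and `! grep -q __PLACEHOLDER__ $@` guards of the old recipes have no counterpart in the new `drbd-kmod_*.spdx.json` and `drbd-kmod.cdx.json` recipes, and jq renders an unset environment variable as the literal string `null` (`"\(env.X)"` becomes `"null"`), so a missing `SPDX_UUID`, `SPDX_PKG_NAME` or `SPDX_DATE` produces a well-formed but wrong SBOM that is packed into the tarball unnoticed; the `$(error)` guard at the top covers only REL_VERSION and FDIST_VERSION. A cheap post-check in both recipes is `@rm -f $@; jq -n -f drbd-kmod.spdx.json.in > $@.tmp && ! grep -Eq '"null"|-null"' $@.tmp && mv $@.tmp $@` (a set-but-empty variable still slips through; a `test -n` on the values before calling jq closes that gap). It is also worth confirming on the build host that the two-target `SPDX_UUID:=$(shell …)` line yields a distinct UUID for the rhel and sles documents; if the `$(shell)` were expanded only once, both would share a `documentNamespace`, which SPDX requires to be unique per document. Minor: the `$(error "Do not use …` message opens a double quote it never closes, so the quote is printed literally.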
--- /dev/null
+++ b/sbom/drbd-kmod.spdx.json.in
@@ -0,0 +1,32 @@
+{
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "spdxVersion": "SPDX-2.3",
+ "creationInfo": {
+ "created": "\(env.SPDX_DATE)",
+ "creators": [
+ "Person: Philipp Reisner (philipp.reisner@linbit.com)"
+ ]
+ },
+ "name": "drbd kernel module SBOM (software bill of materials)",
+ "dataLicense": "CC0-1.0",
+ "documentNamespace": "https://linbit.org/spdx-docs/drbd-kmod-\(env.SPDX_VERSION)-\(env.SPDX_UUID)",
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package-\(env.SPDX_PKG_NAME)",
+ "copyrightText": "2001-2008, LINBIT Information Technologies GmbH\n2008-\(env.SPDX_YEAR), LINBIT HA-Solutions GmbH",
+ "downloadLocation": "https://github.com/LINBIT/drbd",
+ "filesAnalyzed": false,
+ "licenseDeclared": "GPL-2.0-only",
+ "name": "\(env.SPDX_PKG_NAME)",
+ "supplier": "Organization: LINBIT HA-Solutions GmbH",
+ "versionInfo": "\(env.SPDX_VERSION)"
+ }
+ ],
+ "relationships": [
+ {
+ "spdxElementId": "SPDXRef-DOCUMENT",
+ "relationshipType": "DESCRIBES",
+ "relatedSpdxElement": "SPDXRef-Package-\(env.SPDX_PKG_NAME)"
+ }
+ ]
+}
-- 
2.35.3
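Review bot: `downloadLocation` is the bare repository URL, so this SPDX document does not pin the sources it describes, whereas the CycloneDX sibling template pins `pkg:github/LINBIT/drbd@drbd-<version>` in its purl; SPDX 2.3 accepts a VCS location with a revision, so `"downloadLocation": "git+https://github.com/LINBIT/drbd.git@drbd-\(env.SPDX_VERSION)"` would let a consumer fetch exactly the tagged tree (the tag naming follows the cdx purl here; confirm it matches the actual release tags). Because `filesAnalyzed` is `false` there is no package verification code, so a pinned download location is the only thing tying this document to concrete sources. Since the file is produced by a build step rather than written by hand, SPDX also asks that the generating tool appear as a creator next to the person, e.g. adding `"Tool: drbd sbom/Makefile"` to `creators`, which lets consumers distinguish the template author from the build that emitted a given document.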