drbd/0008-build-generate-spdx.json-not-tag-value-format.patch
2025-01-08 07:34:16 +00:00


From ca3589743378a7750b9e6a8e19b904d57986cce4 Mon Sep 17 00:00:00 2001
From: Lars Ellenberg <lars.ellenberg@linbit.com>
Date: Wed, 28 Aug 2024 20:00:36 +0200
Subject: [PATCH 08/32] build: generate spdx.json, not "tag value" format
Generates .spdx.json files in SPDX-json format instead of tag/value.
This appears to be more machine friendly.
Use jq with "null" input and \(env.<environment-variable-name>) string interpolation in templates.
Move all this to a new ./sbom/ subdirectory.
---
Makefile | 74 ++-----------------
sbom/Makefile | 24 ++++++
.../drbd-kmod.cdx.json.in | 8 +-
sbom/drbd-kmod.spdx.json.in | 32 ++++++++
4 files changed, 68 insertions(+), 70 deletions(-)
create mode 100644 sbom/Makefile
rename drbd-kmod.cdx.json.in => sbom/drbd-kmod.cdx.json.in (84%)
create mode 100644 sbom/drbd-kmod.spdx.json.in
diff --git a/Makefile b/Makefile
index 80c20d24ab54..37ffcd777d09 100644
--- a/Makefile
+++ b/Makefile
@@ -92,6 +92,8 @@ ifndef FDIST_VERSION
FDIST_VERSION := $(DIST_VERSION)
endif
+export REL_VERSION FDIST_VERSION
+
all: module tools
.PHONY: all tools module
@@ -189,76 +191,15 @@ drbd/.drbd_git_revision: FORCE
@echo >&2 "Need a git checkout to regenerate $@"; test -s $@
endif
-export define SPDX_TEMPLATE
-SPDXVersion: SPDX-2.3
-DataLicense: CC0-1.0
-SPDXID: SPDXRef-DOCUMENT
-DocumentName: drbd kernel module SBOM (software bill of materials)
-DocumentNamespace: https://linbit.org/spdx-docs/drbd-kmod-$(SPDX_VERSION)-$(SPDX_UUID)
-Creator: Person: Philipp Reisner (philipp.reisner@linbit.com)
-Created: $(SPDX_DATE)
-
-PackageName: $(SPDX_PKG_NAME)
-SPDXID: SPDXRef-Package-$(SPDX_PKG_NAME)
-PackageVersion: $(SPDX_VERSION)
-PackageSupplier: Organization: LINBIT HA-Solutions GmbH
-PackageDownloadLocation: https://github.com/LINBIT/drbd
-FilesAnalyzed: false
-PackageLicenseDeclared: GPL-2.0-only
-PackageCopyrightText: <text>2001-2008, LINBIT Information Technologies GmbH
-2008-$(SPDX_YEAR), LINBIT HA-Solutions GmbH</text>
-Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-$(SPDX_PKG_NAME)
-endef
-
-# only call this wrapper from drbd-kmod_{sles,rhel}.spdx
-.PHONY: spdx-file
-spdx-file:
- @echo "$$SPDX_TEMPLATE" > $(SPDX_FILE_TMP)
-
-.PHONY: drbd-kmod_rhel.spdx drbd-kmod_sles.spdx
-drbd-kmod_rhel.spdx drbd-kmod_sles.spdx:
- @set -e; ( truncate -s0 $@.tmp; \
- SPDX_DATE="$$(date --utc +%FT%TZ)"; \
- SPDX_UUID="$$(cat /proc/sys/kernel/random/uuid)"; \
- SPDX_VERSION="$(REL_VERSION)"; \
- SPDX_YEAR="$$(date --utc +%Y)"; \
- case "$@" in \
- drbd-kmod_rhel.spdx) SPDX_PKG_NAME=kmod-drbd;; \
- drbd-kmod_sles.spdx) SPDX_PKG_NAME=drbd-kmp-default;; \
- *) false;; \
- esac; \
- test -n "$$SPDX_TEMPLATE"; \
- test -n "$$SPDX_DATE"; \
- test -n "$$SPDX_UUID"; \
- test -n "$$SPDX_VERSION"; \
- test -n "$$SPDX_YEAR"; \
- $(MAKE) spdx-file SPDX_UUID="$$SPDX_UUID" \
- SPDX_DATE="$$SPDX_DATE" \
- SPDX_FILE_TMP="$@.tmp" \
- SPDX_PKG_NAME="$$SPDX_PKG_NAME" \
- SPDX_VERSION="$$SPDX_VERSION" \
- SPDX_YEAR="$$SPDX_YEAR"; \
- mv $@.tmp $@; )
-
-# only call this wrapper from drbd-kmod.cdx.json
-.PHONY: cdx-sub
-cdx-sub:
- cat $(CDX_FILE).in | jq --args '.metadata.timestamp = "$(CDX_DATE)" | .metadata.component.version = "$(FDIST_VERSION)" | .metadata.component."bom-ref" = "$(PURL)" | .metadata.component.purl = "$(PURL)"' > $(CDX_FILE)
-
-.PHONY: drbd-kmod.cdx.json
-drbd-kmod.cdx.json:
- $(MAKE) -s cdx-sub CDX_DATE="$$(date --utc +%FT%TZ)" PURL="pkg:github/LINBIT/drbd@drbd-$(FDIST_VERSION)" CDX_FILE="$@"
- ! grep -q __PLACEHOLDER__ $@
-
# update of .filelist is forced:
.fdist_version: FORCE
@test -s $@ && test "$$(cat $@)" = "$(FDIST_VERSION)" || echo "$(FDIST_VERSION)" > $@
.filelist: .fdist_version FORCE
@$(GIT) ls-files --recurse -- ':!:.git*' $(if $(PRESERVE_DEBIAN),,':!:debian') > $@.new
+ @test -s $@.new # assert there is something in .filelist.new now
@mkdir -p drbd/drbd-kernel-compat/cocci_cache/
@find drbd/drbd-kernel-compat/cocci_cache/ -type f -not -path '*/\.*' >> $@.new
- @test -s $@.new # assert there is something in .filelist.new now
@mv $@.new $@
@echo "./.filelist updated."
@@ -273,9 +214,10 @@ drbd-kmod.cdx.json:
comma := ,
backslash_comma := \,
escape_comma = $(subst $(comma),$(backslash_comma),$(1))
-tgz-extra-files := \
- .fdist_version drbd/.drbd_git_revision .filelist \
- drbd-kmod_rhel.spdx drbd-kmod_sles.spdx drbd-kmod.cdx.json
+tgz-extra-files := .fdist_version drbd/.drbd_git_revision .filelist
+tgz-extra-files += sbom/drbd-kmod_rhel.spdx.json
+tgz-extra-files += sbom/drbd-kmod_sles.spdx.json
+tgz-extra-files += sbom/drbd-kmod.cdx.json
tgz:
test -s .filelist # .filelist must be present
test -n "$(FDIST_VERSION)" # FDIST_VERSION must be known
@@ -318,7 +260,7 @@ debrelease:
tarball:
$(MAKE) distclean
$(MAKE) check-submods check_all_committed drbd/.drbd_git_revision
- $(MAKE) drbd-kmod_rhel.spdx drbd-kmod_sles.spdx drbd-kmod.cdx.json
+ $(MAKE) -C sbom drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json drbd-kmod.cdx.json
$(MAKE) .filelist
$(MAKE) tgz
diff --git a/sbom/Makefile b/sbom/Makefile
new file mode 100644
index 000000000000..757f57e4db60
--- /dev/null
+++ b/sbom/Makefile
@@ -0,0 +1,24 @@
+
+# we inherit some variables from our "parent" Makefile
+THIS_MAKEFILE := $(lastword $(MAKEFILE_LIST))
+$(foreach v,REL_VERSION FDIST_VERSION,$(if $($(v)),,$(error "Do not use this Makefile ($(THIS_MAKEFILE)) directly! ($(v) missing))))
+
+all: drbd-kmod.cdx.json drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json
+
+export SPDX_VERSION SPDX_DATE SPDX_YEAR SPDX_UUID SPDX_PKG_NAME
+SPDX_VERSION:=$(REL_VERSION)
+SPDX_DATE:=$(shell date --utc +%FT%TZ)
+SPDX_YEAR:=$(firstword $(subst -, ,$(SPDX_DATE)))
+drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json: SPDX_UUID:=$(shell cat /proc/sys/kernel/random/uuid)
+drbd-kmod_rhel.spdx.json: SPDX_PKG_NAME:=kmod-drbd
+drbd-kmod_sles.spdx.json: SPDX_PKG_NAME:=drbd-kmp-default
+drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json: FORCE
+ @rm -f $@; jq -n -f drbd-kmod.spdx.json.in > $@.tmp && mv $@.tmp $@
+
+# uses:
+# SPDX_DATE from above and FDIST_VERSION from parent Makefile
+drbd-kmod.cdx.json: FORCE
+ @rm -f $@; jq -n -f drbd-kmod.cdx.json.in > $@.tmp && mv $@.tmp $@
+
+.PHONY: FORCE
+FORCE:
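Review bot: Both SPDX documents appear to receive the same UUID, because the single target-specific `SPDX_UUID:=$(shell cat /proc/sys/kernel/random/uuid)` assignment names both drbd-kmod_rhel.spdx.json and drbd-kmod_sles.spdx.json and, being simply-expanded, runs the shell command once when the line is parsed; since sbom/drbd-kmod.spdx.json.in builds `documentNamespace` from SPDX_VERSION and SPDX_UUID only, the rhel and sles documents would then share a namespace that SPDX expects to be unique per document (the old per-target recipe drew a fresh UUID each time). Splitting it into `drbd-kmod_rhel.spdx.json: SPDX_UUID:=$(shell cat /proc/sys/kernel/random/uuid)` and `drbd-kmod_sles.spdx.json: SPDX_UUID:=$(shell cat /proc/sys/kernel/random/uuid)` restores one UUID per document. Separately, the `! grep -q __PLACEHOLDER__` guard of the removed top-level rule has no counterpart in these recipes: jq renders an unexported variable as `null` and an empty one (e.g. if /proc/sys/kernel/random/uuid is unreadable) as an empty string, so an SBOM with a broken namespace or version would be generated silently; adding `@test -n "$(SPDX_UUID)" && test -n "$(SPDX_PKG_NAME)"` before the jq line (and `@test -n "$(SPDX_DATE)"` for the cdx rule) would fail the build instead.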
diff --git a/drbd-kmod.cdx.json.in b/sbom/drbd-kmod.cdx.json.in
similarity index 84%
rename from drbd-kmod.cdx.json.in
rename to sbom/drbd-kmod.cdx.json.in
index ab4e05a43187..99858e8b9b43 100644
--- a/drbd-kmod.cdx.json.in
+++ b/sbom/drbd-kmod.cdx.json.in
@@ -2,7 +2,7 @@
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"metadata": {
- "timestamp": "__PLACEHOLDER__",
+ "timestamp": "\(env.SPDX_DATE)",
"authors": [
{
"name": "Philipp Reisner",
@@ -16,9 +16,9 @@
"component": {
"type": "application",
"name": "kmod-drbd",
- "version": "__PLACEHOLDER__",
- "bom-ref": "__PLACEHOLDER__",
- "purl": "__PLACEHOLDER__",
+ "version": "\(env.FDIST_VERSION)",
+ "bom-ref": "pkg:github/LINBIT/drbd@drbd-\(env.FDIST_VERSION)",
+ "purl": "pkg:github/LINBIT/drbd@drbd-\(env.FDIST_VERSION)",
"licenses": [
{
"licenses": {
diff --git a/sbom/drbd-kmod.spdx.json.in b/sbom/drbd-kmod.spdx.json.in
new file mode 100644
index 000000000000..07c1003f8834
--- /dev/null
+++ b/sbom/drbd-kmod.spdx.json.in
@@ -0,0 +1,32 @@
+{
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "spdxVersion": "SPDX-2.3",
+ "creationInfo": {
+ "created": "\(env.SPDX_DATE)",
+ "creators": [
+ "Person: Philipp Reisner (philipp.reisner@linbit.com)"
+ ]
+ },
+ "name": "drbd kernel module SBOM (software bill of materials)",
+ "dataLicense": "CC0-1.0",
+ "documentNamespace": "https://linbit.org/spdx-docs/drbd-kmod-\(env.SPDX_VERSION)-\(env.SPDX_UUID)",
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package-\(env.SPDX_PKG_NAME)",
+ "copyrightText": "2001-2008, LINBIT Information Technologies GmbH\n2008-\(env.SPDX_YEAR), LINBIT HA-Solutions GmbH",
+ "downloadLocation": "https://github.com/LINBIT/drbd",
+ "filesAnalyzed": false,
+ "licenseDeclared": "GPL-2.0-only",
+ "name": "\(env.SPDX_PKG_NAME)",
+ "supplier": "Organization: LINBIT HA-Solutions GmbH",
+ "versionInfo": "\(env.SPDX_VERSION)"
+ }
+ ],
+ "relationships": [
+ {
+ "spdxElementId": "SPDXRef-DOCUMENT",
+ "relationshipType": "DESCRIBES",
+ "relatedSpdxElement": "SPDXRef-Package-\(env.SPDX_PKG_NAME)"
+ }
+ ]
+}
--
2.35.3