
Commit 0b065a2

committed
chore: merge SBOM packages and remove old SBOM's
1 parent abdee51 commit 0b065a2


2 files changed

+44
-0
lines changed

2 files changed

+44
-0
lines changed

twoliter/embedded/.rpm2img.swp

40 KB
Binary file not shown.
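Review bot: `twoliter/embedded/.rpm2img.swp` is a Vim swap file for the script changed in this same commit, not a build input, and it should not land in the repository. It holds the editor's buffer of `rpm2img`, which may include unsaved edits that differ from the committed script, and as a 40 KB binary blob it cannot be reviewed. Drop it from the commit and add a `*.swp` pattern to the ignore list so it cannot be re-added by accident.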

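--- a/twoliter/embedded/rpm2img
+++ b/twoliter/embedded/rpm2img
@@ -256,6 +256,50 @@ printf "%s\n" "${INVENTORY_DATA}" >"${ROOT_MOUNT}/usr/share/bottlerocket/applica
 # can access the inventory without needed to dig into the generated image.
 printf "%s\n" "${INVENTORY_DATA}" >"${OUTPUT_DIR}/application-inventory.json"
 
+# Install SBOM subpackages for each installed RPM (only for EROFS images)
+if [[ "${EROFS_ROOT_PARTITION}" == "yes" ]]; then
+SBOM_RPMS=()
+while IFS= read -r rpm_name; do
+sbom_rpm="${rpm_name}-sbom"
+if rpm -q --root "${ROOT_MOUNT}" "${sbom_rpm}" >/dev/null 2>&1; then
+SBOM_RPMS+=("${sbom_rpm}")
+else
+# Check if SBOM package file exists in local packages or external kits
+sbom_file=$(find "${PACKAGE_DIR}" -maxdepth 1 -name "${sbom_rpm}*.rpm" -print -quit)
+if [[ -z "${sbom_file}" && -n "${EXTERNAL_KITS_PATH}" ]]; then
+sbom_file=$(find "${EXTERNAL_KITS_PATH}" -name "${sbom_rpm}*.rpm" -print -quit)
+fi
+if [[ -n "${sbom_file}" ]]; then
+if rpm -iv --ignorearch --root "${ROOT_MOUNT}" "${sbom_file}" >/dev/null 2>&1; then
+SBOM_RPMS+=("${sbom_rpm}")
+fi
+fi
+fi
+done < <(rpm -qa --root "${ROOT_MOUNT}" --queryformat "%{NAME}\n")
+
+# Merge SBOMs into a single json file
+KIT_SBOMS_DIR="${ROOT_MOUNT}/usr/share/sboms"
+if [ -d "${KIT_SBOMS_DIR}" ]; then
+IMAGE_SBOM_DIR="${ROOT_MOUNT}/usr/share/bottlerocket"
+mkdir -p "${IMAGE_SBOM_DIR}"
+for format in "spdx" "cyclonedx"; do
+image_sbom="${format}-sbom.json"
+image_sbom_path="${IMAGE_SBOM_DIR}/${image_sbom}"
+find "${KIT_SBOMS_DIR}" -name "*-${format}.json" -type f -exec sbomtool merge --output "${image_sbom_path}" {} \+
+
+# Write the inventory to a file in the local build output directory
+cp "${image_sbom_path}" "${OUTPUT_DIR}/${image_sbom}"
+done
+# Clean up old SBOM packages
+rm -rf "${KIT_SBOMS_DIR}"
+fi
+
+# Uninstall SBOM subpackages
+for sbom_rpm in "${SBOM_RPMS[@]}"; do
+rpm -e --root "${ROOT_MOUNT}" "${sbom_rpm}" >/dev/null 2>&1 || true
+done
+fi
+
 # Regenerate module dependencies, if possible.
 KMOD_DIR="${ROOT_MOUNT}/lib/modules"
 # First decompress the kernel modules, so they can be recompressed by EROFS.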
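Review bot: The two `sbom_file=$(find ... -name "${sbom_rpm}*.rpm" -print -quit)` lines take whichever matching file `find` returns first, so when more than one version of a package or kit is present in `PACKAGE_DIR` or `EXTERNAL_KITS_PATH` the SBOM that gets installed and merged need not be the one built from the RPM actually in the image, which makes the shipped SBOM quietly inaccurate. If the `-sbom` subpackages share the parent's VERSION-RELEASE, as subpackages normally do, the `rpm -qa` query can emit that value and the lookup can pin the file name to it, as sketched below. A package for which no SBOM file is found anywhere is also dropped without a trace, so a gap in the merged SBOM is invisible at build time; a `printf ... >&2` warning in that branch surfaces it. Separately, `find "${KIT_SBOMS_DIR}" ... -exec sbomtool merge --output "${image_sbom_path}" {} \+` may run sbomtool more than once when the file list exceeds the argument limit, and each run overwrites `--output` so only the last batch survives, while with no `*-${format}.json` present sbomtool is never run and the following `cp` fails on a file that was never written — whether that aborts the build depends on a `set -e` that is not visible in this hunk.
```shell
while IFS=' ' read -r rpm_name rpm_evr; do
  # … unchanged: sbom_rpm name and the rpm -q check for an already-installed subpackage …
    # Pin the lookup to the installed VERSION-RELEASE so the merged SBOM describes what is in the image
    sbom_file=$(find "${PACKAGE_DIR}" -maxdepth 1 -name "${sbom_rpm}-${rpm_evr}*.rpm" -print -quit)
    if [[ -z "${sbom_file}" && -n "${EXTERNAL_KITS_PATH}" ]]; then
      sbom_file=$(find "${EXTERNAL_KITS_PATH}" -name "${sbom_rpm}-${rpm_evr}*.rpm" -print -quit)
    fi
    if [[ -n "${sbom_file}" ]]; then
      # … unchanged: rpm -iv install and SBOM_RPMS append …
    else
      printf 'warning: no SBOM package found for %s-%s\n' "${rpm_name}" "${rpm_evr}" >&2
    fi
  # … unchanged: closing fi of the rpm -q check …
done < <(rpm -qa --root "${ROOT_MOUNT}" --queryformat "%{NAME} %{VERSION}-%{RELEASE}\n")
```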
