diff --git a/twoliter/embedded/.rpm2img.swp b/twoliter/embedded/.rpm2img.swp
new file mode 100644
index 00000000..2f9e6f02
Binary files /dev/null and b/twoliter/embedded/.rpm2img.swp differ
diff --git a/twoliter/embedded/rpm2img b/twoliter/embedded/rpm2img
index da83dbd0..857a739e 100755
--- a/twoliter/embedded/rpm2img
+++ b/twoliter/embedded/rpm2img
@@ -256,6 +256,50 @@ printf "%s\n" "${INVENTORY_DATA}" >"${ROOT_MOUNT}/usr/share/bottlerocket/applica
 # can access the inventory without needed to dig into the generated image.
 printf "%s\n" "${INVENTORY_DATA}" >"${OUTPUT_DIR}/application-inventory.json"
+# Install SBOM subpackages for each installed RPM (only for EROFS images)
+if [[ "${EROFS_ROOT_PARTITION}" == "yes" ]]; then
+ SBOM_RPMS=()
+ while IFS= read -r rpm_name; do
+ sbom_rpm="${rpm_name}-sbom"
+ if rpm -q --root "${ROOT_MOUNT}" "${sbom_rpm}" >/dev/null 2>&1; then
+ SBOM_RPMS+=("${sbom_rpm}")
+ else
+ # Check if SBOM package file exists in local packages or external kits
+ sbom_file=$(find "${PACKAGE_DIR}" -maxdepth 1 -name "${sbom_rpm}*.rpm" -print -quit)
+ if [[ -z "${sbom_file}" && -n "${EXTERNAL_KITS_PATH}" ]]; then
+ sbom_file=$(find "${EXTERNAL_KITS_PATH}" -name "${sbom_rpm}*.rpm" -print -quit)
+ fi
+ if [[ -n "${sbom_file}" ]]; then
+ if rpm -iv --ignorearch --root "${ROOT_MOUNT}" "${sbom_file}" >/dev/null 2>&1; then
+ SBOM_RPMS+=("${sbom_rpm}")
+ fi
+ fi
+ fi
+ done < <(rpm -qa --root "${ROOT_MOUNT}" --queryformat "%{NAME}\n")
+
+ # Merge SBOMs into a single json file
+ KIT_SBOMS_DIR="${ROOT_MOUNT}/usr/share/sboms"
+ if [ -d "${KIT_SBOMS_DIR}" ]; then
+ IMAGE_SBOM_DIR="${ROOT_MOUNT}/usr/share/bottlerocket"
+ mkdir -p "${IMAGE_SBOM_DIR}"
+ for format in "spdx" "cyclonedx"; do
+ image_sbom="${format}-sbom.json"
+ image_sbom_path="${IMAGE_SBOM_DIR}/${image_sbom}"
+ find "${KIT_SBOMS_DIR}" -name "*-${format}.json" -type f -exec sbomtool merge --output "${image_sbom_path}" {} \+
+
+ # Write the inventory to a file in the local build output directory
+ cp "${image_sbom_path}" "${OUTPUT_DIR}/${image_sbom}"
+ done
+ # Clean up old SBOM packages
+ rm -rf "${KIT_SBOMS_DIR}"
+ fi
+
+ # Uninstall SBOM subpackages
+ for sbom_rpm in "${SBOM_RPMS[@]}"; do
+ rpm -e --root "${ROOT_MOUNT}" "${sbom_rpm}" >/dev/null 2>&1 || true
+ done
+fi
+
 # Regenerate module dependencies, if possible.
KMOD_DIR="${ROOT_MOUNT}/lib/modules" # First decompress the kernel modules, so they can be recompressed by EROFS.
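Review bot: Every failure path in the new SBOM block is silenced — a package whose `-sbom` subpackage is found neither in `PACKAGE_DIR` nor `EXTERNAL_KITS_PATH` is skipped with nothing printed, `rpm -iv ... >/dev/null 2>&1` hides a rejected or corrupt SBOM RPM, and `rpm -e ... || true` hides a removal failure that would leave the subpackage in the shipped image — so the merged `spdx-sbom.json`/`cyclonedx-sbom.json` can quietly omit installed packages, which defeats the purpose of an inventory artifact. At minimum record the gap: in the innermost fallthrough add `echo "warning: no SBOM subpackage for ${rpm_name}" >&2` (or collect the names and fail the build), and replace the `|| true` with `|| echo "warning: failed to remove ${sbom_rpm}" >&2`. Separately, `find ... -name "${sbom_rpm}*.rpm" -print -quit` takes the first match without checking that its version-release matches the installed package (the recursive search of `EXTERNAL_KITS_PATH` in particular may contain several kit versions), so the merged SBOM can describe a different build than the one in the image; comparing `rpm -qp --queryformat '%{VERSION}-%{RELEASE}'` of the candidate against the installed package before `rpm -iv` would close that. Whether signature verification still applies to the `--ignorearch` install depends on the rpm configuration and keys present under `ROOT_MOUNT`, which is not visible here. The commit also adds `twoliter/embedded/.rpm2img.swp`, a Vim swap file, which looks accidental and should be dropped.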