SBOM and nits (#14)

* Address nits

* Eliminate unnecessaryt pushds and use run cmake install instead of ninja

* Generate SBOM with SDK dependencies

* Add example of command for building locally

Author: marcprux

swift-ci/sdks/android/README.md

@@ -81,5 +81,9 @@ perform the build locally on an Ubuntu 24.04 machine with all the
 build prerequisites already installed. This will generate
 the same artifacts in approximately half the time, and
 may be suitable to an already containerized envrionment (such as
-a GitHub runner).
+a GitHub runner). A local build can be run with the
+`build-local` script, such as:
 
+```
+./build-local swift-6.2-branch /tmp/android-sdk-devel
+```

swift-ci/sdks/android/scripts/build.sh

@@ -101,7 +101,7 @@ function declare_package
     packages+=(${name})
 }
 
-declare_package android_sdk \
+declare_package swift_android_sdk \
                 "Swift SDK for Android" \
                 "Apache-2.0" "https://swift.org/install"
 declare_package swift "swift" "Apache-2.0" "https://swift.org"
@@ -359,7 +359,6 @@ for arch in $archs; do
     groupend
 
     groupstart "Building libcurl for ${compiler_target_host}"
-    quiet_pushd ${swift_source_dir}/curl
         run cmake \
             -G Ninja \
             -S ${swift_source_dir}/curl \
@@ -393,9 +392,8 @@ for arch in $archs; do
 
         header "Installing libcurl for $arch"
         quiet_pushd ${build_dir}/$arch/curl
-            run ninja -j$parallel_jobs install
+            run cmake --install ${build_dir}/${arch}/curl
         quiet_popd
-    quiet_popd
     groupend
 
     groupstart "Building Android SDK for ${compiler_target_host}"
@@ -505,6 +503,96 @@ cat > info.json <<EOF
 }
 EOF
 
+spdx_uuid=$(uuidgen)
+spdx_doc_uuid=$(uuidgen)
+spdx_timestamp=$(date -Iseconds)
+
+# Now generate SPDX data
+cat > sbom.spdx.json <<EOF
+{
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "SBOM-SPDX-${spdx_uuid}",
+  "spdxVersion": "SPDX-2.3",
+  "creationInfo": {
+    "created": "${spdx_timestamp}",
+    "creators": [
+      "Organization: Apple, Inc."
+    ]
+  },
+  "dataLicense": "Apache-2.0",
+  "documentNamespace": "urn:uuid:${spdx_doc_uuid}",
+  "documentDescribes": [
+    "SPDXRef-Package-swift-android-sdk"
+  ],
+  "packages": [
+EOF
+
+first=true
+for package in ${packages[@]}; do
+    if [[ "$first" == "true" ]]; then
+        first=false
+    else
+        cat >> sbom.spdx.json <<EOF
+    },
+EOF
+    fi
+
+    snake=${package}_snake; snake=${!snake}
+    version=${package}_version; version=${!version}
+    name=${package}_name; name=${!name}
+    license=${package}_license; license=${!license}
+    url=${package}_url; url=${!url}
+
+    cat >> sbom.spdx.json <<EOF
+    {
+      "SPDXID": "SPDXRef-Package-${snake}",
+      "name": "${name}",
+      "versionInfo": "${version}",
+      "filesAnalyzed": false,
+      "licenseDeclared": "${license}",
+      "licenseConcluded": "${license}",
+      "downloadLocation": "${url}",
+      "copyrightText": "NOASSERTION",
+      "checksums": []
+EOF
+done
+
+cat >> sbom.spdx.json <<EOF
+    }
+  ],
+  "relationships": [
+EOF
+
+first=true
+for package in ${packages[@]}; do
+    if [[ "$package" == "swift_android_sdk" ]]; then
+        continue
+    fi
+
+    if [[ "$first" == "true" ]]; then
+        first=false
+    else
+        cat >> sbom.spdx.json <<EOF
+    },
+EOF
+    fi
+
+    snake=${package}_snake; snake=${!snake}
+
+    cat >> sbom.spdx.json <<EOF
+    {
+      "spdxElementId": "SPDXRef-Package-swift-android-sdk",
+      "relationshipType": "GENERATED_FROM",
+      "relatedSpdxElement": "SPDXRef-Package-${snake}"
+EOF
+done
+
+cat >> sbom.spdx.json <<EOF
+    }
+  ]
+}
+EOF
+
 mkdir -p $sdk_base
 quiet_pushd $sdk_base
 

swift-ci/sdks/android/scripts/fetch-source.sh

@@ -149,4 +149,3 @@ pushd boringssl >/dev/null 2>&1
 git checkout ${BORINGSSL_VERSION}
 popd >/dev/null 2>&1
 groupend
-

swift-ci/sdks/android/scripts/install-swift.sh

@@ -51,4 +51,3 @@ tar -xzf toolchain.tar.gz --directory ${destination} --strip-components=2
 chmod -R o+r ${destination}/lib/swift
 
 popd >/dev/null
-