
@cezar-r cezar-r commented Sep 23, 2025

Issue number: #584

Closes #584

Description of changes:
Use sbomtool to merge the SBOM packages into a single file for each of the SPDX and CycloneDX formats. Remove all of the prior SBOM packages.

Testing done:

  • Built and published a custom AMI and connected to it via Session Manager in the EC2 console. Verified that the host did not have a /usr/share/sboms directory but did have a /usr/share/bottlerocket/sbom/ directory containing image-spdx.json and image-cyclonedx.json.
bash-5.1# ls /usr/share/
audit/        brush/        eks/          i18n/         iproute2/     licenses/     logdog.d/     pci.ids       templates/    updog/        zoneinfo/
bottlerocket/ dbus-1/       factory/      info/         keyutils/     locale/       man/          storewolf/    terminfo/     xfsprogs/

bash-5.1# ls /usr/share/bottlerocket/sbom/
image-cyclonedx.json  image-spdx.json

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

rpkelly (Contributor) commented Oct 30, 2025

nit: this seems less like a chore and more like a feature

Comment on lines +259 to +260
# Install SBOM subpackages for each installed RPM (only for EROFS images)
if [[ "${EROFS_ROOT_PARTITION}" == "yes" ]]; then
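Review bot: the comment on the first line says the SBOM subpackages are installed "only for EROFS images" but not why, and gating on `EROFS_ROOT_PARTITION` means a non-EROFS build ships no SBOM at all without any warning. If the constraint is root filesystem size, say so in the comment and gate on a dedicated SBOM image feature flag (or always emit the merged files as build artifacts and only copy them into the image when the flag is set), so that a missing SBOM is an explicit choice rather than a side effect of the filesystem type.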
Contributor

This restriction doesn't make much sense as build system policy - "we will only produce SBOM artifacts if you're using EROFS".

Options:

  1. Drop it and do it unconditionally.
  2. Add a different image feature flag that's related to SBOM.
  3. Compress the SBOM files on disk, if that gives enough space?
  4. Emit the build artifacts always, and only add to the image if we're using EROFS?

Not sure which is best, assuming you can't just always include SBOM artifacts.

Comment on lines +264 to +266
if rpm -q --root "${ROOT_MOUNT}" "${sbom_rpm}" >/dev/null 2>&1; then
SBOM_RPMS+=("${sbom_rpm}")
else
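Review bot: `rpm -q --root "${ROOT_MOUNT}" "${sbom_rpm}" >/dev/null 2>&1` treats every non-zero exit as "not installed", so an rpmdb that cannot be opened under `${ROOT_MOUNT}` is indistinguishable from a genuinely absent SBOM package and the code falls through to the install path. Distinguish the two cases, for example by verifying the rpmdb once before the loop and failing the build if that query itself errors, instead of discarding stderr here.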
Contributor

This is to handle the case where someone adds foo-sbom to their variant's package list, so we've installed it? That seems pretty weird.

if [[ -n "${sbom_file}" ]]; then
if rpm -iv --ignorearch --root "${ROOT_MOUNT}" "${sbom_file}" >/dev/null 2>&1; then
SBOM_RPMS+=("${sbom_rpm}")
fi
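Review bot: the inner `if rpm -iv ... ; then SBOM_RPMS+=("${sbom_rpm}")` has no `else` branch, so a package whose SBOM fails to install is quietly dropped from `SBOM_RPMS` and the merged SBOM is incomplete with no error, which defeats the purpose of shipping it. Treat an install failure as a build error, or at least record the package name and fail at the end of the loop if any were skipped.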
Contributor

Need to fix your editor settings to not insert a mix of tabs/spaces. Please make sure this follows existing whitespace conventions.

sbom_file=$(find "${EXTERNAL_KITS_PATH}" -name "${sbom_rpm}*.rpm" -print -quit)
fi
if [[ -n "${sbom_file}" ]]; then
if rpm -iv --ignorearch --root "${ROOT_MOUNT}" "${sbom_file}" >/dev/null 2>&1; then
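Review bot: `--ignorearch` on the `rpm -iv` line disables rpm's architecture check for the SBOM package; if the `-sbom` subpackages are noarch the flag is unnecessary, and if they carry an architecture it hides a mismatch between the SBOM and the image being built. Drop the flag, or add a comment explaining why an architecture mismatch is acceptable for these packages.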
Contributor

We shouldn't install packages only to turn around and erase them. We can rpm -iv them into a separate directory, not the final root.

Comment on lines +267 to +270
# Check if SBOM package file exists in local packages or external kits
sbom_file=$(find "${PACKAGE_DIR}" -maxdepth 1 -name "${sbom_rpm}*.rpm" -print -quit)
if [[ -z "${sbom_file}" && -n "${EXTERNAL_KITS_PATH}" ]]; then
sbom_file=$(find "${EXTERNAL_KITS_PATH}" -name "${sbom_rpm}*.rpm" -print -quit)
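Review bot: `find ... -name "${sbom_rpm}*.rpm" -print -quit` is a prefix glob, so a package whose name merely begins with `${sbom_rpm}` (a hypothetical `foo-sbom-extra` next to `foo-sbom`) can be picked up, and when several versions of the same RPM are present `-quit` returns whichever one the filesystem lists first, making the chosen SBOM non-deterministic. Match the full `name-version-release.arch.rpm` pattern (or resolve the file from the rpmdb or kit metadata) and fail if more than one candidate matches.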
Contributor

This seems pretty hacky and I think we can do better:

  1. Add an "sbom" subpackage to metadata.spec.
  2. Have it Provides: %{_cross_os}image-metadata(sbom) (and Requires: %{name}).
  3. Copy rpmdb from ${ROOT_MOUNT} into new temp dir ${SBOM_MOUNT}.
  4. Install metadata-sbom into ${SBOM_MOUNT} via rpm -iv.
  5. For each of the RPM SBOM packages, add Supplements: (%{_cross_os}image-metadata(sbom) if %{name}).

That should give you a new temporary directory with only the SBOM files installed, which you can then concatenate together.
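Both the PR description ("merge SBOM packages into a single file") and the last step above ("concatenate together") end in a merge, and SPDX JSON fragments cannot simply be concatenated: each per-package document calls itself SPDXRef-DOCUMENT and reuses element ids such as SPDXRef-Package, so the ids collide. The following is an added example, not the PR's code, not Bottlerocket's build script and not sbomtool. It rewrites each fragment's ids into a per-package namespace, checks that every relationship still resolves, and refuses to emit a document when an installed package has no fragment, so an incomplete SBOM fails the build instead of shipping silently. The fragment contents, package names, versions and example.invalid namespaces are constructed for illustration.

```python
import json
import re
from typing import Dict, Iterable, List


class MissingSbomError(Exception):
    """An installed package has no SBOM fragment: refuse to emit a partial SBOM."""


# Constructed sample input: the kind of per-RPM fragment a "<pkg>-sbom"
# subpackage might ship. Names, versions and namespaces are hypothetical.
SAMPLE_FRAGMENTS: List[Dict] = [
    {
        "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "zlib",
        "documentNamespace": "https://example.invalid/spdx/zlib",
        "packages": [
            {"SPDXID": "SPDXRef-Package", "name": "zlib",
             "versionInfo": "1.3.1", "downloadLocation": "NOASSERTION"},
        ],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": "SPDXRef-Package"},
        ],
    },
    {
        "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "openssl",
        "documentNamespace": "https://example.invalid/spdx/openssl",
        "packages": [
            {"SPDXID": "SPDXRef-Package", "name": "openssl",
             "versionInfo": "3.0.14", "downloadLocation": "NOASSERTION"},
            {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib",
             "versionInfo": "1.3.1", "downloadLocation": "NOASSERTION"},
        ],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": "SPDXRef-Package"},
            {"spdxElementId": "SPDXRef-Package", "relationshipType": "DEPENDS_ON",
             "relatedSpdxElement": "SPDXRef-Package-zlib"},
        ],
    },
]


def _tag(fragment_name: str) -> str:
    # SPDX identifiers may only contain letters, digits, "." and "-".
    return re.sub(r"[^A-Za-z0-9.-]", "-", fragment_name)


def _rename(spdx_id: str, tag: str) -> str:
    # Every fragment is SPDXRef-DOCUMENT to itself and reuses ids like
    # SPDXRef-Package, so local ids get a per-fragment tag in the merged document.
    if spdx_id == "SPDXRef-DOCUMENT":
        return "SPDXRef-DOCUMENT"          # fragment document -> merged document
    if spdx_id.startswith("SPDXRef-"):
        return f"SPDXRef-{tag}-{spdx_id[len('SPDXRef-'):]}"
    return spdx_id                         # NOASSERTION, NONE, DocumentRef-... untouched


def merge_spdx(fragments: List[Dict], installed: Iterable[str],
               image_name: str = "image") -> Dict:
    """Merge fragments into one document; fail if an installed package has none."""
    missing = sorted(set(installed) - {f["name"] for f in fragments})
    if missing:
        raise MissingSbomError(f"no SBOM fragment for installed packages: {missing}")

    merged: Dict = {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT", "name": image_name,
        # Hypothetical namespace; a real build would derive it from the image id.
        "documentNamespace": f"https://example.invalid/spdx/{image_name}",
        "packages": [], "files": [], "relationships": [],
    }
    seen_ids = set()
    for frag in fragments:
        if frag.get("spdxVersion") != "SPDX-2.3":
            raise ValueError(f"{frag.get('name')}: unsupported {frag.get('spdxVersion')}")
        tag = _tag(frag["name"])
        for section in ("packages", "files"):
            for element in frag.get(section, []):
                renamed = dict(element)
                renamed["SPDXID"] = _rename(element["SPDXID"], tag)
                if renamed["SPDXID"] in seen_ids:
                    raise ValueError(f"duplicate SPDXID after renaming: {renamed['SPDXID']}")
                seen_ids.add(renamed["SPDXID"])
                merged[section].append(renamed)
        for rel in frag.get("relationships", []):
            merged["relationships"].append({
                "spdxElementId": _rename(rel["spdxElementId"], tag),
                "relationshipType": rel["relationshipType"],
                "relatedSpdxElement": _rename(rel["relatedSpdxElement"], tag),
            })

    # Every SPDXRef- used by a relationship must resolve inside the merged document.
    known = seen_ids | {"SPDXRef-DOCUMENT"}
    for rel in merged["relationships"]:
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel[key].startswith("SPDXRef-") and rel[key] not in known:
                raise ValueError(f"dangling relationship reference: {rel[key]}")
    if not merged["files"]:
        del merged["files"]
    return merged


if __name__ == "__main__":
    print(json.dumps(merge_spdx(SAMPLE_FRAGMENTS, ["zlib", "openssl"]), indent=2))
```

The `installed` list is the set of package names the build actually put into the root (what `rpm -qa --root` would report); passing it in is what turns a missing `-sbom` subpackage from a silent omission into a hard failure. The example does not deduplicate semantically identical packages across fragments (zlib appears both as its own package and as openssl's dependency); that is a policy decision for the merge tool rather than an id-rewriting problem.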


Development

Successfully merging this pull request may close these issues.

Merge SBOM packages