build: generate per-image SBOMs (CycloneDX 1.6 + SPDX 2.3)#1133
Open
bhouse-nexthop wants to merge 1 commit into
Open
build: generate per-image SBOMs (CycloneDX 1.6 + SPDX 2.3)#1133bhouse-nexthop wants to merge 1 commit into
bhouse-nexthop wants to merge 1 commit into
Conversation
Emit a Software Bill of Materials alongside every image describing the third-party software compiled from source and installed into that machine's rootfs/initramfs, plus the boot/runtime components (kernel, uClibc-ng, GCC runtime, bootloader). scripts/gen-sbom.py is machine-agnostic: it introspects the build system (make --eval) to enumerate the enabled SYSROOTDIR-installing fragments and their final versions/tarballs/source URLs, pins each by sha256, records applied patches as CycloneDX pedigree, and detects licenses from the already-extracted sources via askalono (with deterministic overrides in conf/sbom/license-overrides.json for genuinely multi-license or hard-to-detect components). CycloneDX 1.6 is the source of truth; SPDX 2.3 is produced from it via cyclonedx-cli (run in invariant-globalization mode so it needs no ICU package). make/sbom.make wires `make MACHINE=<m> sbom` and folds the SBOM into `all`, so it is always produced. The required tools (askalono, cyclonedx-cli, and grype for the vulnerability scan) are pinned + sha256-verified by scripts/install-sbom-tools.sh; when they are not already on PATH the build provisions them into a writable build-local prefix (build/sbom-tools/bin) without root, so a full-fidelity SBOM is produced in any environment. If provisioning fails (e.g. no network) the generator degrades gracefully to a CycloneDX-only, NOASSERTION SBOM. scripts/sbom-vuln-scan.py scans the SBOM with grype, suppresses CVEs already fixed by ONIE patches via OpenVEX, and renders a Markdown table (report only -- always exits 0). The CI workflow runs `make sbom-vuln-scan` after the build and publishes the table to the job log and the run summary. README.sbom documents the feature. Signed-off-by: Brad House <bhouse@nexthop.ai>
a6238fc to
7c5de1a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Targets
onie-modernization-2026. Independent — not stacked on any other modernization PR. It depends only on the CI workflow already present ononie-modernization-2026(from #1114), applies cleanly, and itsgen-sbom.py/sbom-vuln-scan.pyrun underpython3directly (they need python3 on the build host, not the ONIE python2→python3 port).What this does
Adds a per-image SBOM subsystem:
scripts/gen-sbom.py— machine-agnostic; introspectsmake --evalfor the enabled source-built fragments (plus boot/runtime: kernel, uClibc-ng, GCC runtime, shim, u-boot) and emits CycloneDX 1.6 (source of truth) → SPDX 2.3. Each component hash is computed from the actual downloaded tarball.make/sbom.make— wiresmake MACHINE=<m> sbom, folded intoall.scripts/install-sbom-tools.sh— pins (with checksums) and self-provisions askalono / cyclonedx-cli / grype intobuild/sbom-tools/bin(no root; degrades gracefully offline).scripts/sbom-vuln-scan.py— grype + OpenVEX (patch-mined CVEs) → Markdown table; CI runsmake sbom-vuln-scanpost-build and appends it to the run summary (non-gating).conf/sbom/{cpe,license}-overrides.json,README.sbom, and a smallbuild-onie.ymlstep.Independence note
The SBOM hashing is deliberately independent of the sha1→sha512 checksum PR (#1132):
gen-sbom.pyhashes the downloaded tarball in$(DOWNLOADDIR)directly, notupstream/*.sha*.Testing
Validated in the prior stack (CI-green: builds the SBOM and appends the vuln table to the run summary).