mirror of
https://git.jami.net/savoirfairelinux/jami-daemon.git
synced 2025-08-12 22:09:25 +08:00
sbom: add a cyclonedx generation for make rules
Using `make cyclonedx` will generate a CycloneDX SBOM for the project. This include only basic informations about components and dependencies. GitLab: #1021 Change-Id: I5443de18abd0e2f584f0c600df15ff6c3cdf55fa
This commit is contained in:
Louis Maillard
committed by
Adrien Béraud
Adrien Béraud
parent
7220a71ce0
commit
6d98bac2e8
@ -311,6 +311,7 @@ Other targets:
|
||||
* make mostlyclean clean everything except source tarballs
|
||||
* make clean clean everything
|
||||
* make package prepare prebuilt packages
|
||||
* make cyclonedx generate a CycloneDX SBOM file
|
||||
EOF
|
||||
|
||||
mkdir -p ../tarballs || exit $?
|
||||
|
||||
85
contrib/src/cyclonedx.sh
Executable file
85
contrib/src/cyclonedx.sh
Executable file
@ -0,0 +1,85 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Take as input a list of CPE id (string), parse them and output a minimal CycloneDX SBOM file in JSON format
|
||||
#
|
||||
# Copyright (C) 2024 Savoir-faire Linux, Inc.
|
||||
|
||||
set -euo pipefail # Enable error checking
|
||||
|
||||
|
||||
function main() {
|
||||
local list_cpe=$1
|
||||
local output="common-jami-daemon.cdx.json"
|
||||
|
||||
cat <<EOF > $output
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.5",
|
||||
"serialNumber": "urn:uuid:$(uuidgen)",
|
||||
"version": 1,
|
||||
"metadata": {
|
||||
"timestamp": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
|
||||
},
|
||||
"components": [
|
||||
EOF
|
||||
|
||||
local already_done=()
|
||||
local components_writed=0
|
||||
|
||||
for cpe in $list_cpe; do
|
||||
# Skip duplicates
|
||||
# shellcheck disable=SC2076 # CPE is not a regex
|
||||
if [[ " ${already_done[*]} " =~ " ${cpe} " ]]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
# Split CPE v2.3 string to extract vendor, product, and version
|
||||
IFS=':' read -r -a cpe_parts <<< "$cpe"
|
||||
# Assuming standard CPE v2.3 format: cpe:2.3:a:vendor:product:version:...
|
||||
vendor="${cpe_parts[3]}"
|
||||
product="${cpe_parts[4]}"
|
||||
version="${cpe_parts[5]}"
|
||||
|
||||
case "${cpe_parts[2]}" in
|
||||
o)
|
||||
kind="operating-system"
|
||||
;;
|
||||
h)
|
||||
kind="device"
|
||||
;;
|
||||
*)
|
||||
kind="library"
|
||||
;;
|
||||
esac
|
||||
|
||||
if (( components_writed >= 1 )); then
|
||||
echo " }," >> $output
|
||||
fi
|
||||
|
||||
cat <<EOF >> $output
|
||||
{
|
||||
"type": "$kind",
|
||||
"bom-ref": "$cpe",
|
||||
"publisher": "$vendor",
|
||||
"name": "$product",
|
||||
"version": "$version",
|
||||
"cpe": "$cpe"
|
||||
EOF
|
||||
|
||||
already_done+=("$cpe")
|
||||
components_writed=$((components_writed + 1))
|
||||
done
|
||||
|
||||
if (( components_writed >= 1 )); then
|
||||
echo " }" >> $output
|
||||
fi
|
||||
|
||||
cat <<EOF >> $output
|
||||
]
|
||||
}
|
||||
EOF
|
||||
|
||||
echo "CycloneDX SBOM file generated: $output (contains $components_writed components)"
|
||||
}
|
||||
|
||||
main "$@"
|
||||
@ -506,6 +506,9 @@ package: install
|
||||
|
||||
pprint = @echo ' $(or $(sort $1), None)' | fmt
|
||||
|
||||
cyclonedx:
|
||||
@$(SRC)/cyclonedx.sh "$(PKG_CPE)"
|
||||
|
||||
list:
|
||||
@echo All packages:
|
||||
$(call pprint,$(PKGS_ALL))
|
||||
|
||||
Reference in New Issue
Block a user