From 2269c43eee491b8c7a60042e0ce5e910f7870104 Mon Sep 17 00:00:00 2001
From: Andrew Leonard
Date: Tue, 3 Dec 2024 10:23:58 +0000
Subject: [PATCH 1/9] XML SBOM

Signed-off-by: Andrew Leonard
---
 sbin/build.sh | 107 +++++++++++++++++++++++++-------------------------
 1 file changed, 54 insertions(+), 53 deletions(-)

diff --git a/sbin/build.sh b/sbin/build.sh
index 14c8ffbac..bb956218c 100755
--- a/sbin/build.sh
+++ b/sbin/build.sh
@@ -928,14 +928,15 @@ getCyclonedxClasspath() { local CYCLONEDB_JAR_DIR="${CYCLONEDB_DIR}/build/jar" - local classpath="${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar:${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar:${CYCLONEDB_JAR_DIR}/jackson-core.jar:${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar:${CYCLONEDB_JAR_DIR}/jackson-databind.jar:${CYCLONEDB_JAR_DIR}/jackson-annotations.jar:${CYCLONEDB_JAR_DIR}/json-schema-validator.jar:${CYCLONEDB_JAR_DIR}/commons-codec.jar:${CYCLONEDB_JAR_DIR}/commons-io.jar:${CYCLONEDB_JAR_DIR}/github-package-url.jar:${CYCLONEDB_JAR_DIR}/commons-collections4.jar" + local classpath="${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar:${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar:${CYCLONEDB_JAR_DIR}/jackson-core.jar:${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar:${CYCLONEDB_JAR_DIR}/jackson-databind.jar:${CYCLONEDB_JAR_DIR}/jackson-annotations.jar:${CYCLONEDB_JAR_DIR}/json-schema-validator.jar:${CYCLONEDB_JAR_DIR}/commons-codec.jar:${CYCLONEDB_JAR_DIR}/commons-io.jar:${CYCLONEDB_JAR_DIR}/github-package-url.jar:${CYCLONEDB_JAR_DIR}/commons-collections4.jar:${CYCLONEDB_JAR_DIR}/stax2-api.jar:${CYCLONEDB_JAR_DIR}/woodstox-core.jar:${CYCLONEDB_JAR_DIR}/commons-lang3.jar" if [[ "$OSTYPE" == "cygwin" ]] || [[ "$OSTYPE" == "msys" ]]; then classpath="" for jarfile in "${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar" "${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar" \ "${CYCLONEDB_JAR_DIR}/jackson-core.jar" "${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar" \ "${CYCLONEDB_JAR_DIR}/jackson-databind.jar" "${CYCLONEDB_JAR_DIR}/jackson-annotations.jar" \ "${CYCLONEDB_JAR_DIR}/json-schema-validator.jar" "${CYCLONEDB_JAR_DIR}/commons-codec.jar" "${CYCLONEDB_JAR_DIR}/commons-io.jar" \ - "${CYCLONEDB_JAR_DIR}/github-package-url.jar" "${CYCLONEDB_JAR_DIR}/commons-collections4.jar"; + "${CYCLONEDB_JAR_DIR}/github-package-url.jar" "${CYCLONEDB_JAR_DIR}/commons-collections4.jar" \ + "${CYCLONEDB_JAR_DIR}/stax2-api.jar" "${CYCLONEDB_JAR_DIR}/woodstox-core.jar" 
"${CYCLONEDB_JAR_DIR}/commons-lang3.jar"; do classpath+=$(cygpath -w "${jarfile}")";" done 
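Review bot: The three new jars (stax2-api, woodstox-core, commons-lang3) are added to both copies of the jar list — the colon-joined `classpath` string and the cygwin/msys `for jarfile in …` loop — so the two lists now have to be kept in sync by hand, and a future addition that touches only one silently changes what runs on Windows versus everywhere else. Building one array of jar paths and deriving both forms from it (`classpath=$(IFS=:; printf '%s' "${jars[*]}")` on POSIX, the existing `cygpath -w` loop over `"${jars[@]}"` on Windows) would remove the duplication. Separately, `addCycloneDXVersions` later in this patch echoes `ERROR: Cannot determine jar version` for any jar without a `<name>.version=` entry in `dependency_data.properties` and does not fail the build, and this commit's diffstat touches only `sbin/build.sh`; assuming its loop covers the jars on this classpath and that file does not already list the new ones, the SBOM formulation will record their SHAs without versions and nobody will notice. The enclosing function ends outside the hunk.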
@@ -964,46 +965,46 @@ generateSBoM() { local sbomTargetName=$(getTargetFileNameForComponent "sbom") # Remove the tarball / zip extension from the name to be used for the SBOM if [[ "$OSTYPE" == "cygwin" ]] || [[ "$OSTYPE" == "msys" ]]; then - sbomTargetName=$(echo "${sbomTargetName}.json" | sed "s/\.zip//") + sbomTargetName=$(echo "${sbomTargetName}.xml" | sed "s/\.zip//") else - sbomTargetName=$(echo "${sbomTargetName}.json" | sed "s/\.tar\.gz//") + sbomTargetName=$(echo "${sbomTargetName}.xml" | sed "s/\.tar\.gz//") fi - local sbomJson="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} ${sbomTargetName})" - echo "OpenJDK SBOM will be ${sbomJson}." + local sbomXml="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} ${sbomTargetName})" + echo "OpenJDK SBOM will be ${sbomXml}." - # Clean any old json - rm -f "${sbomJson}" + # Clean any old xml + rm -f "${sbomXml}" local fullVer=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersion.txt") local fullVerOutput=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersionOutput.txt") - # Create initial SBOM json - createSBOMFile "${javaHome}" "${classpath}" "${sbomJson}" + # Create initial SBOM xml + createSBOMFile "${javaHome}" "${classpath}" "${sbomXml}" # Set default SBOM metadata - addSBOMMetadata "${javaHome}" "${classpath}" "${sbomJson}" + addSBOMMetadata "${javaHome}" "${classpath}" "${sbomXml}" # Create component to metadata in SBOM - addSBOMMetadataComponent "${javaHome}" "${classpath}" "${sbomJson}" "Eclipse Temurin" "framework" "${fullVer}" "Eclipse Temurin components" + addSBOMMetadataComponent "${javaHome}" "${classpath}" "${sbomXml}" "Eclipse Temurin" "framework" "${fullVer}" "Eclipse Temurin components" # Below add property to metadata # Add OS full version (Kernel is covered in the first field) - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS version" 
"${BUILD_CONFIG[OS_FULL_VERSION]^}" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "OS version" "${BUILD_CONFIG[OS_FULL_VERSION]^}" # TODO: Replace this "if" with its predecessor (commented out below) once # OS_ARCHITECTURE has been replaced by the new target architecture variable. # This is because OS_ARCHITECTURE is currently the build arch, not the target arch, # and that confuses things when cross-compiling an x64 mac build on arm mac. - # addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" + # addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" if [[ "${BUILD_CONFIG[TARGET_FILE_NAME]}" =~ .*_x64_.* ]]; then - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "x86_64" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "OS architecture" "x86_64" else - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" fi # Set default SBOM formulation - addSBOMFormulation "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" - addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" - addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" + addSBOMFormulation "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" + addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" "CycloneDX jar SHAs" + addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" "CycloneDX jar versions" # Below add build tools into metadata tools if [ "${BUILD_CONFIG[OS_KERNEL_NAME]}" == "linux" ]; then 
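Review bot: The only behavioural change in this hunk is the output suffix (`.json` → `.xml`); the code that serialises the BOM lives in `createSBOMFile` and the `temurin-gen-sbom` jar, neither of which is in this commit (the diffstat lists only `sbin/build.sh`), so it is worth confirming the generator actually selects XML output from the file suffix rather than writing JSON into a file named `.xml`. While these lines are being touched, `$(echo "${sbomTargetName}.xml" | sed "s/\.zip//")` deletes the first `.zip` anywhere in the name rather than a trailing extension; `sbomTargetName="${sbomTargetName%.zip}.xml"` (and `${sbomTargetName%.tar.gz}.xml` in the else branch) is exact and avoids two forks — the same lines reappear, with `.json`, in patch 4/9 of this series. `local sbomXml="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} …)"` still passes its path components unquoted, so a workspace path containing spaces would be split into separate arguments. The enclosing function `generateSBoM` continues past the end of the hunk.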
@@ -1030,7 +1031,7 @@ generateSBoM() { # Add FreeMarker 3rd party (openj9) local freemarker_version="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} 'metadata/dependency_version_freemarker.txt')" if [ -f "${freemarker_version}" ]; then - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "FreeMarker" "$(cat ${freemarker_version})" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "FreeMarker" "$(cat ${freemarker_version})" fi # Add CycloneDX versions addCycloneDXVersions @@ -1039,10 +1040,10 @@ generateSBoM() { local buildimagesha=$(cat ${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/docker.txt) # ${BUILD_CONFIG[CONTAINER_COMMAND]^} always set to false cannot rely on it. if [ -n "${buildimagesha}" ] && [ "${buildimagesha}" != "N.A" ]; then - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "Use Docker for build" "true" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "Docker image SHA1" "${buildimagesha}" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "Use Docker for build" "true" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "Docker image SHA1" "${buildimagesha}" else - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "Use Docker for build" "false" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "Use Docker for build" "false" fi checkingToolSummary 
@@ -1079,41 +1080,41 @@ generateSBoM() { local sha=$(sha256File "${archiveFile}") # Create JDK Component - addSBOMComponent "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "${fullVer}" "${BUILD_CONFIG[BUILD_VARIANT]^} ${component} Component" + addSBOMComponent "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "${fullVer}" "${BUILD_CONFIG[BUILD_VARIANT]^} ${component} Component" # Add SHA256 hash for the component - addSBOMComponentHash "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "${sha}" + addSBOMComponentHash "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "${sha}" # Below add different properties to JDK component # Add target archive name as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Filename" "${archiveName}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Filename" "${archiveName}" # Add variant as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "JDK Variant" "${BUILD_CONFIG[BUILD_VARIANT]^}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "JDK Variant" "${BUILD_CONFIG[BUILD_VARIANT]^}" # Add scmRef as JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "SCM Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/scmref.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "SCM Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/scmref.txt" # Add OpenJDK source ref commit as JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "OpenJDK Source Commit" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/openjdkSource.txt" + addSBOMComponentPropertyFromFile 
"${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "OpenJDK Source Commit" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/openjdkSource.txt" # Add buildRef as JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Temurin Build Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Temurin Build Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt" # Add jenkins job ID as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Builder Job Reference" "${BUILD_URL:-N.A}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Builder Job Reference" "${BUILD_URL:-N.A}" # Add jenkins builder (agent/machine name) as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Builder Name" "${NODE_NAME:-N.A}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Builder Name" "${NODE_NAME:-N.A}" # Add build timestamp - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Timestamp" "${BUILD_CONFIG[BUILD_TIMESTAMP]}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Build Timestamp" "${BUILD_CONFIG[BUILD_TIMESTAMP]}" # Add Tool Summary section from configure.txt - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Tools Summary" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_tool_sum.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Build Tools Summary" 
"${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_tool_sum.txt" # Add builtConfig JDK Component Property, load as Json string built_config=$(createConfigToJsonString) - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Config" "${built_config}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Build Config" "${built_config}" # Add full_version_output JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "full_version_output" "${fullVerOutput}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "full_version_output" "${fullVerOutput}" # Add makejdk_any_platform_args JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "makejdk_any_platform_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "makejdk_any_platform_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args" # Add make_command_args JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "make_command_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/makeCommandArg.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "make_command_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/makeCommandArg.txt" done 
@@ -1158,11 +1159,11 @@ generateSBoM() { devkit_path=$(echo ${devkit_path} | sed 's,\./,,' | sed 's,//,/,') bootjdk_path=$(echo ${bootjdk_path} | sed 's,\./,,' | sed 's,//,/,') - bash "$SCRIPT_DIR/../tooling/strace_analysis.sh" "${straceOutputDir}" "${temurinBuildDir}" "${bootjdk_path}" "${classpath}" "${sbomJson}" "${buildOutputDir}" "${openjdkSrcDir}" "${javaHome}" "${toolchain_path}" + bash "$SCRIPT_DIR/../tooling/strace_analysis.sh" "${straceOutputDir}" "${temurinBuildDir}" "${bootjdk_path}" "${classpath}" "${sbomXml}" "${buildOutputDir}" "${openjdkSrcDir}" "${javaHome}" "${toolchain_path}" fi # Print SBOM location - echo "CycloneDX SBOM has been created in ${sbomJson}" + echo "CycloneDX SBOM has been created in ${sbomXml}" } # Generate build tools info into dependency file @@ -1233,7 +1234,7 @@ addFreeTypeVersionInfo() { version="${ver_major}.${ver_minor}.${ver_patch}" fi - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "FreeType" "${version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "FreeType" "${version}" } # Determine and store CycloneDX SHAs that have been used to provide the SBOMs 
@@ -1249,12 +1250,12 @@ addCycloneDXVersions() { else JarSha=$(sha256sum "$JAR" | cut -d' ' -f1) fi - addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}" + addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}" # Now the jar's SHA has been added, we add the version string. JarDepsFile="$(joinPath ${CYCLONEDB_DIR} dependency_data/dependency_data.properties)" JarVersionString=$(grep "${JarName}\.version=" "${JarDepsFile}" | cut -d'=' -f2) if [ -n "${JarVersionString}" ]; then - addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}" + addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}" elif [ "${JarName}" != "temurin-gen-sbom" ]; then echo "ERROR: Cannot determine jar version from ${JarDepsFile} for SBOM creation dependency ${JarName}.jar." fi @@ -1295,7 +1296,7 @@ addALSAVersion() { fi echo "Adding ALSA version to SBOM: ${ALSA_VERSION}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "ALSA" "${ALSA_VERSION}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "ALSA" "${ALSA_VERSION}" fi } @@ -1354,7 +1355,7 @@ addGLIBCforLinux() { # Get musl build ldd version local MUSL_VERSION="$(ldd --version 2>&1 | grep "Version" | tr -s " " | cut -d" " -f2)" echo "Adding MUSL version to SBOM: ${MUSL_VERSION}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MUSL" "${MUSL_VERSION}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MUSL" "${MUSL_VERSION}" else # Get GLIBC from configured build spec.gmk sysroot and features.h definitions local GLIBC_MAJOR=$(getHeaderPropertyUsingCompiler "features.h" "#define[ ]+__GLIBC__") 
@@ -1362,7 +1363,7 @@ addGLIBCforLinux() { local GLIBC_VERSION="${GLIBC_MAJOR}.${GLIBC_MINOR}" echo "Adding GLIBC version to SBOM: ${GLIBC_VERSION}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "GLIBC" "${GLIBC_VERSION}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "GLIBC" "${GLIBC_VERSION}" fi } @@ -1372,7 +1373,7 @@ addGCC() { local gcc_version="$(sed -n '/^Tools summary:$/,$p' "${inputConfigFile}" | tr -s " " | grep "C Compiler: Version" | cut -d" " -f5)" echo "Adding GCC version to SBOM: ${gcc_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "GCC" "${gcc_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "GCC" "${gcc_version}" } addCompilerWindows() { 
@@ -1392,13 +1393,13 @@ addCompilerWindows() { local msvs_cpp_version="$(grep -o -P '\* C\+\+ Compiler:\s+\K[^"]+' "${inputConfigFile}" | awk '{print $2}')" echo "Adding Windows Compiler versions to SBOM: ${msvs_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS Windows Compiler Version" "${msvs_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MSVS Windows Compiler Version" "${msvs_version}" echo "Adding Windows C Compiler version to SBOM: ${msvs_c_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS C Compiler Version" "${msvs_c_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MSVS C Compiler Version" "${msvs_c_version}" echo "Adding Windows C++ Compiler version to SBOM: ${msvs_cpp_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS C++ Compiler Version" "${msvs_cpp_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MSVS C++ Compiler Version" "${msvs_cpp_version}" echo "Adding Windows SDK version to SBOM: ${ucrt_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MS Windows SDK Version" "${ucrt_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MS Windows SDK Version" "${ucrt_version}" } addCompilerMacOS() { @@ -1408,7 +1409,7 @@ addCompilerMacOS() { local macx_version="$(grep ".* Toolchain:" "${inputConfigFile}" | awk -F ':' '{print $2}' | sed -e 's/^[ \t]*//')" echo "Adding MacOS compiler version to SBOM: ${macx_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MacOS Compiler" "${macx_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MacOS Compiler" "${macx_version}" } addBootJDK() { 
@@ -1423,7 +1424,7 @@ addBootJDK() { local bootjdk="$("${bootjava}" -XshowSettings 2>&1 | grep "java\.runtime\.version" | tr -s " " | cut -d" " -f4 | sed "s/\"//g")" echo "Adding BOOTJDK to SBOM: ${bootjdk}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "BOOTJDK" "${bootjdk}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "BOOTJDK" "${bootjdk}" } getGradleJavaHome() { From 4473c0972a81552ba9227ae7eb951f8d152a6648 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 4 Dec 2024 16:24:53 +0000 Subject: [PATCH 2/9] Some fixes for TemurinGenSBOM and latest CDXA update Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 184 +++++++++--------- .../src/temurin/sbom/TemurinGenCDXA.java | 17 +- .../src/temurin/sbom/TemurinGenSBOM.java | 66 +++++-- sbin/build.sh | 2 +- 4 files changed, 157 insertions(+), 112 deletions(-) diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index f4e11f65c..d145a3a8a 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -204,7 +204,7 @@ - + @@ -224,7 +224,7 @@ - + @@ -251,8 +251,8 @@ - - + + @@ -263,7 +263,7 @@ - + @@ -275,7 +275,7 @@ - + @@ -283,7 +283,7 @@ - + @@ -295,7 +295,7 @@ - + @@ -307,7 +307,7 @@ - + @@ -319,7 +319,7 @@ - + @@ -331,7 +331,7 @@ - + @@ -339,7 +339,7 @@ - + @@ -351,7 +351,7 @@ - + @@ -363,7 +363,7 @@ - + @@ -373,7 +373,7 @@ - + @@ -385,7 +385,7 @@ - + @@ -397,7 +397,7 @@ - + @@ -407,7 +407,7 @@ - + @@ -419,7 +419,7 @@ - + @@ -427,7 +427,7 @@ - + @@ -439,7 +439,7 @@ - + @@ -451,7 +451,7 @@ - + @@ -461,7 +461,7 @@ - + @@ -473,7 +473,7 @@ - + @@ -481,7 +481,7 @@ - + @@ -493,39 +493,35 @@ - + - - - - - - - + + + - + - + - - - - - - - + + + + + - + - + - - - + + + + + - + @@ -533,7 +529,7 @@ - + @@ -543,7 +539,7 @@ - + @@ -559,7 +555,7 @@ - + @@ -567,7 +563,7 @@ - + @@ -579,7 +575,7 @@ - + @@ -591,7 +587,7 @@ - + @@ -603,7 +599,7 @@ - + @@ -615,7 +611,7 @@ - + @@ -623,7 +619,7 @@ - + @@ -635,7 +631,7 @@ - + @@ -647,7 +643,7 @@ - + 
@@ -657,7 +653,7 @@ - + @@ -669,7 +665,7 @@ - + @@ -681,7 +677,7 @@ - + @@ -691,7 +687,7 @@ - + @@ -703,7 +699,7 @@ - + @@ -711,7 +707,7 @@ - + @@ -723,7 +719,7 @@ - + @@ -735,7 +731,7 @@ - + @@ -745,7 +741,7 @@ - + @@ -757,7 +753,7 @@ - + @@ -765,7 +761,7 @@ - + @@ -777,39 +773,37 @@ - + - - - - - - - + + + - + - + + + - - - - - - - + + + + + - + - + - - - + + + + + - + @@ -817,7 +811,7 @@ - + @@ -827,7 +821,7 @@ - + diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java index a1f02c0f1..7cf3d17a9 100644 --- a/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java +++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java @@ -102,7 +102,8 @@ public static void main(final String[] args) { } } - switch (cmd) { + try { + switch (cmd) { case "createCDXA": // Create a new CDXA json file Bom bom = createCdxa(fileName, attestingOrgName, predicate, targetName, targetUrl, targetHash, affirmationStmt, affirmationWebsite, thirdParty); if (bom != null) { @@ -113,8 +114,20 @@ public static void main(final String[] args) { break; default: - System.out.println("Please enter a command."); + // Echo input command: + for (int i = 0; i < args.length; i++) { + System.out.print(args[i] + " "); + } + System.out.println("\nPlease enter a valid command."); System.exit(1); + } + } catch(Exception e) { + // Echo input command: + for (int i = 0; i < args.length; i++) { + System.out.print(args[i] + " "); + } + System.out.println("\nException: "+e); + System.exit(1); } } diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java index 4533a9c37..496c1268d 100644 --- a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java +++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java 
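Review bot: The new diagnostics in `TemurinGenCDXA.main` go to `System.out` — both the echoed argument list and `"\nException: "+e` in the `catch` — so a failing run's error text is interleaved with normal output instead of going to `System.err`, where a caller that redirects or captures stdout would still see it. The same argument-echo loop appears twice here and twice more in `TemurinGenSBOM.java` in this commit; a small `static void printArgs(String[] args)` helper in each class would remove the repetition. Unlike its counterpart in `TemurinGenSBOM`, this `catch` does not call `e.printStackTrace()`, so the CDXA tool loses the stack trace on failure; the two should agree, e.g. `System.err.println("Exception: " + e); e.printStackTrace();`. Echoing the full argument list on every error also means each command-line value is written to the build log, which looks harmless for this tool's current inputs but is worth remembering if a credential-bearing argument is ever added. The `@@ -102` hunk that opens the `try` belongs to the same method.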
@@ -23,6 +23,7 @@ import org.cyclonedx.model.formulation.Formula; import org.cyclonedx.model.Hash; import org.cyclonedx.model.Metadata; +import org.cyclonedx.model.metadata.ToolInformation; import org.cyclonedx.model.OrganizationalContact; import org.cyclonedx.model.OrganizationalEntity; import org.cyclonedx.model.Property; @@ -110,10 +111,6 @@ public static void main(final String[] args) { cmd = "addComponentHash"; } else if (args[i].equals("--addComponentProp")) { // Components --> Property: will add name-value. cmd = "addComponentProp"; - } else if (args[i].equals("--addExternalReference")) { - cmd = "addExternalReference"; - } else if (args[i].equals("--addComponentExtRef")) { - cmd = "addComponentExternalReference"; } else if (args[i].equals("--addMetadataTools")) { cmd = "addMetadataTools"; } else if (args[i].equals("--addFormulation")) { // Formulation Component. We can set "name" for Formulation. @@ -126,7 +123,8 @@ public static void main(final String[] args) { verbose = true; } } - switch (cmd) { + try { + switch (cmd) { case "createNewSBOM": // Creates new SBOM Bom bom = createBom(); writeFile(bom, fileName); @@ -182,7 +180,21 @@ public static void main(final String[] args) { break; default: - System.out.println("Please enter a command."); + // Echo input command: + for (int i = 0; i < args.length; i++) { + System.out.print(args[i] + " "); + } + System.out.println("\nPlease enter a valid command."); + System.exit(1); + } + } catch(Exception e) { + // Echo input command: + for (int i = 0; i < args.length; i++) { + System.out.print(args[i] + " "); + } + System.out.println("\nException: "+e); +e.printStackTrace(); + System.exit(1); } } 
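Review bot: In the `@@ -182` hunk `e.printStackTrace();` sits at column 0, out of step with the surrounding indentation, and the stack trace goes to stderr while the `"\nException: "+e` line beside it goes to `System.out`, so the two halves of one diagnostic land on different streams; `System.err.println("Exception: " + e);` keeps them together. The `@@ -110` hunk removes the `--addExternalReference` and `--addComponentExtRef` option parsing; if the corresponding `case` arms of the `switch` (below this hunk, not visible here) were not removed as well, they are now unreachable and should go too. The `try { switch (cmd) {` wrapper added at `@@ -126` nests the existing `case` labels one level deeper without re-indenting them (they appear as unchanged context), which the project's formatter or checkstyle may flag. `main` starts before the first of these hunks.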
@@ -196,10 +208,19 @@ static Bom createBom() { return bom; } + // Create Metadata if it doesn't exist + static Metadata getBomMetadata(Bom bom) { + Metadata metadata = bom.getMetadata(); + if (metadata == null) { + metadata = new Metadata(); + } + return metadata; + } + // Method to store Metadata --> name. static Bom addMetadata(final String fileName) { Bom bom = readFile(fileName); - Metadata meta = new Metadata(); + Metadata meta = getBomMetadata(bom); OrganizationalEntity org = new OrganizationalEntity(); org.setName("Eclipse Foundation"); org.setUrls(Collections.singletonList("https://www.eclipse.org/")); @@ -213,7 +234,7 @@ static Bom addMetadata(final String fileName) { static Bom addMetadataComponent(final String fileName, final String name, final String type, final String version, final String description) { Bom bom = readFile(fileName); - Metadata meta = new Metadata(); + Metadata meta = getBomMetadata(bom); Component comp = new Component(); Component.Type compType = Component.Type.FRAMEWORK; switch (type) { @@ -235,9 +256,8 @@ static Bom addMetadataComponent(final String fileName, final String name, final // Method to store Metadata --> Properties List --> name-values. static Bom addMetadataProperty(final String fileName, final String name, final String value) { Bom bom = readFile(fileName); - Metadata meta = new Metadata(); + Metadata meta = getBomMetadata(bom); Property prop1 = new Property(); - meta = bom.getMetadata(); prop1.setName(name); prop1.setValue(value); meta.addProperty(prop1); 
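Review bot: `getBomMetadata` returns a fresh `Metadata` when the BOM has none but does not attach it, so every caller must remember `bom.setMetadata(meta)`; `addMetadataTools` does (visible in the following hunk), but the tails of `addMetadataProperty` at `@@ -235` and `addMetadataComponent` at `@@ -213` lie outside these hunks, and if either still relies on the old in-place mutation of `bom.getMetadata()` the property or component added to a newly created object is silently dropped. Attaching it in the helper removes that dependency on each caller: `if (metadata == null) { metadata = new Metadata(); bom.setMetadata(metadata); }`. The helper also takes `Bom bom` without `final`, unlike every other parameter in this class, and its `// Create Metadata if it doesn't exist` comment could state what the caller receives: `// Return the BOM's Metadata, creating an empty one if it has none`.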
@@ -247,12 +267,30 @@ static Bom addMetadataProperty(final String fileName, final String name, final S static Bom addMetadataTools(final String fileName, final String toolName, final String version) { Bom bom = readFile(fileName); - Metadata meta = new Metadata(); - Tool tool = new Tool(); - meta = bom.getMetadata(); + Metadata meta = getBomMetadata(bom); + + // Create Tool Component + Component tool = new Component(); + tool.setType(Component.Type.APPLICATION); tool.setName(toolName); tool.setVersion(version); - meta.addTool(tool); + + // Create ToolInformation if not already + ToolInformation tools = meta.getToolChoice(); + if (tools == null) { + tools = new ToolInformation(); + } + + // Create new components array, add existing to it + List components = tools.getComponents(); + if (components == null) { + components = new LinkedList(); + } + + components.add(tool); + tools.setComponents(components); + meta.setToolChoice(tools); + bom.setMetadata(meta); return bom; } diff --git a/sbin/build.sh b/sbin/build.sh index bb956218c..9120e2121 100755 --- a/sbin/build.sh +++ b/sbin/build.sh @@ -1256,7 +1256,7 @@ addCycloneDXVersions() { JarVersionString=$(grep "${JarName}\.version=" "${JarDepsFile}" | cut -d'=' -f2) if [ -n "${JarVersionString}" ]; then addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}" - elif [ "${JarName}" != "temurin-gen-sbom" ]; then + elif [ "${JarName}" != "temurin-gen-sbom" ] && [ "${JarName}" != "temurin-gen-cdxa" ]; then echo "ERROR: Cannot determine jar version from ${JarDepsFile} for SBOM creation dependency ${JarName}.jar." fi done From fcdf28f5caef74197fd36c32e229db4ead401e86 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 4 Dec 2024 16:27:36 +0000 Subject: [PATCH 3/9] Some fixes for TemurinGenSBOM and latest CDXA update 
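Review bot: `List components = tools.getComponents();` and `new LinkedList();` in `addMetadataTools` use raw types, so the compiler cannot check that only `Component` objects enter the tool list; assuming `ToolInformation.getComponents()` is declared as `List<Component>`, `List<Component> components = tools.getComponents();` and `new LinkedList<>()` match it and remove the unchecked-call warning. The comment `// Create new components array, add existing to it` describes the opposite of what the code does — it reuses the list returned by `getComponents()` and only allocates when that is null; `// Reuse the tool component list, creating one if absent` is accurate. The migrated tool entry carries only a name and a version, which is what the old `Tool` carried too, so no information is lost by switching to `Component.Type.APPLICATION`.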
Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index d145a3a8a..c15b6b929 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -793,16 +793,20 @@ + + + From 97f59a8326439de0924a15030abd0b1a0b89e96c Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 4 Dec 2024 16:39:20 +0000 Subject: [PATCH 4/9] Some fixes for TemurinGenSBOM and latest CDXA update Signed-off-by: Andrew Leonard --- sbin/build.sh | 102 +++++++++++++++++++++++++------------------------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/sbin/build.sh b/sbin/build.sh index 9120e2121..71f6dc4c0 100755 --- a/sbin/build.sh +++ b/sbin/build.sh 
@@ -965,46 +965,46 @@ generateSBoM() { local sbomTargetName=$(getTargetFileNameForComponent "sbom") # Remove the tarball / zip extension from the name to be used for the SBOM if [[ "$OSTYPE" == "cygwin" ]] || [[ "$OSTYPE" == "msys" ]]; then - sbomTargetName=$(echo "${sbomTargetName}.xml" | sed "s/\.zip//") + sbomTargetName=$(echo "${sbomTargetName}.json" | sed "s/\.zip//") else - sbomTargetName=$(echo "${sbomTargetName}.xml" | sed "s/\.tar\.gz//") + sbomTargetName=$(echo "${sbomTargetName}.json" | sed "s/\.tar\.gz//") fi - local sbomXml="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} ${sbomTargetName})" - echo "OpenJDK SBOM will be ${sbomXml}." + local sbomJson="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} ${sbomTargetName})" + echo "OpenJDK SBOM will be ${sbomJson}." - # Clean any old xml - rm -f "${sbomXml}" + # Clean any old json + rm -f "${sbomJson}" local fullVer=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersion.txt") local fullVerOutput=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersionOutput.txt") - # Create initial SBOM xml - createSBOMFile "${javaHome}" "${classpath}" "${sbomXml}" + # Create initial SBOMjson + createSBOMFile "${javaHome}" "${classpath}" "${sbomJson}" # Set default SBOM metadata - addSBOMMetadata "${javaHome}" "${classpath}" "${sbomXml}" + addSBOMMetadata "${javaHome}" "${classpath}" "${sbomJson}" # Create component to metadata in SBOM - addSBOMMetadataComponent "${javaHome}" "${classpath}" "${sbomXml}" "Eclipse Temurin" "framework" "${fullVer}" "Eclipse Temurin components" + addSBOMMetadataComponent "${javaHome}" "${classpath}" "${sbomJson}" "Eclipse Temurin" "framework" "${fullVer}" "Eclipse Temurin components" # Below add property to metadata # Add OS full version (Kernel is covered in the first field) - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "OS version" 
"${BUILD_CONFIG[OS_FULL_VERSION]^}" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS version" "${BUILD_CONFIG[OS_FULL_VERSION]^}" # TODO: Replace this "if" with its predecessor (commented out below) once # OS_ARCHITECTURE has been replaced by the new target architecture variable. # This is because OS_ARCHITECTURE is currently the build arch, not the target arch, # and that confuses things when cross-compiling an x64 mac build on arm mac. - # addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" + # addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" if [[ "${BUILD_CONFIG[TARGET_FILE_NAME]}" =~ .*_x64_.* ]]; then - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "OS architecture" "x86_64" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "x86_64" else - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" fi # Set default SBOM formulation - addSBOMFormulation "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" - addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" "CycloneDX jar SHAs" - addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" "CycloneDX jar versions" + addSBOMFormulation "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" + addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" + addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" # Below add build tools into metadata tools if [ "${BUILD_CONFIG[OS_KERNEL_NAME]}" == "linux" ]; then 
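Review bot: The new comment `# Create initial SBOMjson` has lost the space that the other renamed comments kept (`# Clean any old json`); `# Create initial SBOM json` matches them. This hunk essentially reverses the `.xml`/`sbomXml` change made in patch 1/9 of this same series, so the series introduces and then removes an intermediate state in which the SBOM is written under a `.xml` name; squashing the two (or dropping both from the series) would leave `git bisect` and reviewers with no such state to land on. `generateSBoM` continues past the end of the hunk.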
@@ -1031,7 +1031,7 @@ generateSBoM() {
 # Add FreeMarker 3rd party (openj9)
 local freemarker_version="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} 'metadata/dependency_version_freemarker.txt')"
 if [ -f "${freemarker_version}" ]; then
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "FreeMarker" "$(cat ${freemarker_version})"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "FreeMarker" "$(cat ${freemarker_version})"
 fi
 # Add CycloneDX versions
 addCycloneDXVersions
@@ -1040,10 +1040,10 @@ generateSBoM() {
 local buildimagesha=$(cat ${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/docker.txt)
 # ${BUILD_CONFIG[CONTAINER_COMMAND]^} always set to false cannot rely on it.
 if [ -n "${buildimagesha}" ] && [ "${buildimagesha}" != "N.A" ]; then
- addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "Use Docker for build" "true"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "Docker image SHA1" "${buildimagesha}"
+ addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "Use Docker for build" "true"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "Docker image SHA1" "${buildimagesha}"
 else
- addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXml}" "Use Docker for build" "false"
+ addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "Use Docker for build" "false"
 fi
 checkingToolSummary
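Review bot: The renamed FreeMarker line keeps `"$(cat ${freemarker_version})"` with the path unquoted inside the command substitution, so a workspace path with whitespace or glob characters is word-split before cat runs and the version read into the SBOM is wrong or empty; `"$(cat "${freemarker_version}")"` reads the file as one argument. The value of `freemarker_version` is built from `BUILD_CONFIG[WORKSPACE_DIR]` two lines above, so this is not a purely theoretical input. generateSBoM starts and ends outside this hunk.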
@@ -1080,41 +1080,41 @@ generateSBoM() { local sha=$(sha256File "${archiveFile}") # Create JDK Component - addSBOMComponent "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "${fullVer}" "${BUILD_CONFIG[BUILD_VARIANT]^} ${component} Component" + addSBOMComponent "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "${fullVer}" "${BUILD_CONFIG[BUILD_VARIANT]^} ${component} Component" # Add SHA256 hash for the component - addSBOMComponentHash "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "${sha}" + addSBOMComponentHash "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "${sha}" # Below add different properties to JDK component # Add target archive name as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Filename" "${archiveName}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Filename" "${archiveName}" # Add variant as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "JDK Variant" "${BUILD_CONFIG[BUILD_VARIANT]^}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "JDK Variant" "${BUILD_CONFIG[BUILD_VARIANT]^}" # Add scmRef as JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "SCM Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/scmref.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "SCM Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/scmref.txt" # Add OpenJDK source ref commit as JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "OpenJDK Source Commit" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/openjdkSource.txt" + addSBOMComponentPropertyFromFile 
"${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "OpenJDK Source Commit" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/openjdkSource.txt" # Add buildRef as JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Temurin Build Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Temurin Build Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt" # Add jenkins job ID as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Builder Job Reference" "${BUILD_URL:-N.A}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Builder Job Reference" "${BUILD_URL:-N.A}" # Add jenkins builder (agent/machine name) as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Builder Name" "${NODE_NAME:-N.A}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Builder Name" "${NODE_NAME:-N.A}" # Add build timestamp - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Build Timestamp" "${BUILD_CONFIG[BUILD_TIMESTAMP]}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Timestamp" "${BUILD_CONFIG[BUILD_TIMESTAMP]}" # Add Tool Summary section from configure.txt - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Build Tools Summary" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_tool_sum.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Tools Summary" 
"${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_tool_sum.txt" # Add builtConfig JDK Component Property, load as Json string built_config=$(createConfigToJsonString) - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "Build Config" "${built_config}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Config" "${built_config}" # Add full_version_output JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "full_version_output" "${fullVerOutput}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "full_version_output" "${fullVerOutput}" # Add makejdk_any_platform_args JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "makejdk_any_platform_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "makejdk_any_platform_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args" # Add make_command_args JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXml}" "${componentName}" "make_command_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/makeCommandArg.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "make_command_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/makeCommandArg.txt" done 
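Review bot: Every renamed call in this loop repeats the same four-argument prefix `"${javaHome}" "${classpath}" "${sbomJson}" "${componentName}"` before the property name, which is exactly the kind of repetition where an argument-order slip goes unnoticed; a local wrapper such as `sbomProp() { addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "$@"; }` (and a `sbomPropFromFile` twin) would reduce each line to the property name and value. This is a style point only; the renamed lines behave as before. The enclosing `for` loop starts outside the hunk and only its `done` is visible here.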
@@ -1159,11 +1159,11 @@ generateSBoM() {
 devkit_path=$(echo ${devkit_path} | sed 's,\./,,' | sed 's,//,/,')
 bootjdk_path=$(echo ${bootjdk_path} | sed 's,\./,,' | sed 's,//,/,')
- bash "$SCRIPT_DIR/../tooling/strace_analysis.sh" "${straceOutputDir}" "${temurinBuildDir}" "${bootjdk_path}" "${classpath}" "${sbomXml}" "${buildOutputDir}" "${openjdkSrcDir}" "${javaHome}" "${toolchain_path}"
+ bash "$SCRIPT_DIR/../tooling/strace_analysis.sh" "${straceOutputDir}" "${temurinBuildDir}" "${bootjdk_path}" "${classpath}" "${sbomJson}" "${buildOutputDir}" "${openjdkSrcDir}" "${javaHome}" "${toolchain_path}"
 fi
 # Print SBOM location
- echo "CycloneDX SBOM has been created in ${sbomXml}"
+ echo "CycloneDX SBOM has been created in ${sbomJson}"
 }
 # Generate build tools info into dependency file
@@ -1234,7 +1234,7 @@ addFreeTypeVersionInfo() {
 version="${ver_major}.${ver_minor}.${ver_patch}"
 fi
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "FreeType" "${version}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "FreeType" "${version}"
 }
 # Determine and store CycloneDX SHAs that have been used to provide the SBOMs
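Review bot: The renamed `addSBOMMetadataTools` call in addFreeTypeVersionInfo reads `${sbomJson}` as a free variable, while `sbomJson` is declared `local` inside generateSBoM in the first hunk of this series; the helper therefore only sees the path through bash's dynamic scoping when it happens to be invoked from generateSBoM, and from any other caller the SBOM path is empty (or an unbound-variable error if `set -u` is in effect). The same implicit dependency is carried by the renamed calls in addCycloneDXVersions and addALSAVersion (next hunk), addGLIBCforLinux and addGCC, addCompilerWindows and addCompilerMacOS, and addBootJDK. Making it explicit, either by passing the path (`addFreeTypeVersionInfo "${sbomJson}"` with `local sbomJson=$1`) or with a guard at the top of each helper, `: "${sbomJson:?must be set by generateSBoM}"`, turns a silent empty path into a clear failure. Both functions in this hunk start outside it, and I cannot see from here whether any helper is called elsewhere.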
@@ -1250,12 +1250,12 @@ addCycloneDXVersions() {
 else
 JarSha=$(sha256sum "$JAR" | cut -d' ' -f1)
 fi
- addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}"
+ addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}"
 # Now the jar's SHA has been added, we add the version string.
 JarDepsFile="$(joinPath ${CYCLONEDB_DIR} dependency_data/dependency_data.properties)"
 JarVersionString=$(grep "${JarName}\.version=" "${JarDepsFile}" | cut -d'=' -f2)
 if [ -n "${JarVersionString}" ]; then
- addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomXml}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}"
+ addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}"
 elif [ "${JarName}" != "temurin-gen-sbom" ] && [ "${JarName}" != "temurin-gen-cdxa" ]; then
 echo "ERROR: Cannot determine jar version from ${JarDepsFile} for SBOM creation dependency ${JarName}.jar."
 fi
@@ -1296,7 +1296,7 @@ addALSAVersion() {
 fi
 echo "Adding ALSA version to SBOM: ${ALSA_VERSION}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "ALSA" "${ALSA_VERSION}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "ALSA" "${ALSA_VERSION}"
 fi
 }
@@ -1355,7 +1355,7 @@ addGLIBCforLinux() {
 # Get musl build ldd version
 local MUSL_VERSION="$(ldd --version 2>&1 | grep "Version" | tr -s " " | cut -d" " -f2)"
 echo "Adding MUSL version to SBOM: ${MUSL_VERSION}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MUSL" "${MUSL_VERSION}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MUSL" "${MUSL_VERSION}"
 else
 # Get GLIBC from configured build spec.gmk sysroot and features.h definitions
 local GLIBC_MAJOR=$(getHeaderPropertyUsingCompiler "features.h" "#define[ ]+__GLIBC__")
@@ -1363,7 +1363,7 @@ addGLIBCforLinux() {
 local GLIBC_VERSION="${GLIBC_MAJOR}.${GLIBC_MINOR}"
 echo "Adding GLIBC version to SBOM: ${GLIBC_VERSION}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "GLIBC" "${GLIBC_VERSION}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "GLIBC" "${GLIBC_VERSION}"
 fi
 }
@@ -1373,7 +1373,7 @@ addGCC() {
 local gcc_version="$(sed -n '/^Tools summary:$/,$p' "${inputConfigFile}" | tr -s " " | grep "C Compiler: Version" | cut -d" " -f5)"
 echo "Adding GCC version to SBOM: ${gcc_version}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "GCC" "${gcc_version}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "GCC" "${gcc_version}"
 }
 addCompilerWindows() {
@@ -1393,13 +1393,13 @@ addCompilerWindows() {
 local msvs_cpp_version="$(grep -o -P '\* C\+\+ Compiler:\s+\K[^"]+' "${inputConfigFile}" | awk '{print $2}')"
 echo "Adding Windows Compiler versions to SBOM: ${msvs_version}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MSVS Windows Compiler Version" "${msvs_version}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS Windows Compiler Version" "${msvs_version}"
 echo "Adding Windows C Compiler version to SBOM: ${msvs_c_version}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MSVS C Compiler Version" "${msvs_c_version}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS C Compiler Version" "${msvs_c_version}"
 echo "Adding Windows C++ Compiler version to SBOM: ${msvs_cpp_version}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MSVS C++ Compiler Version" "${msvs_cpp_version}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS C++ Compiler Version" "${msvs_cpp_version}"
 echo "Adding Windows SDK version to SBOM: ${ucrt_version}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MS Windows SDK Version" "${ucrt_version}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MS Windows SDK Version" "${ucrt_version}"
 }
 addCompilerMacOS() {
@@ -1409,7 +1409,7 @@ addCompilerMacOS() {
 local macx_version="$(grep ".* Toolchain:" "${inputConfigFile}" | awk -F ':' '{print $2}' | sed -e 's/^[ \t]*//')"
 echo "Adding MacOS compiler version to SBOM: ${macx_version}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "MacOS Compiler" "${macx_version}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MacOS Compiler" "${macx_version}"
 }
 addBootJDK() {
@@ -1424,7 +1424,7 @@ addBootJDK() {
 local bootjdk="$("${bootjava}" -XshowSettings 2>&1 | grep "java\.runtime\.version" | tr -s " " | cut -d" " -f4 | sed "s/\"//g")"
 echo "Adding BOOTJDK to SBOM: ${bootjdk}"
- addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXml}" "BOOTJDK" "${bootjdk}"
+ addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "BOOTJDK" "${bootjdk}"
 }
 getGradleJavaHome() {
From 6d4adcef8a048d5d7172347ca663046d5f72fd90 Mon Sep 17 00:00:00 2001
From: Andrew Leonard
Date: Wed, 4 Dec 2024 16:41:00 +0000
Subject: [PATCH 5/9] Some fixes for TemurinGenSBOM and latest CDXA update
Signed-off-by: Andrew Leonard
---
 sbin/build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sbin/build.sh b/sbin/build.sh
index 71f6dc4c0..643111371 100755
--- a/sbin/build.sh
+++ b/sbin/build.sh
@@ -979,7 +979,7 @@ generateSBoM() {
 local fullVer=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersion.txt")
 local fullVerOutput=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersionOutput.txt")
- # Create initial SBOMjson
+ # Create initial SBOM json
 createSBOMFile "${javaHome}" "${classpath}" "${sbomJson}"
 # Set default SBOM metadata
 addSBOMMetadata "${javaHome}" "${classpath}" "${sbomJson}"
From 863c453479a4be10fb07549e32ad60c6d3140632 Mon Sep 17 00:00:00 2001
From: Andrew Leonard
Date: Wed, 4 Dec 2024 16:41:43 +0000
Subject: [PATCH 6/9] Some fixes for TemurinGenSBOM and latest CDXA update
Signed-off-by: Andrew Leonard
---
 cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
index 496c1268d..60515b7be 100644
--- a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
+++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
@@ -193,7 +193,6 @@ public static void main(final String[] args) { System.out.print(args[i] + " "); } System.out.println("\nException: "+e); -e.printStackTrace(); System.exit(1); } } From 3fba15e7cbe556d1552b50e1da81216b161866ae Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 5 Dec 2024 09:07:54 +0000 Subject: [PATCH 7/9] Some fixes for TemurinGenSBOM and latest CDXA update Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 1 - cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java | 4 ++-- cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java | 7 +++---- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index c15b6b929..1fbeb5ba4 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -251,7 +251,6 @@ - diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java index 7cf3d17a9..95a915235 100644 --- a/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java +++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java @@ -121,12 +121,12 @@ public static void main(final String[] args) { System.out.println("\nPlease enter a valid command."); System.exit(1); } - } catch(Exception e) { + } catch (Exception e) { // Echo input command: for (int i = 0; i < args.length; i++) { System.out.print(args[i] + " "); } - System.out.println("\nException: "+e); + System.out.println("\nException: " + e); System.exit(1); } } diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java index 60515b7be..d22ae7ba0 100644 --- a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java +++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java 
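Review bot: Removing `e.printStackTrace();` leaves `System.out.println("\nException: " + e)` as the only diagnostic before `System.exit(1)`, so an SBOM generation failure now reports just the exception's class and message; for wrapped parser or I/O exceptions the root cause lives in `getCause()` and the location in the stack frames, both of which are now lost from the build log. If the goal was to keep stdout clean, `e.printStackTrace(System.err);` preserves the detail on the error stream, or at minimum print the cause chain alongside the message. main begins outside this hunk, and whether a caller captures stderr separately is not visible from here.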
@@ -27,7 +27,6 @@ import org.cyclonedx.model.OrganizationalContact; import org.cyclonedx.model.OrganizationalEntity; import org.cyclonedx.model.Property; -import org.cyclonedx.model.Tool; import org.cyclonedx.parsers.JsonParser; import org.cyclonedx.parsers.XmlParser; import org.cyclonedx.Version; @@ -187,12 +186,12 @@ public static void main(final String[] args) { System.out.println("\nPlease enter a valid command."); System.exit(1); } - } catch(Exception e) { + } catch (Exception e) { // Echo input command: for (int i = 0; i < args.length; i++) { System.out.print(args[i] + " "); } - System.out.println("\nException: "+e); + System.out.println("\nException: " + e); System.exit(1); } } @@ -208,7 +207,7 @@ static Bom createBom() { } // Create Metadata if it doesn't exist - static Metadata getBomMetadata(Bom bom) { + static Metadata getBomMetadata(final Bom bom) { Metadata metadata = bom.getMetadata(); if (metadata == null) { metadata = new Metadata(); From 1dbc0121698303eaf77ab9d67d3f6815044f63b6 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 5 Dec 2024 09:43:51 +0000 Subject: [PATCH 8/9] Some fixes for TemurinGenSBOM and latest CDXA update Signed-off-by: Andrew Leonard --- tooling/validateSBOMcontent.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tooling/validateSBOMcontent.sh b/tooling/validateSBOMcontent.sh index 56e98c6f6..4aff3daa8 100755 --- a/tooling/validateSBOMcontent.sh +++ b/tooling/validateSBOMcontent.sh 
@@ -22,11 +22,11 @@ SBOMFILE="$1" MAJORVERSION="$2" #FULLVERSION="$3" -GLIBC=$(jq '.metadata.tools[] | select(.name|test("GLIBC")) | .version' "$1" | tr -d \") -GCC=$(jq '.metadata.tools[] | select(.name|test("GCC")) | .version' "$1" | tr -d \") -BOOTJDK=$(jq '.metadata.tools[] | select(.name|test("BOOTJDK")) | .version' "$1" | tr -d \") -ALSA=$(jq '.metadata.tools[] | select(.name|test("ALSA")) | .version' "$1" | tr -d \" | sed -e 's/^.*alsa-lib-//' -e 's/\.tar.bz2//') -FREETYPE=$(jq '.metadata.tools[] | select(.name|test("FreeType")) | .version' "$1" | tr -d \") +GLIBC=$(jq '.metadata.tools.components[] | select(.name|test("GLIBC")) | .version' "$1" | tr -d \") +GCC=$(jq '.metadata.tools.components[] | select(.name|test("GCC")) | .version' "$1" | tr -d \") +BOOTJDK=$(jq '.metadata.tools.components[] | select(.name|test("BOOTJDK")) | .version' "$1" | tr -d \") +ALSA=$(jq '.metadata.tools.components[] | select(.name|test("ALSA")) | .version' "$1" | tr -d \" | sed -e 's/^.*alsa-lib-//' -e 's/\.tar.bz2//') +FREETYPE=$(jq '.metadata.tools.components[] | select(.name|test("FreeType")) | .version' "$1" | tr -d \") COMPILER=$(jq '.components[0].properties[] | select(.name|test("Build Tools Summary")).value' "$SBOMFILE" | sed -e 's/^.*Toolchain: //g' -e 's/\ *\*.*//g') EXPECTED_COMPILER="gcc (GNU Compiler Collection)" From 5f617f828647f85b2166ef42d4f6c85563dbea9b Mon Sep 17 00:00:00 2001 From: Andrew Leonard <31470007+andrew-m-leonard@users.noreply.github.com> Date: Thu, 5 Dec 2024 12:08:48 +0000 Subject: [PATCH 9/9] Update sbin/build.sh Co-authored-by: Stewart X Addison <6487691+sxa@users.noreply.github.com> --- sbin/build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sbin/build.sh b/sbin/build.sh index 643111371..286912749 100755 --- a/sbin/build.sh +++ b/sbin/build.sh 
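Review bot: The five rewritten jq lines still pass `"$1"` as the SBOM path even though `SBOMFILE="$1"` is assigned at the top of the hunk and the unchanged `COMPILER=` line already uses `"$SBOMFILE"`; since these lines are being rewritten anyway, switching them to the variable keeps a single source of truth, e.g. `GLIBC=$(jq '.metadata.tools.components[] | select(.name|test("GLIBC")) | .version' "$SBOMFILE" | tr -d \")`. Separately, `.metadata.tools.components[]` makes jq report an error (and the variable come back empty) on any SBOM where `metadata.tools` is still an array, so if this validator is ever run against SBOMs produced before this series, every tool lookup silently yields an empty version rather than a clear format mismatch; an up-front check of the `metadata.tools` type with a descriptive message would make that failure mode obvious. I cannot see from here whether older SBOMs are still validated by this script.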
@@ -979,7 +979,7 @@ generateSBoM() {
 local fullVer=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersion.txt")
 local fullVerOutput=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersionOutput.txt")
- # Create initial SBOM json
+ # Create initial SBOM json
 createSBOMFile "${javaHome}" "${classpath}" "${sbomJson}"
 # Set default SBOM metadata
 addSBOMMetadata "${javaHome}" "${classpath}" "${sbomJson}"