Skip to content

Commit

Permalink
fix: make the spdx output more complete
Browse files Browse the repository at this point in the history
sha1 checksums are commonly checked by existing scanners/tools.
Some of the fields are not set, so set them.

Signed-off-by: Ramkumar Chinchani <[email protected]>
  • Loading branch information
rchincha committed Jan 17, 2024
1 parent aff21a6 commit 783f126
Show file tree
Hide file tree
Showing 4 changed files with 129 additions and 41 deletions.
51 changes: 38 additions & 13 deletions pkg/distro/apk/apk.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"archive/tar"
"bufio"
"compress/gzip"
"crypto/sha1" //nolint:gosec // used only to produce the sha1 checksum field
"crypto/sha256"
"encoding/base64"
"encoding/hex"
Expand Down Expand Up @@ -93,6 +94,7 @@ func ParsePackage(input, output, author, organization, license string) error {
}{
Person: apk.PkgInfo.PkgMaintainer,
},
FilesAnalyzed: true,
LicenseDeclared: pkglicense,
}

Expand Down Expand Up @@ -151,18 +153,23 @@ func ParsePackage(input, output, author, organization, license string) error {
}
}

cksum := sha256.Sum256(buf)
cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field
cksumSHA256 := sha256.Sum256(buf)

log.Info().Str("name", hdr.Name).
Int("size", bufsz).
Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksum[:]))).
Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))).
Msg("file entry detected")

sfile := &spdx.File{
Entity: spdx.Entity{
Name: fmt.Sprintf("/%s", hdr.Name),
Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum[:])},
Name: fmt.Sprintf("/%s", hdr.Name),
Checksum: map[string]string{
"SHA1": hex.EncodeToString(cksumSHA1[:]),
"SHA256": hex.EncodeToString(cksumSHA256[:]),
},
},
LicenseInfoInFile: license,
}
if err := spkg.AddFile(sfile); err != nil {
log.Error().Err(err).Msg("unable to add file to package")
Expand Down Expand Up @@ -192,11 +199,12 @@ func InstalledPackage(doc *spdx.Document, pkg *IndexEntry, files []string) error
}{
Person: pkg.PackageMaintainer,
},
FilesAnalyzed: true,
LicenseDeclared: pkg.PackageLicense,
}

for _, file := range files {
sinfo, err := os.Stat(file)
info, err := os.Stat(file)
if err != nil {
if errors.Is(err, os.ErrNotExist) {
continue
Expand All @@ -205,8 +213,8 @@ func InstalledPackage(doc *spdx.Document, pkg *IndexEntry, files []string) error
return err
}

if !sinfo.Mode().IsRegular() {
log.Warn().Str("file", file).Interface("mode", sinfo.Mode()).Msg("skipping entry since not a regular file")
if !info.Mode().IsRegular() {
log.Warn().Str("file", file).Interface("mode", info.Mode()).Msg("skipping entry since not a regular file")

continue
}
Expand All @@ -217,18 +225,35 @@ func InstalledPackage(doc *spdx.Document, pkg *IndexEntry, files []string) error
}
defer fhandle.Close()

shaWriter := sha256.New()
if _, err := io.Copy(shaWriter, fhandle); err != nil {
return err
buf := make([]byte, info.Size())

var bufsz int

if bufsz, err = fhandle.Read(buf); err != nil {
if !errors.Is(err, io.EOF) {
log.Error().Err(err).Str("name", info.Name()).Msg("unable to read content")

return err
}
}

cksum := shaWriter.Sum(nil)
cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field
cksumSHA256 := sha256.Sum256(buf)

log.Info().Str("name", info.Name()).
Int("size", bufsz).
Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))).
Msg("file entry detected")

sfile := spdx.NewFile()
sfile.LicenseInfoInFile = "unknown"
sfile.SetEntity(
&spdx.Entity{
Name: file,
Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum)},
Name: file,
Checksum: map[string]string{
"SHA1": hex.EncodeToString(cksumSHA1[:]),
"SHA256": hex.EncodeToString(cksumSHA256[:]),
},
},
)

Expand Down
45 changes: 35 additions & 10 deletions pkg/distro/deb/deb.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package deb
import (
"archive/tar"
"bufio"
"crypto/sha1" //nolint:gosec // used only to produce the sha1 checksum field
"encoding/hex"
"errors"
"fmt"
Expand Down Expand Up @@ -48,6 +49,7 @@ func ParsePackage(input, output, author, organization, license string) error {
}{
Person: debfile.Control.Maintainer,
},
FilesAnalyzed: true,
LicenseDeclared: license,
}

Expand Down Expand Up @@ -87,18 +89,23 @@ func ParsePackage(input, output, author, organization, license string) error {
}
}

cksum := sha256.Sum256(buf)
cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field
cksumSHA256 := sha256.Sum256(buf)

log.Info().Str("name", hdr.Name).
Int("size", bufsz).
Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksum[:]))).
Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))).
Msg("file entry detected")

sfile := &spdx.File{
Entity: spdx.Entity{
Name: hdr.Name[1:],
Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum[:])},
Name: hdr.Name[1:],
Checksum: map[string]string{
"SHA1": hex.EncodeToString(cksumSHA1[:]),
"SHA256": hex.EncodeToString(cksumSHA256[:]),
},
},
LicenseInfoInFile: license,
}
if err := spkg.AddFile(sfile); err != nil {
log.Error().Err(err).Msg("unable to add file to package")
Expand Down Expand Up @@ -277,6 +284,7 @@ func InstalledPackage(doc *spdx.Document, pkg Package, path string) error {
}{
Person: pkg.Maintainer,
},
FilesAnalyzed: true,
LicenseDeclared: "unknown",
}

Expand Down Expand Up @@ -309,18 +317,35 @@ func InstalledPackage(doc *spdx.Document, pkg Package, path string) error {
}
defer fhandle.Close()

shaWriter := sha256.New()
if _, err := io.Copy(shaWriter, fhandle); err != nil {
return err
buf := make([]byte, info.Size())

var bufsz int

if bufsz, err = fhandle.Read(buf); err != nil {
if !errors.Is(err, io.EOF) {
log.Error().Err(err).Str("name", info.Name()).Msg("unable to read content")

return err
}
}

cksum := shaWriter.Sum(nil)
cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field
cksumSHA256 := sha256.Sum256(buf)

log.Info().Str("name", info.Name()).
Int("size", bufsz).
Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))).
Msg("file entry detected")

sfile := spdx.NewFile()
sfile.LicenseInfoInFile = "unknown"
sfile.SetEntity(
&spdx.Entity{
Name: line,
Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum)},
Name: line,
Checksum: map[string]string{
"SHA1": hex.EncodeToString(cksumSHA1[:]),
"SHA256": hex.EncodeToString(cksumSHA256[:]),
},
},
)

Expand Down
62 changes: 50 additions & 12 deletions pkg/distro/rpm/rpm.go
Original file line number Diff line number Diff line change
@@ -1,8 +1,10 @@
package rpm

import (
"crypto/sha1" //nolint:gosec // used only to produce the sha1 checksum field
"crypto/sha256"
"encoding/hex"
"errors"
"fmt"
"io"
"os"
Expand Down Expand Up @@ -87,6 +89,7 @@ func ParsePackage(input, output, author, organization, license string) error {
}{
Organization: vendor[0],
},
FilesAnalyzed: true,
LicenseDeclared: pkglicense,
}

Expand Down Expand Up @@ -119,18 +122,35 @@ func ParsePackage(input, output, author, organization, license string) error {
}
defer fhandle.Close()

shaWriter := sha256.New()
if _, err := io.Copy(shaWriter, fhandle); err != nil {
return err
buf := make([]byte, info.Size())

var bufsz int

if bufsz, err = fhandle.Read(buf); err != nil {
if !errors.Is(err, io.EOF) {
log.Error().Err(err).Str("name", finfo.Name()).Msg("unable to read content")

return err
}
}

cksum := shaWriter.Sum(nil)
cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field
cksumSHA256 := sha256.Sum256(buf)

log.Info().Str("name", info.Name()).
Int("size", bufsz).
Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))).
Msg("file entry detected")

sfile := spdx.NewFile()
sfile.LicenseInfoInFile = pkglicense
sfile.SetEntity(
&spdx.Entity{
Name: finfo.Name(),
Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum)},
Name: finfo.Name(),
Checksum: map[string]string{
"SHA1": hex.EncodeToString(cksumSHA1[:]),
"SHA256": hex.EncodeToString(cksumSHA256[:]),
},
},
)

Expand Down Expand Up @@ -162,6 +182,7 @@ func InstalledPackage(doc *spdx.Document, pkg *rpmdb.PackageInfo) error {
}{
Person: pkg.Vendor,
},
FilesAnalyzed: true,
LicenseDeclared: pkg.License,
}

Expand Down Expand Up @@ -190,18 +211,35 @@ func InstalledPackage(doc *spdx.Document, pkg *rpmdb.PackageInfo) error {
}
defer fhandle.Close()

shaWriter := sha256.New()
if _, err := io.Copy(shaWriter, fhandle); err != nil {
return err
buf := make([]byte, info.Size())

var bufsz int

if bufsz, err = fhandle.Read(buf); err != nil {
if !errors.Is(err, io.EOF) {
log.Error().Err(err).Str("name", info.Name()).Msg("unable to read content")

return err
}
}

cksum := shaWriter.Sum(nil)
cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field
cksumSHA256 := sha256.Sum256(buf)

log.Info().Str("name", info.Name()).
Int("size", bufsz).
Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))).
Msg("file entry detected")

sfile := spdx.NewFile()
sfile.LicenseInfoInFile = "unknown"
sfile.SetEntity(
&spdx.Entity{
Name: ifile.Path,
Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum)},
Name: ifile.Path,
Checksum: map[string]string{
"SHA1": hex.EncodeToString(cksumSHA1[:]),
"SHA256": hex.EncodeToString(cksumSHA256[:]),
},
},
)

Expand Down
12 changes: 6 additions & 6 deletions test/bom.bats
Original file line number Diff line number Diff line change
Expand Up @@ -12,20 +12,20 @@ function teardown() {

@test "bom workflow" {
# inventory
docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i ubuntu:latest /opt/bin/stacker-bom-linux-amd64 inventory -x /proc,/sys,/dev,/tmp,/opt,/var/lib/dpkg/info,/var/log,/var/cache,/var/lib/systemd,/var/lib/dpkg,/var/lib/apt,/var/lib/pam,/var/lib/shells.state,/.dockerenv,/usr/share/info,/usr/sbin/policy-rc.d,/etc,/run,/root,/usr/bin/man,/usr/local/sbin/unminimize,/usr/sbin/initctl,/stacker-artifacts -o /stacker-artifacts/inventory.json
docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i ubuntu:jammy /opt/bin/stacker-bom-linux-amd64 inventory -x /proc,/sys,/dev,/tmp,/opt,/var/lib/dpkg/info,/var/log,/var/cache,/var/lib/systemd,/var/lib/dpkg,/var/lib/apt,/var/lib/pam,/var/lib/shells.state,/.dockerenv,/usr/share/info,/usr/sbin/policy-rc.d,/etc,/run,/root,/usr/bin/man,/usr/local/sbin/unminimize,/usr/sbin/initctl,/stacker-artifacts -o /stacker-artifacts/inventory.json
[ -f ${BOMD}/inventory.json ]
# discover installed packages
docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i ubuntu:latest /opt/bin/stacker-bom-linux-amd64 discover -o /stacker-artifacts/discover.json
docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i ubuntu:jammy /opt/bin/stacker-bom-linux-amd64 discover -o /stacker-artifacts/discover.json
[ -f ${BOMD}/discover.json ]
# verify against inventory
${TOPDIR}/bin/stacker-bom-linux-amd64 verify -i ${BOMD}/discover.json -t ${BOMD}/inventory.json -m ${BOMD}/missing.json
[ ! -f ${BOMD}/missing.json ]
# push the image
skopeo copy --format=oci --dest-tls-verify=false docker://ubuntu:latest docker://${ZOT_HOST}:${ZOT_PORT}/ubuntu:latest
skopeo copy --format=oci --dest-tls-verify=false docker://ubuntu:jammy docker://${ZOT_HOST}:${ZOT_PORT}/ubuntu:jammy
# validate the sbom
bom document outline ${BOMD}/discover.json
# attach bom artifacts as references
regctl artifact put --artifact-type application/vnd.stacker-bom.inventory -f ${BOMD}/inventory.json --subject ${ZOT_HOST}:${ZOT_PORT}/ubuntu:latest
regctl artifact put --artifact-type application/org.spdx+json -f ${BOMD}/discover.json --subject ${ZOT_HOST}:${ZOT_PORT}/ubuntu:latest
regctl artifact tree ${ZOT_HOST}:${ZOT_PORT}/ubuntu:latest
regctl artifact put --artifact-type application/vnd.stacker-bom.inventory -f ${BOMD}/inventory.json --subject ${ZOT_HOST}:${ZOT_PORT}/ubuntu:jammy
regctl artifact put --artifact-type application/org.spdx+json -f ${BOMD}/discover.json --subject ${ZOT_HOST}:${ZOT_PORT}/ubuntu:jammy
regctl artifact tree ${ZOT_HOST}:${ZOT_PORT}/ubuntu:jammy
}

0 comments on commit 783f126

Please sign in to comment.