[PATCH 2/2] merge_wic_sbom: fix name of initrd sbom file when merging


Felix Moessbauer

12:53 PM (5 hours ago)
to isar-...@googlegroups.com, Felix Moessbauer
In merge_wic_sbom the rootfs, initrd and imager SBOM are merged. However,
the initrd one was never included, as it was accessed by an incorrect
name.

As there is no common ancestor of the initramfs and image recipe, the name
of the initrd that is generated is only coincidentally coupled with the one
that is imaged. By that, we need to derive the INITRAMFS_FULLNAME variable
(set in initramfs.bbclass) from the INITRD_DEPLOY_FILE variable which
points to the initrd that is imaged.

Fixes: 174dd3e4 ("wic: create uniform SBOM describing all image ...")
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes-recipe/imagetypes_wic.bbclass | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass
index 5adea149..231fecde 100644
--- a/meta/classes-recipe/imagetypes_wic.bbclass
+++ b/meta/classes-recipe/imagetypes_wic.bbclass
@@ -212,10 +212,15 @@ EOIMAGER
merge_wic_sbom() {
BOMTYPE="$1"
TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+ # As there is no common ancestor of the initramfs and image recipe, the name of the
+ # initrd that is generated is only coincidally coupled with the one that is imaged.
+ # By that, we need to derive the INITRAMFS_FULLNAME variable (set in initramfs.bbclass)
+ # from the INITRD_DEPLOY_FILE variable which points to the initrd that is imaged.
+ INITRAMFS_FULLNAME="${@ d.getVar('INITRD_DEPLOY_FILE').removesuffix('-initrd.img') }"
sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"

cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.$BOMTYPE.json \
- ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.$BOMTYPE.json \
+ ${DEPLOY_DIR_IMAGE}/$INITRAMFS_FULLNAME.$BOMTYPE.json \
${WORKDIR}/imager.$BOMTYPE.json 2>/dev/null | \
bwrap \
--unshare-user \
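
Review bot: the `2>/dev/null` on the `cat` in the context lines still hides a missing input file, and the new `removesuffix('-initrd.img')` returns the string unchanged when INITRD_DEPLOY_FILE does not end in that suffix, so a mismatch would again drop the initrd SBOM from the merged document without any error. Suggest testing that `${DEPLOY_DIR_IMAGE}/$INITRAMFS_FULLNAME.$BOMTYPE.json` exists before the `cat` and warning or failing the task when it does not, since a merged SBOM that lacks the initrd packages also lacks them in any vulnerability scan run against it.
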
--
2.53.0

Felix Moessbauer

12:53 PM (5 hours ago)
to isar-...@googlegroups.com, Felix Moessbauer
The merge_wic_sbom function is called per SBOM type (spdx and cdx).
While the function takes the type as first parameter and assigns it to a
(local) variable, we previously used the parent variable to access the
value. We now clean up this inconsistency.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes-recipe/imagetypes_wic.bbclass | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass
index 6b82add3..5adea149 100644
--- a/meta/classes-recipe/imagetypes_wic.bbclass
+++ b/meta/classes-recipe/imagetypes_wic.bbclass
@@ -214,9 +214,9 @@ merge_wic_sbom() {
TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"

- cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.${bomtype}.json \
- ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.${bomtype}.json \
- ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \
+ cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.$BOMTYPE.json \
+ ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.$BOMTYPE.json \
+ ${WORKDIR}/imager.$BOMTYPE.json 2>/dev/null | \
bwrap \
--unshare-user \
--unshare-pid \
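
Review bot: the three changed `cat` arguments now mix `${...}` variables with a braceless `$BOMTYPE`, and nothing in the function says why. BitBake expands `${VAR}` inside shell functions while `$BOMTYPE` is left to the shell, so a one-line comment stating that BOMTYPE is the shell variable taken from the first parameter, and is deliberately written without braces, would keep a later cleanup from "normalising" it back to `${BOMTYPE}`.
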
@@ -227,5 +227,5 @@ merge_wic_sbom() {
--cdx-serialnumber $sbom_document_uuid \
--spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \
--timestamp $TIMESTAMP - -o - \
- > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$bomtype.json
+ > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$BOMTYPE.json
}
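
Review bot: the redirect on the last line of the function writes straight to the final `${IMAGE_FULLNAME}.wic.$BOMTYPE.json` in DEPLOY_DIR_IMAGE, so the file is created (possibly empty or truncated) even if the merge command earlier in the pipeline fails. Suggest writing to a temporary file under `${WORKDIR}` and moving it into place only after the pipeline has succeeded. `$sbom_document_uuid` and `$TIMESTAMP` in the lines above are also unquoted.
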
--
2.53.0
