SBOM


George Kraft

Aug 9, 2022, 2:02:30 PM
to kiwi
Has anyone thought about integrating the SPDX scancode and extractcode tools to build an SBOM during a Kiwi build? I've hacked it by creating a Makefile with a script to do it after the kiwi build.

Currently the SPDX team has scancode plugins for Yocto/Bitbake and Maven. It would be nice to get scancode integration for Kiwi as well.

Thanks,

George (gk4)

Marcus Schäfer

Aug 23, 2022, 11:57:23 AM
to kiwi-...@googlegroups.com
Hi,

sorry for the late response

> Has anyone thought about integrating the SPDX scancode and extractcode
> [1]tools to build an SBOM during a Kiwi build? I've hacked it by
> creating a Makefile with a script to do it after the kiwi build.

This points into static code analysis, right? I was wondering how
helpful it is as part of an image build process using binary
packages, e.g. from rust and go builds?

To answer your question I haven't looked into integration with
tools in this direction to be a part of the kiwi process. I
think from a process perspective it should be relatively
straightforward to integrate the kiwi responsibility to build me an
image with other pre/post processing jobs and I believe this
is what many people already do comparable to your Makefile
target.

You said "I've hacked it by creating a Makefile with a script
to do it after the kiwi build". I was wondering why you consider
it a hack?

I have to admit that I don't have insight into the scancode-toolkit
but I assume in any action it will require access to the root of the
image. There is a hook in the kiwi process called pre_disk_sync.sh
which could also be used to run a code scan and also prevent creation
of the image in case of flaws found:

https://osinside.github.io/kiwi/concept_and_workflow/shell_scripts.html?highlight=pre_disk_sync.sh

It would require the tooling you need to be packaged though and
available as part of the image root. A short research on the install
instructions (https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html)
did not offer any rpm, deb, etc. packages. I wondered
about that part as it seems python based and shouldn't be hard to
become packaged.

Assuming you have a package you could do the following:

<packages type="image">
  <!-- install sanity checks -->
  <package name="scancode-toolkit"/>
</packages>

<packages type="uninstall">
  <!-- get rid of sanity checks -->
  <package name="scancode-toolkit"/>
</packages>

And a script "pre_disk_sync.sh" which executes as you see fit.
A successful return from the script indicates "ok"; otherwise ("not ok")
the image build fails and the log should say something useful.

So I think we would have options to inject external tools
but they need to be packaged. We could also consider hosting
the packages as part of the OBS projects which also host
kiwi and its plugin packages.

If you think this would be an acceptable way to go forward I can
summarize our conversation here into an issue on github. I have
to admit it requires help from the community to become effective
as my time is limited.

Thoughts?

Regards,
Marcus
--
Public Key available via: https://keybase.io/marcus_schaefer/key.asc
keybase search marcus_schaefer
-------------------------------------------------------
Marcus Schäfer
Tel: +49 7562 905437
Brunnenweg 18
D-88260 Argenbühl
Germany
-------------------------------------------------------
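The hook-based flow Marcus sketches above (install scancode-toolkit into the image, run it from pre_disk_sync.sh, fail the build on a bad result, then uninstall the tool) as a concrete script. This is an added example, not code from the kiwi project, the scancode project, or either poster. It assumes scancode-toolkit is installed in the image root under the command name "scancode", that the hook runs chrooted inside the image root as the kiwi documentation linked above describes, and that the SBOM is written to a placeholder path SBOM_OUT inside the image; the flags --license, --copyright, --package and --json-pp are scancode-toolkit options, and the top-level "headers" key the check looks for is part of scancode's JSON output format.

```shell
#!/bin/bash
# pre_disk_sync.sh: added example, not code from the kiwi project or this thread.
# kiwi runs this hook inside the image root before the disk is synced; a
# non-zero exit makes the image build fail, which is the gate we want.
# Assumptions: scancode-toolkit is installed as "scancode" in the image root,
# and SBOM_OUT is a placeholder location for the generated SBOM.
set -eu

SBOM_OUT="${SBOM_OUT:-/var/lib/sbom/image.scancode.json}"   # assumed output path
SCAN_ROOT="${SCAN_ROOT:-/}"                                  # hook runs chrooted in the image
SCANCODE="${SCANCODE:-scancode}"                             # overridable for testing

# Run scancode over the image root and write pretty-printed JSON output.
scan_image() {
    root="$1"
    out="$2"
    mkdir -p "$(dirname "$out")"
    "$SCANCODE" --license --copyright --package --json-pp "$out" "$root"
}

# Gate: the SBOM must exist, be non-empty, and look like scancode JSON output
# (which carries a top-level "headers" key). Returns 1 otherwise.
check_sbom() {
    out="$1"
    [ -s "$out" ] || return 1
    grep -q '"headers"' "$out" || return 1
    return 0
}

# Scan, then verify; any failure is logged to stderr and fails the build.
main() {
    if ! scan_image "$SCAN_ROOT" "$SBOM_OUT"; then
        echo "pre_disk_sync: scancode failed, refusing to build image" >&2
        return 1
    fi
    if ! check_sbom "$SBOM_OUT"; then
        echo "pre_disk_sync: SBOM at $SBOM_OUT missing or malformed" >&2
        return 1
    fi
    echo "pre_disk_sync: SBOM written to $SBOM_OUT"
}

# Only run the gate when invoked as the kiwi hook; sourcing the file
# elsewhere just defines the functions.
case "${0##*/}" in
    pre_disk_sync.sh) main ;;
esac
```

Because the script runs inside the image root, the SBOM lands inside the image; if it should be a build artifact instead, copy it out in a later step, and note that the <packages type="uninstall"> block above removes scancode-toolkit but leaves SBOM_OUT in place. Scanning the whole root with license and copyright detection is slow, so a narrower SCAN_ROOT is a reasonable trade-off once you know which paths matter.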