Add org.osbuild.dnf4.sbom.spdx stage

Add a new stage, which allows analyzing the installed packages in a given filesystem tree using DNF4 API and generating an SPDX v2.3 SBOM document for it. One can provide the filesystem tree to be analyzed as a stage input. If no input is provided, the stage will analyze the filesystem tree of the current pipeline. Add tests cases for both usage variants of the stage, as well as the unit test for stage schema validation. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-07-02 17:49:44 +02:00 · 2024-07-02 17:49:44 +02:00 · ba70909975
commit ba70909975
parent 1d8bd0f8a6
13 changed files with 4556 additions and 0 deletions
--- a/test/data/stages/dnf4.sbom.spdx-input/a.json
+++ b/test/data/stages/dnf4.sbom.spdx-input/a.json
--- a/test/data/stages/dnf4.sbom.spdx-input/a.mpp.yaml
+++ b/test/data/stages/dnf4.sbom.spdx-input/a.mpp.yaml
@ -0,0 +1,28 @@
+version: '2'
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: os-tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - tmux
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.noop
--- a/test/data/stages/dnf4.sbom.spdx-input/b.json
+++ b/test/data/stages/dnf4.sbom.spdx-input/b.json
--- a/test/data/stages/dnf4.sbom.spdx-input/b.mpp.yaml
+++ b/test/data/stages/dnf4.sbom.spdx-input/b.mpp.yaml
@ -0,0 +1,37 @@
+version: '2'
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: os-tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - tmux
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.dnf4.sbom.spdx
+        inputs:
+          root-tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:os-tree
+        options:
+          config:
+            doc_path: "/image.spdx.json"
--- a/test/data/stages/dnf4.sbom.spdx-input/diff.json
+++ b/test/data/stages/dnf4.sbom.spdx-input/diff.json
@ -0,0 +1,7 @@
+{
+  "added_files": [
+    "/image.spdx.json"
+  ],
+  "deleted_files": [],
+  "differences": {}
+}
--- a/test/data/stages/dnf4.sbom.spdx/a.json
+++ b/test/data/stages/dnf4.sbom.spdx/a.json
--- a/test/data/stages/dnf4.sbom.spdx/a.mpp.yaml
+++ b/test/data/stages/dnf4.sbom.spdx/a.mpp.yaml
@ -0,0 +1,24 @@
+version: '2'
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - tmux
--- a/test/data/stages/dnf4.sbom.spdx/b.json
+++ b/test/data/stages/dnf4.sbom.spdx/b.json
--- a/test/data/stages/dnf4.sbom.spdx/b.mpp.yaml
+++ b/test/data/stages/dnf4.sbom.spdx/b.mpp.yaml
@ -0,0 +1,28 @@
+version: '2'
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - tmux
+      - type: org.osbuild.dnf4.sbom.spdx
+        options:
+          config:
+            doc_path: "/root/image.spdx.json"
--- a/test/data/stages/dnf4.sbom.spdx/diff.json
+++ b/test/data/stages/dnf4.sbom.spdx/diff.json
@ -0,0 +1,7 @@
+{
+  "added_files": [
+    "/root/image.spdx.json"
+  ],
+  "deleted_files": [],
+  "differences": {}
+}