Introduce %python_wheel_inject_sbom
See https://discuss.python.org/t/encoding-origin-in-wheel-and-dist-info-metadata-for-downstream-security-backports/97436
This commit is contained in:
Miro Hrončok
parent
364d99f4e1
commit
7d4cb5437d
4 changed files with 237 additions and 1 deletions
124
macros.python-wheel-sbom
Normal file
124
macros.python-wheel-sbom
Normal file
|
|
@ -0,0 +1,124 @@
|
|||
# The macros in this file are used to add SBOM to wheel files that we ship.
|
||||
# Majority of Python packages will not need to do that,
|
||||
# as they only use wheels as an intermediate artifact.
|
||||
# The macros will be used by packages installing wheel to %%python_wheel_dir
|
||||
# or by Python interpreters bundling their own (patched) wheels.
|
||||
#
|
||||
# The runtime dependencies are not Required by the python-rpm-macros package,
|
||||
# users of this macro need to specify them on their own or rely on the fact that
|
||||
# they are all available in the default buildroot.
|
||||
#
|
||||
# Usage: %%python_wheel_inject_sbom PATHS_TO_WHEELS
|
||||
#
|
||||
# The wheels are modified in-place.
|
||||
|
||||
|
||||
# Path of the SBOM file in the PEP 770 .dist-info/sboms directory
|
||||
# This filename is explicitly mentioned in https://cyclonedx.org/specification/overview/
|
||||
# section Recognized file patterns
|
||||
%__python_wheel_sbom_filename bom.json
|
||||
|
||||
|
||||
# The SBOM content to put to the file
|
||||
# This is a CycloneDX component as recommended in https://discuss.python.org/t/97436/7
|
||||
%__python_wheel_sbom_content %{expand:{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": [
|
||||
{
|
||||
"type": "library",
|
||||
"name": "%{name}",
|
||||
"version": "%{version}-%{release}",
|
||||
"purl": "%{__python_wheel_purl}"
|
||||
}
|
||||
]
|
||||
}}
|
||||
|
||||
|
||||
# The purl used above
|
||||
# We use the src package name (which is easier to get and more useful to consumers).
|
||||
# Note that epoch needs special handling, see https://github.com/package-url/purl-spec/issues/69
|
||||
# and https://redhatproductsecurity.github.io/security-data-guidelines/purl/
|
||||
%__python_wheel_purl pkg:rpm/%{__python_wheel_dist_purl_namespace}/%{name}@%{version}-%{release}?%{?epoch:epoch=%{epoch}&}arch=src
|
||||
|
||||
|
||||
# The purl namespace used above
|
||||
# https://lists.fedoraproject.org/archives/list/packaging@lists.fedoraproject.org/thread/GTRCTAF3R3SSBVEJYFCATKNRT7RYVFQI/
|
||||
# Distributors, define %%dist_purl_namespace to set this.
|
||||
# The rest of the code is fallback for distributions without it (relying on %%dist_name).
|
||||
%__python_wheel_dist_purl_namespace %{?dist_purl_namespace}%{!?dist_purl_namespace:%{lua:
|
||||
if macros.epel then
|
||||
-- being epel beats the %%dist_name value
|
||||
-- added in https://src.fedoraproject.org/rpms/epel-rpm-macros/pull-request/86
|
||||
print("epel")
|
||||
else
|
||||
local dist_map = {
|
||||
-- fedora is in the purl-spec examples https://github.com/package-url/purl-spec/blob/main/PURL-TYPES.rst#rpm
|
||||
-- added in https://src.fedoraproject.org/rpms/fedora-release/pull-request/385
|
||||
["Fedora Linux"] = "fedora",
|
||||
-- added in https://gitlab.com/redhat/centos-stream/rpms/centos-stream-release/-/merge_requests/7
|
||||
["CentOS Stream"] = "centos",
|
||||
-- documented at https://redhatproductsecurity.github.io/security-data-guidelines/purl/
|
||||
["Red Hat Enterprise Linux"] = "redhat",
|
||||
-- documented at https://wiki.almalinux.org/documentation/sbom-guide.html
|
||||
["AlmaLinux"] = "almalinux",
|
||||
-- from https://github.com/google/osv.dev/pull/2939
|
||||
["Rocky Linux"] = "rocky-linux",
|
||||
}
|
||||
print(dist_map[macros.dist_name] or "unknown")
|
||||
end
|
||||
}}
|
||||
|
||||
|
||||
# A Bash scriptlet to inject the SBOM file into the wheel(s)
|
||||
# The macro takes positional nargs+ with wheel paths
|
||||
# For each wheel, it
|
||||
# 1. aborts if the SBOM file is already there (it won't override)
|
||||
# 2. inserts the SBOM file to .dist-info/sboms
|
||||
# 3. amends .dist-info/RECORD with the added SBOM file
|
||||
%python_wheel_inject_sbom() %{expand:(
|
||||
%[%# ? "" : "%{error:%%%0: At least one argument (wheel path) is required}"]
|
||||
|
||||
set -eu -o pipefail
|
||||
export LANG=C.utf-8
|
||||
|
||||
tmpdir=$(mktemp -d)
|
||||
trap 'rm -rf "$tmpdir"' EXIT
|
||||
pwd0=$(pwd)
|
||||
ret=0
|
||||
|
||||
for whl in %{*}; do
|
||||
cd "$tmpdir"
|
||||
if [[ "$whl" != /* ]]; then
|
||||
whl="$pwd0/$whl"
|
||||
fi
|
||||
|
||||
record=$(zipinfo -1 "$whl" | grep '\.dist-info/RECORD$')
|
||||
distinfo="${record%%/RECORD}"
|
||||
bom="$distinfo/sboms/%{__python_wheel_sbom_filename}"
|
||||
|
||||
if zipinfo -1 "$whl" | grep -qFx "$bom"; then
|
||||
echo -e "\\n\\nERROR %%%%%0: $whl already has $bom, aborting\\n\\n" >&2
|
||||
ret=1
|
||||
continue
|
||||
fi
|
||||
|
||||
unzip "$whl" "$record"
|
||||
mkdir "$distinfo/sboms"
|
||||
echo '%{__python_wheel_sbom_content}' > "$bom"
|
||||
checksum="sha256=$(sha256sum "$bom" | cut -f1 -d' ')"
|
||||
size="$(wc --bytes "$bom" | cut -f1 -d' ')"
|
||||
echo "$bom,$checksum,$size" >> "$record"
|
||||
|
||||
if [[ -n "${SOURCE_DATE_EPOCH:-}" ]]; then
|
||||
touch --date="@$SOURCE_DATE_EPOCH" "$bom" "$record"
|
||||
fi
|
||||
|
||||
zip -r "$whl" "$record" "$bom"
|
||||
rm -rf "$distinfo"
|
||||
cd "$pwd0"
|
||||
done
|
||||
|
||||
exit $ret
|
||||
)}
|
||||
|
||||
Loading…
Add table
Add a link
Reference in a new issue