From 20d349ca5514cb566874e21e2a68ef682d69c072 Mon Sep 17 00:00:00 2001 From: Jessica Wagantall Date: Tue, 26 Apr 2022 19:30:50 -0700 Subject: [PATCH] Fix: Isolate SBOM PATH flag SBOM's path flag does not work as expected. We need to introduce a new flag called SBOM_PATH to isolate the path where SBOM is going to be extracted to and executed from. By default this is set to $WORKSPACE but some projects need to execute the sbom from a different location in their code. See https://github.com/opensbom-generator/spdx-sbom-generator/issues/227 Issue: RELENG-4213 Signed-off-by: Jessica Wagantall Change-Id: Ibaaf4f89035f8aa9a773e199cf0cacb6c1e14947 --- docs/jjb/lf-maven-jobs.rst | 2 ++ jjb/lf-maven-jobs.yaml | 5 +++++ .../notes/maven-sbom-generator-path-7987d3ec5dc2c1f9.yaml | 8 ++++++++ shell/sbom-generator.sh | 6 +++++- 4 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/maven-sbom-generator-path-7987d3ec5dc2c1f9.yaml diff --git a/docs/jjb/lf-maven-jobs.rst b/docs/jjb/lf-maven-jobs.rst index 411a7126..59b50182 100644 --- a/docs/jjb/lf-maven-jobs.rst +++ b/docs/jjb/lf-maven-jobs.rst @@ -419,6 +419,8 @@ directory is then used later to deploy to Nexus. (default: false) :sbom-generator-version: SBOM generator version to download and run if using sbom-generator. (default: v0.0.10) + :sbom-path: Path where SBOM is going to be executed from. + (default: $WORKSPACE) :sign-artifacts: Sign artifacts with Sigul. (default: false) :stream: Keyword that represents a release code-name. Often the same as the branch. (default: master) diff --git a/jjb/lf-maven-jobs.yaml b/jjb/lf-maven-jobs.yaml index 528e1504..878840cf 100644 --- a/jjb/lf-maven-jobs.yaml +++ b/jjb/lf-maven-jobs.yaml @@ -843,6 +843,7 @@ ossrh-profile-id: "" mvn-pom: "" sbom-flags: "" + sbom-path: "$WORKSPACE" sbom-generator: false sbom-generator-version: "v0.0.10" sign-artifacts: false 
@@ -896,6 +897,10 @@ name: SBOM_GENERATOR_VERSION default: "{sbom-generator-version}" description: SBOM generator version to download and run. + - string: + name: SBOM_PATH + default: "{sbom-path}" + description: path where SBOM needs to be executed. builders: - lf-infra-pre-build diff --git a/releasenotes/notes/maven-sbom-generator-path-7987d3ec5dc2c1f9.yaml b/releasenotes/notes/maven-sbom-generator-path-7987d3ec5dc2c1f9.yaml new file mode 100644 index 00000000..ab786d1b --- /dev/null +++ b/releasenotes/notes/maven-sbom-generator-path-7987d3ec5dc2c1f9.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + SBOM's path flag does not work as expected. We need to introduce a new + flag called SBOM_PATH to isolate the path where SBOM is going to be + extracted to and executed from. By default this is set to $WORKSPACE but + some projects need to execute the sbom from a different location in their + code. See https://github.com/opensbom-generator/spdx-sbom-generator/issues/227 diff --git a/shell/sbom-generator.sh b/shell/sbom-generator.sh index f3e657b0..8b1fd357 100644 --- a/shell/sbom-generator.sh +++ b/shell/sbom-generator.sh @@ -25,8 +25,12 @@ if ! wget -nv "${URL}" -O "${SBOM_LOCATION}"; then echo "wget ${SBOM_GENERATOR_VERSION} failed" exit 1; fi -tar -xvf "${SBOM_LOCATION}" +# Extract SBOM bin in SBOM_PATH +# This is a workaround until the --path flag works +# https://github.com/opensbom-generator/spdx-sbom-generator/issues/227 +tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH} echo "INFO: running spdx-sbom-generator" +cd ${SBOM_PATH} ./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo mv spdx-sbom-generator /tmp/ rm /tmp/spdx* -- 2.16.6
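Review bot: The new `SBOM_PATH` string parameter's description ("path where SBOM needs to be executed.") does not tell an operator what the value must look like, even though it is a build-time parameter anyone who can trigger the job may override, and the sibling docs hunk phrases the same option differently ("Path where SBOM is going to be executed from. (default: $WORKSPACE)"). From the shell hunk, the value is used both as the `tar -C` target and as a `cd` target, and nothing in that hunk creates the directory, so the constraints are worth stating where the parameter is defined. Suggested wording, matching the capitalisation of the neighbouring SBOM_GENERATOR_VERSION description: `description: Directory the SBOM generator is extracted to and run from (absolute, or relative to the job working directory; it is not created by the job). Default $WORKSPACE.`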
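Review bot: `${SBOM_PATH}` is expanded unquoted in both new lines, `tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}` and `cd ${SBOM_PATH}`, while `${SBOM_LOCATION}` on the same line is quoted; a value containing whitespace or glob characters is split into several arguments, and an empty value turns `cd` into a jump to `$HOME` and leaves `tar -C` without an operand. The `cd` result is also not checked, so unless the script's preamble (outside this hunk) sets `set -e`, a failed `cd` leaves the following `./spdx-sbom-generator`, `mv` and `rm` running in the original directory against a binary that is no longer there. Since SBOM_PATH is a caller-supplied job parameter, both lines should be `tar -xzf "${SBOM_LOCATION}" -C "${SBOM_PATH}"` and `cd "${SBOM_PATH}" || exit 1`, and it would be prudent to reject values that resolve outside `${WORKSPACE}` before extracting a downloaded archive into them. Separately, replacing `-xvf` with `-xzf` pins the archive to gzip; plain `tar -xf` auto-detects the compression and would keep the previous tolerance if the upstream release format ever changes.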