Generate XML SBOM
Haroon-Khel committed Dec 4, 2024
1 parent 8646220 commit 28794f3
Showing 2 changed files with 83 additions and 83 deletions.
94 changes: 47 additions & 47 deletions sbin/build.sh
Expand Up @@ -969,41 +969,41 @@ generateSBoM() {
sbomTargetName=$(echo "${sbomTargetName}.json" | sed "s/\.tar\.gz//")
fi

local sbomJson="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} ${sbomTargetName})"
echo "OpenJDK SBOM will be ${sbomJson}."
local sbomXML="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} ${sbomTargetName})"
echo "OpenJDK SBOM will be ${sbomXML}."

# Clean any old json
rm -f "${sbomJson}"
rm -f "${sbomXML}"

local fullVer=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersion.txt")
local fullVerOutput=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersionOutput.txt")

# Create initial SBOM json
createSBOMFile "${javaHome}" "${classpath}" "${sbomJson}"
createSBOMFile "${javaHome}" "${classpath}" "${sbomXML}"
# Set default SBOM metadata
addSBOMMetadata "${javaHome}" "${classpath}" "${sbomJson}"
addSBOMMetadata "${javaHome}" "${classpath}" "${sbomXML}"

# Create component to metadata in SBOM
addSBOMMetadataComponent "${javaHome}" "${classpath}" "${sbomJson}" "Eclipse Temurin" "framework" "${fullVer}" "Eclipse Temurin components"
addSBOMMetadataComponent "${javaHome}" "${classpath}" "${sbomXML}" "Eclipse Temurin" "framework" "${fullVer}" "Eclipse Temurin components"

# Below add property to metadata
# Add OS full version (Kernel is covered in the first field)
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS version" "${BUILD_CONFIG[OS_FULL_VERSION]^}"
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "OS version" "${BUILD_CONFIG[OS_FULL_VERSION]^}"
# TODO: Replace this "if" with its predecessor (commented out below) once
# OS_ARCHITECTURE has been replaced by the new target architecture variable.
# This is because OS_ARCHITECTURE is currently the build arch, not the target arch,
# and that confuses things when cross-compiling an x64 mac build on arm mac.
# addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}"
# addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}"
if [[ "${BUILD_CONFIG[TARGET_FILE_NAME]}" =~ .*_x64_.* ]]; then
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "x86_64"
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "OS architecture" "x86_64"
else
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}"
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}"
fi

# Set default SBOM formulation
addSBOMFormulation "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX"
addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs"
addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions"
addSBOMFormulation "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX"
addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX" "CycloneDX jar SHAs"
addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX" "CycloneDX jar versions"

# Below add build tools into metadata tools
if [ "${BUILD_CONFIG[OS_KERNEL_NAME]}" == "linux" ]; then
Expand All @@ -1030,7 +1030,7 @@ generateSBoM() {
# Add FreeMarker 3rd party (openj9)
local freemarker_version="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} 'metadata/dependency_version_freemarker.txt')"
if [ -f "${freemarker_version}" ]; then
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "FreeMarker" "$(cat ${freemarker_version})"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "FreeMarker" "$(cat ${freemarker_version})"
fi
# Add CycloneDX versions
addCycloneDXVersions
Expand All @@ -1039,10 +1039,10 @@ generateSBoM() {
local buildimagesha=$(cat ${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/docker.txt)
# ${BUILD_CONFIG[CONTAINER_COMMAND]^} always set to false cannot rely on it.
if [ -n "${buildimagesha}" ] && [ "${buildimagesha}" != "N.A" ]; then
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "Use Docker for build" "true"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "Docker image SHA1" "${buildimagesha}"
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "Use Docker for build" "true"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "Docker image SHA1" "${buildimagesha}"
else
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "Use Docker for build" "false"
addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "Use Docker for build" "false"
fi

checkingToolSummary
Expand Down Expand Up @@ -1079,41 +1079,41 @@ generateSBoM() {
local sha=$(sha256File "${archiveFile}")

# Create JDK Component
addSBOMComponent "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "${fullVer}" "${BUILD_CONFIG[BUILD_VARIANT]^} ${component} Component"
addSBOMComponent "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "${fullVer}" "${BUILD_CONFIG[BUILD_VARIANT]^} ${component} Component"

# Add SHA256 hash for the component
addSBOMComponentHash "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "${sha}"
addSBOMComponentHash "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "${sha}"

# Below add different properties to JDK component
# Add target archive name as JDK Component Property
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Filename" "${archiveName}"
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Filename" "${archiveName}"
# Add variant as JDK Component Property
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "JDK Variant" "${BUILD_CONFIG[BUILD_VARIANT]^}"
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "JDK Variant" "${BUILD_CONFIG[BUILD_VARIANT]^}"
# Add scmRef as JDK Component Property
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "SCM Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/scmref.txt"
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "SCM Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/scmref.txt"
# Add OpenJDK source ref commit as JDK Component Property
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "OpenJDK Source Commit" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/openjdkSource.txt"
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "OpenJDK Source Commit" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/openjdkSource.txt"
# Add buildRef as JDK Component Property
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Temurin Build Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt"
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Temurin Build Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt"
# Add jenkins job ID as JDK Component Property
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Builder Job Reference" "${BUILD_URL:-N.A}"
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Builder Job Reference" "${BUILD_URL:-N.A}"
# Add jenkins builder (agent/machine name) as JDK Component Property
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Builder Name" "${NODE_NAME:-N.A}"
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Builder Name" "${NODE_NAME:-N.A}"

# Add build timestamp
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Timestamp" "${BUILD_CONFIG[BUILD_TIMESTAMP]}"
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Build Timestamp" "${BUILD_CONFIG[BUILD_TIMESTAMP]}"

# Add Tool Summary section from configure.txt
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Tools Summary" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_tool_sum.txt"
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Build Tools Summary" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_tool_sum.txt"
# Add builtConfig JDK Component Property, load as Json string
built_config=$(createConfigToJsonString)
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Config" "${built_config}"
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Build Config" "${built_config}"
# Add full_version_output JDK Component Property
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "full_version_output" "${fullVerOutput}"
addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "full_version_output" "${fullVerOutput}"
# Add makejdk_any_platform_args JDK Component Property
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "makejdk_any_platform_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args"
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "makejdk_any_platform_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args"
# Add make_command_args JDK Component Property
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "make_command_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/makeCommandArg.txt"
addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "make_command_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/makeCommandArg.txt"
done


Expand Down Expand Up @@ -1158,11 +1158,11 @@ generateSBoM() {
devkit_path=$(echo ${devkit_path} | sed 's,\./,,' | sed 's,//,/,')
bootjdk_path=$(echo ${bootjdk_path} | sed 's,\./,,' | sed 's,//,/,')

bash "$SCRIPT_DIR/../tooling/strace_analysis.sh" "${straceOutputDir}" "${temurinBuildDir}" "${bootjdk_path}" "${classpath}" "${sbomJson}" "${buildOutputDir}" "${openjdkSrcDir}" "${javaHome}" "${toolchain_path}"
bash "$SCRIPT_DIR/../tooling/strace_analysis.sh" "${straceOutputDir}" "${temurinBuildDir}" "${bootjdk_path}" "${classpath}" "${sbomXML}" "${buildOutputDir}" "${openjdkSrcDir}" "${javaHome}" "${toolchain_path}"
fi

# Print SBOM location
echo "CycloneDX SBOM has been created in ${sbomJson}"
echo "CycloneDX SBOM has been created in ${sbomXML}"
}

# Generate build tools info into dependency file
Expand Down Expand Up @@ -1233,7 +1233,7 @@ addFreeTypeVersionInfo() {
version="${ver_major}.${ver_minor}.${ver_patch}"
fi

addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "FreeType" "${version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "FreeType" "${version}"
}

# Determine and store CycloneDX SHAs that have been used to provide the SBOMs
Expand All @@ -1249,12 +1249,12 @@ addCycloneDXVersions() {
else
JarSha=$(sha256sum "$JAR" | cut -d' ' -f1)
fi
addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}"
addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}"
# Now the jar's SHA has been added, we add the version string.
JarDepsFile="$(joinPath ${CYCLONEDB_DIR} dependency_data/dependency_data.properties)"
JarVersionString=$(grep "${JarName}\.version=" "${JarDepsFile}" | cut -d'=' -f2)
if [ -n "${JarVersionString}" ]; then
addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}"
addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}"
elif [ "${JarName}" != "temurin-gen-sbom" ]; then
echo "ERROR: Cannot determine jar version from ${JarDepsFile} for SBOM creation dependency ${JarName}.jar."
fi
Expand Down Expand Up @@ -1295,7 +1295,7 @@ addALSAVersion() {
fi

echo "Adding ALSA version to SBOM: ${ALSA_VERSION}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "ALSA" "${ALSA_VERSION}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "ALSA" "${ALSA_VERSION}"
fi
}

Expand Down Expand Up @@ -1354,15 +1354,15 @@ addGLIBCforLinux() {
# Get musl build ldd version
local MUSL_VERSION="$(ldd --version 2>&1 | grep "Version" | tr -s " " | cut -d" " -f2)"
echo "Adding MUSL version to SBOM: ${MUSL_VERSION}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MUSL" "${MUSL_VERSION}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MUSL" "${MUSL_VERSION}"
else
# Get GLIBC from configured build spec.gmk sysroot and features.h definitions
local GLIBC_MAJOR=$(getHeaderPropertyUsingCompiler "features.h" "#define[ ]+__GLIBC__")
local GLIBC_MINOR=$(getHeaderPropertyUsingCompiler "features.h" "#define[ ]+__GLIBC_MINOR__")
local GLIBC_VERSION="${GLIBC_MAJOR}.${GLIBC_MINOR}"

echo "Adding GLIBC version to SBOM: ${GLIBC_VERSION}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "GLIBC" "${GLIBC_VERSION}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "GLIBC" "${GLIBC_VERSION}"
fi
}

Expand All @@ -1372,7 +1372,7 @@ addGCC() {
local gcc_version="$(sed -n '/^Tools summary:$/,$p' "${inputConfigFile}" | tr -s " " | grep "C Compiler: Version" | cut -d" " -f5)"

echo "Adding GCC version to SBOM: ${gcc_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "GCC" "${gcc_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "GCC" "${gcc_version}"
}

addCompilerWindows() {
Expand All @@ -1392,13 +1392,13 @@ addCompilerWindows() {
local msvs_cpp_version="$(grep -o -P '\* C\+\+ Compiler:\s+\K[^"]+' "${inputConfigFile}" | awk '{print $2}')"

echo "Adding Windows Compiler versions to SBOM: ${msvs_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS Windows Compiler Version" "${msvs_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MSVS Windows Compiler Version" "${msvs_version}"
echo "Adding Windows C Compiler version to SBOM: ${msvs_c_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS C Compiler Version" "${msvs_c_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MSVS C Compiler Version" "${msvs_c_version}"
echo "Adding Windows C++ Compiler version to SBOM: ${msvs_cpp_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS C++ Compiler Version" "${msvs_cpp_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MSVS C++ Compiler Version" "${msvs_cpp_version}"
echo "Adding Windows SDK version to SBOM: ${ucrt_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MS Windows SDK Version" "${ucrt_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MS Windows SDK Version" "${ucrt_version}"
}

addCompilerMacOS() {
Expand All @@ -1408,7 +1408,7 @@ addCompilerMacOS() {
local macx_version="$(grep ".* Toolchain:" "${inputConfigFile}" | awk -F ':' '{print $2}' | sed -e 's/^[ \t]*//')"

echo "Adding MacOS compiler version to SBOM: ${macx_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MacOS Compiler" "${macx_version}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MacOS Compiler" "${macx_version}"
}

addBootJDK() {
Expand All @@ -1423,7 +1423,7 @@ addBootJDK() {
local bootjdk="$("${bootjava}" -XshowSettings 2>&1 | grep "java\.runtime\.version" | tr -s " " | cut -d" " -f4 | sed "s/\"//g")"

echo "Adding BOOTJDK to SBOM: ${bootjdk}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "BOOTJDK" "${bootjdk}"
addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "BOOTJDK" "${bootjdk}"
}

getGradleJavaHome() {
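Review bot: The renamed `sbomXML` path is still built from `sbomTargetName`, which the context line at the top of the first generateSBoM hunk sets with a `.json` suffix (`echo "${sbomTargetName}.json" | sed "s/\.tar\.gz//"`), so if the generator now writes XML, as the commit title suggests, the build would publish XML content under a JSON file name and any consumer that picks a parser by extension would mis-handle the SBOM. The comments `# Clean any old json` and `# Create initial SBOM json` are left stale as well; I would reword them to `# Clean any old SBOM file` and `# Create initial SBOM file` and derive the suffix from the chosen format in one place. The helper functions in this section (addFreeTypeVersionInfo, addALSAVersion, addGCC and the others) read `${sbomXML}` without declaring it, relying on the `local` in generateSBoM being visible to its callees, so a short header comment on each stating that they must be called from generateSBoM would prevent an empty path being passed later. generateSBoM starts and ends outside the visible hunks and the second changed file is not shown, so the suffix may already be handled elsewhere in the commit.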
