-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add initial support for generating SPDX SBOM documents (COMPOSER-2274) #4359
Commits on Sep 19, 2024
-
Schutzfile: update osbuild ref
Update the ref to the v129, which supports SBOM documents. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8635abc - Browse repository at this point
Copy the full SHA 8635abcView commit details -
Schutzfile: update el10 / c10s rpmrepo snapshots
This is needed to be able to install osbuild RPM builds, because that repo uses newer snapshots. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 326cf82 - Browse repository at this point
Copy the full SHA 326cf82View commit details -
Test/repositories: update el10 / c10s repmrepo snapshots
Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c3b9812 - Browse repository at this point
Copy the full SHA c3b9812View commit details -
Update osbuild/images to v0.88.0
Adjust all paces that call `Solver.Depsolve()`, to cope with the changes that enabled SBOM support. Fix loading of testing repositories in the CloudAPI unit tests. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 4672a0d - Browse repository at this point
Copy the full SHA 4672a0dView commit details -
SPEC: bump the minimum osbuild version
This is needed for the SBOM support Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f90bbc6 - Browse repository at this point
Copy the full SHA f90bbc6View commit details -
Worker/json: remove redundant comment
Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c71e5ca - Browse repository at this point
Copy the full SHA c71e5caView commit details -
Worker/depsolve: add support for SBOM
Add support to the `DepsolveJob` for requesting SBOM documents and returning the results from the job. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 85dae3a - Browse repository at this point
Copy the full SHA 85dae3aView commit details -
CloudAPI: request SBOM documents in depsolve jobs
Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 946785c - Browse repository at this point
Copy the full SHA 946785cView commit details -
Worker/osbuild: depend on depsolve job for Koji composes
For Koji composes, all files are uploaded to Koji as part of the osbuild job (specifically as part of handling the Koji target). So in order to be able to upload SBOM documents to Koji as part of Koji compose, the osbuild job needs to to be able to access the depsolve job result, which contains the SBOM documents. For this, the osbuild job must depend on the depsolve job. For Koji composes, make sure that osbuild job depends on the depsolve job and set the DepsolveDynArgsIdx. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 492a5f2 - Browse repository at this point
Copy the full SHA 492a5f2View commit details -
Target/koji: extend the result struct with SBOM docs
Extend the Koji target result struct with an optional slice for uploaded SBOM documents. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a7bf28d - Browse repository at this point
Copy the full SHA a7bf28dView commit details -
Worker/koji-finalize: import uploaded SBOM documents
If the Koji target result contains information about any uploaded SBOM documents, import them to Koji as part of the finalize task. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 945fa41 - Browse repository at this point
Copy the full SHA 945fa41View commit details -
Worker/osbuild/koji: upload SBOM documents
Extend the Koji target handling in the osbuild job, to also upload SBOM documents attached to the related depsolve job result. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2bb6628 - Browse repository at this point
Copy the full SHA 2bb6628View commit details -
Test/koji.sh: adjust for SBOM documents
Adjust the test case to cope with the SPDX SBOM documents uploaded to the Koji. Also explicitly check that there is the expected number of SBOM documents uploaded as the image build output. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for fe06038 - Browse repository at this point
Copy the full SHA fe06038View commit details -
CI/Koji: test RHEL-8 builds on RHEL-9
We have been testing builds of RHEL-9 on RHEL-8 for the Koji use case. However, all of our workers are now running the latest GA RHEL-9 version. Therefore we should flip the test and test building of RHEL-8 on RHEL-9. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a56a2d7 - Browse repository at this point
Copy the full SHA a56a2d7View commit details -
CI/Koji: test building of RHEL-10 on RHEL-9
This is what is currently happening on our Brew workers. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 6027bc6 - Browse repository at this point
Copy the full SHA 6027bc6View commit details -
CI/Koji: run Koji tests only on the latest RHEL-9 GA
None of our worker is running RHEL-8 any more. There's no value in testing the Koji scenario on RHEL-8, RHEL-9 is fully sufficient. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8ee2408 - Browse repository at this point
Copy the full SHA 8ee2408View commit details -
CloudAPI: extend manifestJobResultsFromJobDeps() to also return JobInfo
Extend the `manifestJobResultsFromJobDeps()` function to also return the manifest `JobInfo`. This will be useful to inspect the job dependencies and eliminate the need to add a specialized function for getting only the `JobInfo`. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for de12214 - Browse repository at this point
Copy the full SHA de12214View commit details
Commits on Sep 20, 2024
-
CloudAPI: add new /composes/{id}/sboms endpoint
Add a new /sboms API endpoint, for getting SBOM documents for a given compose ID. The endpoint returns an array of SBOM documents for each image built as part of the compose. For each image, there is an SBOM document for each osbuild pipeline, which installs RPM packages. This is usually one 'buildroot' and one 'image' pipeline. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b3eea4a - Browse repository at this point
Copy the full SHA b3eea4aView commit details -
CloudAPI: test /sboms endpoint for regular composes
Extend the unit test for regular (non-Koji) composes, to verify that the newly added /sboms endpoint works correctly. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b3f40b9 - Browse repository at this point
Copy the full SHA b3f40b9View commit details -
CloudAPI: test /sboms endpoint for Koji composes
Extend the API unit test for Koji composes, to verify that the newly added /sboms endpoint works correctly. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 54914dd - Browse repository at this point
Copy the full SHA 54914ddView commit details -
Test/repositories: remove the AUX GPG key from RHEL-8 repos
This is needed for GPG key import to work on RHEL-9, because the key uses SHA-1. This results in the following error when importing the key during the build of the build container: "Signature not supported. Hash algorithm SHA1 not available." We do not need the AUX key in our RHEL-8 repo definitions used for testing. Signed-off-by: Tomáš Hozza <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f1527b9 - Browse repository at this point
Copy the full SHA f1527b9View commit details