Generate SBOM of products in Soong.
Bug: 324465531 Test: CIs Test: m soong-sbom Change-Id: If76776851d49282829a79bfb1c33f05b8f57de31
This commit is contained in:
@@ -70,13 +70,14 @@ function test_sbom_aosp_cf_x86_64_phone {
|
||||
# m droid, build sbom later in case additional dependencies might be built and included in partition images.
|
||||
run_soong "${out_dir}" "droid dump.erofs lz4"
|
||||
|
||||
soong_sbom_out=$out_dir/soong/sbom/$target_product
|
||||
product_out=$out_dir/target/product/vsoc_x86_64
|
||||
sbom_test=$product_out/sbom_test
|
||||
mkdir -p $sbom_test
|
||||
cp $product_out/*.img $sbom_test
|
||||
|
||||
# m sbom
|
||||
run_soong "${out_dir}" sbom
|
||||
# m sbom soong-sbom
|
||||
run_soong "${out_dir}" "sbom soong-sbom"
|
||||
|
||||
# Generate installed file list from .img files in PRODUCT_OUT
|
||||
dump_erofs=$out_dir/host/linux-x86/bin/dump.erofs
|
||||
@@ -118,6 +119,7 @@ function test_sbom_aosp_cf_x86_64_phone {
|
||||
partition_name=$(basename $f | cut -d. -f1)
|
||||
file_list_file="${sbom_test}/sbom-${partition_name}-files.txt"
|
||||
files_in_spdx_file="${sbom_test}/sbom-${partition_name}-files-in-spdx.txt"
|
||||
files_in_soong_spdx_file="${sbom_test}/soong-sbom-${partition_name}-files-in-spdx.txt"
|
||||
rm "$file_list_file" > /dev/null 2>&1 || true
|
||||
all_dirs="/"
|
||||
while [ ! -z "$all_dirs" ]; do
|
||||
@@ -145,6 +147,7 @@ function test_sbom_aosp_cf_x86_64_phone {
|
||||
done
|
||||
sort -n -o "$file_list_file" "$file_list_file"
|
||||
|
||||
# Diff the file list from image and file list in SBOM created by Make
|
||||
grep "FileName: /${partition_name}/" $product_out/sbom.spdx | sed 's/^FileName: //' > "$files_in_spdx_file"
|
||||
if [ "$partition_name" = "system" ]; then
|
||||
# system partition is mounted to /, so include FileName starts with /root/ too.
|
||||
@@ -154,6 +157,17 @@ function test_sbom_aosp_cf_x86_64_phone {
|
||||
|
||||
echo ============ Diffing files in $f and SBOM
|
||||
diff_files "$file_list_file" "$files_in_spdx_file" "$partition_name" ""
|
||||
|
||||
# Diff the file list from image and file list in SBOM created by Soong
|
||||
grep "FileName: /${partition_name}/" $soong_sbom_out/sbom.spdx | sed 's/^FileName: //' > "$files_in_soong_spdx_file"
|
||||
if [ "$partition_name" = "system" ]; then
|
||||
# system partition is mounted to /, so include FileName starts with /root/ too.
|
||||
grep "FileName: /root/" $soong_sbom_out/sbom.spdx | sed 's/^FileName: \/root//' >> "$files_in_soong_spdx_file"
|
||||
fi
|
||||
sort -n -o "$files_in_soong_spdx_file" "$files_in_soong_spdx_file"
|
||||
|
||||
echo ============ Diffing files in $f and SBOM created by Soong
|
||||
diff_files "$file_list_file" "$files_in_soong_spdx_file" "$partition_name" ""
|
||||
done
|
||||
|
||||
RAMDISK_IMAGES="$product_out/ramdisk.img"
|
||||
@@ -161,6 +175,7 @@ function test_sbom_aosp_cf_x86_64_phone {
|
||||
partition_name=$(basename $f | cut -d. -f1)
|
||||
file_list_file="${sbom_test}/sbom-${partition_name}-files.txt"
|
||||
files_in_spdx_file="${sbom_test}/sbom-${partition_name}-files-in-spdx.txt"
|
||||
files_in_soong_spdx_file="${sbom_test}/sbom-${partition_name}-files-in-soong-spdx.txt"
|
||||
# lz4 decompress $f to stdout
|
||||
# cpio list all entries like ls -l
|
||||
# grep filter normal files and symlinks
|
||||
@@ -170,11 +185,19 @@ function test_sbom_aosp_cf_x86_64_phone {
|
||||
|
||||
grep "FileName: /${partition_name}/" $product_out/sbom.spdx | sed 's/^FileName: //' | sort -n > "$files_in_spdx_file"
|
||||
|
||||
grep "FileName: /${partition_name}/" $soong_sbom_out/sbom.spdx | sed 's/^FileName: //' | sort -n > "$files_in_soong_spdx_file"
|
||||
|
||||
echo ============ Diffing files in $f and SBOM
|
||||
diff_files "$file_list_file" "$files_in_spdx_file" "$partition_name" ""
|
||||
|
||||
echo ============ Diffing files in $f and SBOM created by Soong
|
||||
diff_files "$file_list_file" "$files_in_soong_spdx_file" "$partition_name" ""
|
||||
done
|
||||
|
||||
verify_package_verification_code "$product_out/sbom.spdx"
|
||||
verify_package_verification_code "$soong_sbom_out/sbom.spdx"
|
||||
|
||||
verify_packages_licenses "$soong_sbom_out/sbom.spdx"
|
||||
|
||||
# Teardown
|
||||
cleanup "${out_dir}"
|
||||
@@ -213,6 +236,41 @@ function verify_package_verification_code {
|
||||
fi
|
||||
}
|
||||
|
||||
function verify_packages_licenses {
|
||||
local sbom_file="$1"; shift
|
||||
|
||||
num_of_packages=$(grep 'PackageName:' $sbom_file | wc -l)
|
||||
num_of_declared_licenses=$(grep 'PackageLicenseDeclared:' $sbom_file | wc -l)
|
||||
if [ "$num_of_packages" = "$num_of_declared_licenses" ]
|
||||
then
|
||||
echo "Number of packages with declared license is correct."
|
||||
else
|
||||
echo "Number of packages with declared license is WRONG."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# PRODUCT and 7 prebuilt packages have "PackageLicenseDeclared: NOASSERTION"
|
||||
# All other packages have declared licenses
|
||||
num_of_packages_with_noassertion_license=$(grep 'PackageLicenseDeclared: NOASSERTION' $sbom_file | wc -l)
|
||||
if [ $num_of_packages_with_noassertion_license = 15 ]
|
||||
then
|
||||
echo "Number of packages with NOASSERTION license is correct."
|
||||
else
|
||||
echo "Number of packages with NOASSERTION license is WRONG."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
num_of_files=$(grep 'FileName:' $sbom_file | wc -l)
|
||||
num_of_concluded_licenses=$(grep 'LicenseConcluded:' $sbom_file | wc -l)
|
||||
if [ "$num_of_files" = "$num_of_concluded_licenses" ]
|
||||
then
|
||||
echo "Number of files with concluded license is correct."
|
||||
else
|
||||
echo "Number of files with concluded license is WRONG."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
function test_sbom_unbundled_apex {
|
||||
# Setup
|
||||
out_dir="$(setup)"
|
||||
@@ -274,7 +332,7 @@ function test_sbom_unbundled_apk {
|
||||
|
||||
target_product=aosp_cf_x86_64_phone
|
||||
target_release=trunk_staging
|
||||
target_build_variant=userdebug
|
||||
target_build_variant=eng
|
||||
for i in "$@"; do
|
||||
case $i in
|
||||
TARGET_PRODUCT=*)
|
||||
|
Reference in New Issue
Block a user