fixup! Work in progress

Fixes #23356: Add PoC SBOM tooling

ci/rust.sh

@@ -20,5 +20,5 @@ mv cargo-deny-$DENY_VER-x86_64-unknown-linux-musl/cargo-deny /usr/local/bin/
 
 # Build & check tools
 cargo install --locked cargo-vet@0.8.0
-cargo install --locked cargo-auditable@0.6.1
-cargo install --locked cargo-cyclonedx@0.4.1
+cargo install --locked cargo-auditable@0.6.2
+cargo install --locked cargo-cyclonedx@0.5.0

sbom/sbom.sh

@@ -8,29 +8,18 @@ export LANG=C
 
 # TODO faire du README une doc supply-chain de Rudder
 
-# splitter par package (server, relay, agent-windows)
-
 # FXIME : version des outils Rust comme dans les sources
 
-# Layout du repo ???
-
-# sources/
-
-# sbom/
-#   8.0.4/
-#     spdx/
-#     cyclonedx/
-
 # Should we work on private repositories
 PRIVATE="false"
-# Should we try to update/clone repos?
-OFFLINE="false"
 # Should we sign resulting SBOM files?
 SIGN="false"
 # Target, in the X.Y.Z form for Rudder main components
 VERSION=""
 
-while getopts 'phosv:' opt; do
+MAVEN_CYCLONEDX_VER="2.7.11"
+
+while getopts 'phsv:' opt; do
   case "$opt" in
     p)
       PRIVATE="true"
@@ -41,9 +30,6 @@ while getopts 'phosv:' opt; do
     s)
       SIGN="true"
       ;;
-    o)
-      OFFLINE="true"
-      ;;
     *)
       echo "Usage: $(basename $0) [-p] [-v VERSION]"
       exit 1
@@ -60,64 +46,75 @@ export VERSION
 
 checkout() {
   repo="$1"
-  tag="$2"
-  if [ ! -d "${repo}" ] && [ "${OFFLINE}" = "false" ]; then
+  version="$2"
+  if [ ! -d "${repo}" ]; then
     git clone "https://github.com/Normation/${repo}.git"
   fi
   cd "${repo}"
-  if [ "${OFFLINE}" = "false" ]; then
-    git fetch
-  fi
+  git fetch
+  [ -f "init-repo.sh" ] && ./init-repo.sh
+  # handle retag, take latest
+  tag=$(git tag | grep "${version}" | sort | tail -n1)
+  [ -z "${tag}" ] && tag="${version}"
   git checkout "$tag"
+  git reset --hard
+  # like in sources
+  find . -name "Cargo\.*" -exec sed -i "s/version = \"0.0.0-dev\"/version = \"${version}\"/" {} \;
   cd -
 }
 
-# Main, i.e. non-plugin parts
-main_repos() {
-  rm -rf sbom
-  mkdir sbom
+server() {
   checkout rudder "${VERSION}"
 
   # maven (Scala/Java)
-  mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom --file rudder/webapp/sources/pom.xml
-  mv rudder/webapp/sources/target/bom.json sbom/backend.json
+  mvn "org.cyclonedx:cyclonedx-maven-plugin:${MAVEN_CYCLONEDX_VER}:makeAggregateBom" --file rudder/webapp/sources/pom.xml
+  mv rudder/webapp/sources/target/bom.json target/tmp_server-backend.json
 
   # npm (JS)
   cd rudder/webapp/sources/rudder/rudder-web/src/main/
   npm_config_loglevel=error npm ci --no-audit
   npx makebom . -o bom.json
   cd -
-  mv rudder/webapp/sources/rudder/rudder-web/src/main/bom.json sbom/frontend.json
+  mv rudder/webapp/sources/rudder/rudder-web/src/main/bom.json target/tmp_server-frontend.json
 
   # cargo (Rust)
-  cargo cyclonedx --all --format json --manifest-path rudder/relay/sources/relayd/Cargo.toml
-  mv rudder/relay/sources/relayd/bom.json sbom/relayd.json
   cargo cyclonedx --all --format json --manifest-path rudder/policies/rudderc/Cargo.toml
-  mv rudder/policies/rudderc/bom.json sbom/rudderc.json
+  mv rudder/policies/rudderc/rudderc.cdx.json target/tmp_server-rudderc.json
 
+  # Aggregate everything
+  cyclonedx merge --input-files target/tmp_server-*.json --output-file "target/rudder-server-${VERSION}.cdx.json"
+  rm -f target/tmp_*
+}
+
+relay() {
+  checkout rudder "${VERSION}"
+  cargo cyclonedx --all --format json --manifest-path rudder/relay/sources/relayd/Cargo.toml
+  mv rudder/relay/sources/relayd/rudder-relayd.cdx.json "target/rudder-relay-${VERSION}.cdx.json"
+}
+
+agent_windows() {
   if [ "${PRIVATE}" = "true" ]; then
     checkout rudder-agent-windows "${VERSION}"
     # dotnet (F#)
-    dotnet CycloneDX --exclude-dev --json rudder-agent-windows/common/initial-policy/ncf/rudderLib/rudderLib.sln --out sbom --filename windows.json
+    dotnet CycloneDX --exclude-dev --json rudder-agent-windows/common/initial-policy/ncf/rudderLib/rudderLib.sln --filename "target/rudder-agent-windows-${VERSION}.cdx.json"
   fi
-
-  # Aggregate everything
-  cyclonedx merge --input-files sbom/*.json --output-file "rudder-${VERSION}.cdx.json"
 }
 
 plugin_repo() {
   repo="$1"
   checkout "${repo}" "master"
-  tags=$(git -C rudder-plugins tag | grep -E "^[a-z-]+-${VERSION}-.*")
+  tags=$(git -C "${repo}" tag | grep -E "^[a-z-]+-${VERSION}-.*")
   for tag in ${tags}; do
     checkout "${repo}" "${tag}"
     plugin=$(echo "${tag}" | sed -E "s/^([a-z-]+)-${VERSION}-.*\$/\1/")
     cd "${repo}/${plugin}"
     # Only work on webapp plugins
     if [ -f pom-template.xml ]; then
-      make -d generate-pom
-      mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom --file pom.xml
-      mv target/bom.json "../../rudder-${tag}.cdx.json"
+      ## [ -f main-build.conf ] && echo '.' || echo '..'
+      pwd
+      make MAIN_BUILD="../main-build.conf" generate-pom
+      mvn "org.cyclonedx:cyclonedx-maven-plugin:${MAVEN_CYCLONEDX_VER}:makeAggregateBom" --file pom.xml
+      mv target/bom.json "../../target/rudder-${tag}.cdx.json"
     fi
     cd -
   done
@@ -131,12 +128,17 @@ finish_sbom() {
   if [ "${SIGN}" = "true" ]; then
     cyclonedx sign bom "${file}.cdx.xml"
   fi
-  # Compress
-  xz rudder-*.json
 }
 
 
-main_repos
+rm -rf target rudder-sbom-*
+mkdir target
+server
+relay
 plugin_repo "rudder-plugins"
-plugin_repo "rudder-plugins-private"
-
+if [ "${PRIVATE}" = "true" ]; then
+  plugin_repo "rudder-plugins-private"
+  agent_windows
+fi
+mv target "rudder-sbom-${VERSION}"
+tar -cf "rudder-sbom-${VERSION}.tar.xz" "rudder-sbom-${VERSION}"