build: generate spdx.json, not "tag value" format

Generates .spdx.json files in SPDX-json format instead of tag/value. This appears to be more machine friendly. Use jq with "null" input and \(env.<environment-variable-name>) string interpolation in templates. Move all this to a new ./sbom/ subdirectory.
LINBIT · Aug 29, 2024 · ca35897 · ca35897
1 parent c4dd27c
commit ca35897
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 70 deletions.
diff --git a/Makefile b/Makefile
@@ -92,6 +92,8 @@ ifndef FDIST_VERSION
 FDIST_VERSION := $(DIST_VERSION)
 endif
 
+export REL_VERSION FDIST_VERSION
+
 all: module tools
 
 .PHONY: all tools module
@@ -189,76 +191,15 @@ drbd/.drbd_git_revision: FORCE
 	@echo >&2 "Need a git checkout to regenerate $@"; test -s $@
 endif
 
-export define SPDX_TEMPLATE
-SPDXVersion: SPDX-2.3
-DataLicense: CC0-1.0
-SPDXID: SPDXRef-DOCUMENT
-DocumentName: drbd kernel module SBOM (software bill of materials)
-DocumentNamespace: https://linbit.org/spdx-docs/drbd-kmod-$(SPDX_VERSION)-$(SPDX_UUID)
-Creator: Person: Philipp Reisner ([email protected])
-Created: $(SPDX_DATE)
-
-PackageName: $(SPDX_PKG_NAME)
-SPDXID: SPDXRef-Package-$(SPDX_PKG_NAME)
-PackageVersion: $(SPDX_VERSION)
-PackageSupplier: Organization: LINBIT HA-Solutions GmbH
-PackageDownloadLocation: https://github.com/LINBIT/drbd
-FilesAnalyzed: false
-PackageLicenseDeclared: GPL-2.0-only
-PackageCopyrightText: <text>2001-2008, LINBIT Information Technologies GmbH
-2008-$(SPDX_YEAR), LINBIT HA-Solutions GmbH</text>
-Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-$(SPDX_PKG_NAME)
-endef
-
-# only call this wrapper from drbd-kmod_{sles,rhel}.spdx
-.PHONY: spdx-file
-spdx-file:
-	@echo "$$SPDX_TEMPLATE" > $(SPDX_FILE_TMP)
-
-.PHONY: drbd-kmod_rhel.spdx drbd-kmod_sles.spdx
-drbd-kmod_rhel.spdx drbd-kmod_sles.spdx:
-	@set -e; ( truncate -s0 $@.tmp; \
-		SPDX_DATE="$$(date --utc +%FT%TZ)"; \
-		SPDX_UUID="$$(cat /proc/sys/kernel/random/uuid)"; \
-		SPDX_VERSION="$(REL_VERSION)"; \
-		SPDX_YEAR="$$(date --utc +%Y)"; \
-		case "$@" in \
-			drbd-kmod_rhel.spdx) SPDX_PKG_NAME=kmod-drbd;; \
-			drbd-kmod_sles.spdx) SPDX_PKG_NAME=drbd-kmp-default;; \
-			*) false;; \
-		esac; \
-		test -n "$$SPDX_TEMPLATE"; \
-		test -n "$$SPDX_DATE"; \
-		test -n "$$SPDX_UUID"; \
-		test -n "$$SPDX_VERSION"; \
-		test -n "$$SPDX_YEAR"; \
-		$(MAKE) spdx-file SPDX_UUID="$$SPDX_UUID" \
-			SPDX_DATE="$$SPDX_DATE" \
-			SPDX_FILE_TMP="$@.tmp" \
-			SPDX_PKG_NAME="$$SPDX_PKG_NAME" \
-			SPDX_VERSION="$$SPDX_VERSION" \
-			SPDX_YEAR="$$SPDX_YEAR"; \
-		mv $@.tmp $@; )
-
-# only call this wrapper from drbd-kmod.cdx.json
-.PHONY: cdx-sub
-cdx-sub:
-	cat $(CDX_FILE).in | jq --args '.metadata.timestamp = "$(CDX_DATE)" | .metadata.component.version = "$(FDIST_VERSION)" | .metadata.component."bom-ref" = "$(PURL)" | .metadata.component.purl = "$(PURL)"' > $(CDX_FILE)
-
-.PHONY: drbd-kmod.cdx.json
-drbd-kmod.cdx.json:
-	$(MAKE) -s cdx-sub CDX_DATE="$$(date --utc +%FT%TZ)" PURL="pkg:github/LINBIT/drbd@drbd-$(FDIST_VERSION)" CDX_FILE="$@"
-	! grep -q __PLACEHOLDER__ $@
-
 # update of .filelist is forced:
 .fdist_version: FORCE
 	@test -s $@ && test "$$(cat $@)" = "$(FDIST_VERSION)" || echo "$(FDIST_VERSION)" > $@
 
 .filelist: .fdist_version FORCE
 	@$(GIT) ls-files --recurse -- ':!:.git*' $(if $(PRESERVE_DEBIAN),,':!:debian') > $@.new
+	@test -s $@.new # assert there is something in .filelist.new now
 	@mkdir -p drbd/drbd-kernel-compat/cocci_cache/
 	@find drbd/drbd-kernel-compat/cocci_cache/ -type f -not -path '*/\.*' >> $@.new
-	@test -s $@.new # assert there is something in .filelist.new now
 	@mv $@.new $@
 	@echo "./.filelist updated."
 
@@ -273,9 +214,10 @@ drbd-kmod.cdx.json:
 comma := ,
 backslash_comma := \,
 escape_comma = $(subst $(comma),$(backslash_comma),$(1))
-tgz-extra-files := \
-	.fdist_version drbd/.drbd_git_revision .filelist \
-	drbd-kmod_rhel.spdx drbd-kmod_sles.spdx drbd-kmod.cdx.json
+tgz-extra-files := .fdist_version drbd/.drbd_git_revision .filelist
+tgz-extra-files += sbom/drbd-kmod_rhel.spdx.json
+tgz-extra-files += sbom/drbd-kmod_sles.spdx.json
+tgz-extra-files += sbom/drbd-kmod.cdx.json
 tgz:
 	test -s .filelist          # .filelist must be present
 	test -n "$(FDIST_VERSION)" # FDIST_VERSION must be known
@@ -318,7 +260,7 @@ debrelease:
 tarball:
 	$(MAKE) distclean
 	$(MAKE) check-submods check_all_committed drbd/.drbd_git_revision
-	$(MAKE) drbd-kmod_rhel.spdx drbd-kmod_sles.spdx drbd-kmod.cdx.json
+	$(MAKE) -C sbom drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json drbd-kmod.cdx.json
 	$(MAKE) .filelist
 	$(MAKE) tgz
 

diff --git a/sbom/Makefile b/sbom/Makefile
@@ -0,0 +1,24 @@
+
+# we inherit some variables from our "parent" Makefile
+THIS_MAKEFILE := $(lastword $(MAKEFILE_LIST))
+$(foreach v,REL_VERSION FDIST_VERSION,$(if $($(v)),,$(error "Do not use this Makefile ($(THIS_MAKEFILE)) directly! ($(v) missing))))
+
+all: drbd-kmod.cdx.json drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json
+
+export SPDX_VERSION SPDX_DATE SPDX_YEAR SPDX_UUID SPDX_PKG_NAME
+SPDX_VERSION:=$(REL_VERSION)
+SPDX_DATE:=$(shell date --utc +%FT%TZ)
+SPDX_YEAR:=$(firstword $(subst -, ,$(SPDX_DATE)))
+drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json: SPDX_UUID:=$(shell cat /proc/sys/kernel/random/uuid)
+drbd-kmod_rhel.spdx.json: SPDX_PKG_NAME:=kmod-drbd
+drbd-kmod_sles.spdx.json: SPDX_PKG_NAME:=drbd-kmp-default
+drbd-kmod_rhel.spdx.json drbd-kmod_sles.spdx.json: FORCE
+	@rm -f $@; jq -n -f drbd-kmod.spdx.json.in > $@.tmp && mv $@.tmp $@
+
+# uses:
+# SPDX_DATE from above and FDIST_VERSION from parent Makefile
+drbd-kmod.cdx.json: FORCE
+	@rm -f $@; jq -n -f drbd-kmod.cdx.json.in > $@.tmp && mv $@.tmp $@
+
+.PHONY: FORCE
+FORCE:
diff --git a/drbd-kmod.cdx.json.in → sbom/drbd-kmod.cdx.json.in b/drbd-kmod.cdx.json.in → sbom/drbd-kmod.cdx.json.in
@@ -2,7 +2,7 @@
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
   "metadata": {
-    "timestamp": "__PLACEHOLDER__",
+    "timestamp": "\(env.SPDX_DATE)",
     "authors": [
       {
         "name": "Philipp Reisner",
@@ -16,9 +16,9 @@
     "component": {
       "type": "application",
       "name": "kmod-drbd",
-      "version": "__PLACEHOLDER__",
-      "bom-ref": "__PLACEHOLDER__",
-      "purl": "__PLACEHOLDER__",
+      "version": "\(env.FDIST_VERSION)",
+      "bom-ref": "pkg:github/LINBIT/drbd@drbd-\(env.FDIST_VERSION)",
+      "purl": "pkg:github/LINBIT/drbd@drbd-\(env.FDIST_VERSION)",
       "licenses": [
         {
           "licenses": {

diff --git a/sbom/drbd-kmod.spdx.json.in b/sbom/drbd-kmod.spdx.json.in
@@ -0,0 +1,32 @@
+{
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "spdxVersion": "SPDX-2.3",
+  "creationInfo": {
+    "created": "\(env.SPDX_DATE)",
+    "creators": [
+      "Person: Philipp Reisner ([email protected])"
+    ]
+  },
+  "name": "drbd kernel module SBOM (software bill of materials)",
+  "dataLicense": "CC0-1.0",
+  "documentNamespace": "https://linbit.org/spdx-docs/drbd-kmod-\(env.SPDX_VERSION)-\(env.SPDX_UUID)",
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-Package-\(env.SPDX_PKG_NAME)",
+      "copyrightText": "2001-2008, LINBIT Information Technologies GmbH\n2008-\(env.SPDX_YEAR), LINBIT HA-Solutions GmbH",
+      "downloadLocation": "https://github.com/LINBIT/drbd",
+      "filesAnalyzed": false,
+      "licenseDeclared": "GPL-2.0-only",
+      "name": "\(env.SPDX_PKG_NAME)",
+      "supplier": "Organization: LINBIT HA-Solutions GmbH",
+      "versionInfo": "\(env.SPDX_VERSION)"
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relationshipType": "DESCRIBES",
+      "relatedSpdxElement": "SPDXRef-Package-\(env.SPDX_PKG_NAME)"
+    }
+  ]
+}