AlmaLinux OS SBOM data management utilities
These utilities consist in:
- AlmaLinux SBOM CLI: This utility is used to create SBOM records for artifacts created with the AlmaLinux Build System. It generates SBOM records for Builds and Packages.
- AlmaLinux Git Notarization Tool: This utility allows to manually notarize AlmaLinux git sources using the ImmudbWrapper.
Requirements
- python >= 3.9
- requests >= 2.20.0
- dataclasses >= 0.8
- cyclonedx-python-lib >= 2.7.1
- packageurl-python >= 0.10.3
- GitPython == 3.1.29
- immudb_wrapper >= 0.1.4
Getting started
- Create a Python Virtual Environment:
python3.9 -m venv env
- Activate the Virtual Environment:
source env/bin/activate
- Install dependencies:
pip install .
Using the AlmaLinux SBOM CLI
The AlmaLinux OS SBOM CLI accepts the following arguments:
- output-file: The file you want to save the generated SBOM to. If not provided, the resulting SBOM is printed to stdout
- file-format: The SBOM type and file format you want to generate. Either CycloneDX or SPDX, although right now we only support the CycloneDX format. The output format you want to use, either JSON or XML
- build-id: The Build id you want to generate the SBOM for
- rpm-package-hash: The Immudb hash of the package you want to generate the SBOM for
- albs-url: The URL of the AlmaLinux Build System, if different from the production one, https://build.almalinux.org
- immudb-username: The immudb username, could be provided either by setting the environmental variable or by using this option, by default uses value from ImmudbWrapper module
- immudb-password: The immudb password, could be provided either by setting the environmental variable or by using this option, by default uses value from ImmudbWrapper module
- immudb-database: The immudb database name, could be provided either by setting the environmental variable or by using this option, by default uses value from ImmudbWrapper module
- immudb-address: The immudb host address, could be provided either by setting the environmental variable or by using this option, by default uses value from ImmudbWrapper module
- immudb-public-key-file: (Optional) Path of the public key to use for authenticating requests, must be provided either by setting the environmental variable or by using this option
Note that you have to either provide a build-id or an rpm-package-hash
Creating an SBOM of a Build in JSON format
python alma_sbom.py --file-format cyclonedx-json --build-id 4372
Creating an SBOM of a package in XML format
python alma_sbom.py --file-format cyclonedx-xml --rpm-package-hash b00d871e204ca8cbcae72c37c53ab984fdadc3846c91fb35c315335adfe0699b
Using the AlmaLinux Git Notarization Tool
When importing git sources from CentOS, these are notarizared using Immudb, however, there are corner cases where these sources can't be notarized.
For this reason, this tool has been created in order to allow AlmaLinux developers to manually notarize AlmaLinux sources that couldn't be notarized at import time.
To summarize what the tool does:
- It checks whether an AlmaLinux git source's commit has a git tag assigned according to the AlmaLinux tagging conventions
- If this tag is "modified" according to the AlmaLinux tagging conventions, then the tool will try to find a matching tag in a corresponding upstream tag
- If the matching tag is found, the tool will authenticate its commit and take its Immudb hash if found. This hash will be added as an attribute of an AlmaLinux source Immudb record
- If the matching tag/commit is not notarized, the tool can notarize it and then use that hash as an attribute when notarizing the AlmaLinux source
- If no upstream matching tag can be found, the tool allows notarizing the AlmaLinux source without having a notarized upstream corresponding tag
The AlmaLinux Git Notarization Tool accepts the following arguments:
- immudb-username: The immudb username, must be provided either by setting the environmental variable or by using this option to notarize sources
- immudb-password: The immudb password, must be provided either by setting the environmental variable or by using this option to notarize sources
- immudb-database: The immudb database name, could be provided either by setting the environmental variable or by using this option, by default uses value from ImmudbWrapper module
- immudb-address: The immudb host address, could be provided either by setting the environmental variable or by using this option, by default uses value from ImmudbWrapper module
- immudb-public-key-file: (Optional) Path of the public key to use for authenticating requests, must be provided either by setting the environmental variable or by using this option
- local-git-repo: The path to a local AlmaLinux git source repository. If not provided, uses the current working directory
- notarize-without-upstream-hash: Use this option if you want to force the notarization of an AlmaLinux commit even when there's no matched upstream tag
- notarize-upstream-tag: Use this option if you want to force the notarization of an upstream tag before notarizing an AlmaLinux source
- notarize-without-imported-source-notarization: Use this option if you want to force the notarization of an upstream tag without an imported source notarization
- debug: This option will make the tool to display debug information while running, which could be useful when diagnosing a problem in the tool
There are no mandatory arguments to pass (unless strictly required to force a notarization), if you are currently in a local clone of an AlmaLinux source, you can run python /path/to/git_notarize.py.
If you want to specify the folder, you should run python /path/to/git_notarize.py --local-git-repo <path to local copy of a git repo>.
Note that this tool is meant for AlmaLinux developers that have write permissions into git.almalinux.org and that have the AlmaLinux Immudb credentials required to notarize artifacts on behalf of AlmaLinux
Contributing to Alma SBOM
Any question? Found a bug? File an issue.
Do you want to contribute with source code?
- Fork the repository on GitHub
- Create a new feature branch
- Write your change
- Submit a pull request