[vigiles.bbclass] Add components to make SBOM NTIA minimum elements c…

…ompliant - add dependencies as individual packages in SBOM - add a comment indicating the package is "Dependency only" and the type of dependency - add component_type list indicating package is a runtime and/or build and/or component - bump manifest version to 1.17
TimesysGit · Jun 15, 2023 · 0d8b5ac · 0d8b5ac
1 parent 5f8a056
commit 0d8b5ac
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 25 deletions.
diff --git a/classes/vigiles.bbclass b/classes/vigiles.bbclass
@@ -185,7 +185,7 @@ python do_collect_runtime_deps() {
                 rdeps.add(dep_pkg)
 
             dep_dict = {
-                'pn': package,
+                'pn': pn,
                 'deps': list(rdeps)
                 }
 
@@ -228,17 +228,6 @@ python do_vigiles_pkg() {
     pn = d.getVar('PN')
     bpn = d.getVar('BPN')
 
-    suffixes = d.getVar('SPECIAL_PKGSUFFIX').split()
-    prefixes = ['nativesdk-']
-    substrings = ['-cross-', '-source-']
-
-    if (pn.endswith(tuple(suffixes)) or
-        pn.startswith(tuple(prefixes)) or
-        any(substr in pn for substr in substrings)):
-        bb.debug(1, "Skipping extended PN %s [ %s ]" % (pn, bpn))
-        return
-    elif pn != bpn:
-        bb.debug(2, "Keeping extended PN %s [ %s ]" % (pn, bpn))
 
     bb.build.exec_func("do_tsmeta_pkgvars", d)
 
@@ -525,11 +514,54 @@ def _get_packages(d, pn_list):
             if not include_closed_license and indict.get(pn, {}).get("license", "").lower() == "closed":
                 continue
             dict_out[pn] = indict.get(pn, {})
+            dict_out[pn]["component_type"] = ["component"]
     return dict_out
 
 def vigiles_image_collect(d):
     from datetime import datetime
 
+    def add_dependencies(key):
+        bdeps = tsmeta_read_dictname(d, "build_deps", key)
+        include_deps_as_pkgs(bdeps.get("deps", []), "build")
+        rdeps = tsmeta_read_dictname(d, "runtime_deps", key)
+        include_deps_as_pkgs(rdeps.get("deps", []), "runtime")
+
+        dict_out['packages'][key].update({
+            'package_supplier': d.getVar('SPDX_SUPPLIER'),
+            'dependencies': {
+                'build': bdeps.get('deps', []),
+                'runtime': rdeps.get('deps', []),
+            },
+
+        })
+
+    def include_deps_as_pkgs(deps, component_type):
+        dependency_only_comment = {
+            "build": "Dependency Only; This component was identified as a build dependency by Vigiles",
+            "runtime": "Dependency Only; This component was identified as a runtime dependency by Vigiles",
+            "build&runtime": "Dependency Only; This component was identified as a build and runtime dependency by Vigiles",
+        }
+        for dep in deps:
+            if dep not in dict_out["packages"].keys():
+                dep_pn = tsmeta_read_dictname(d, f'{component_type}_deps', dep).get("pn", dep)
+                dict_out['packages'][dep] = tsmeta_read_dictname(d, 'cve', dep_pn)
+                dict_out['packages'][dep]["comment"] = dependency_only_comment[component_type]
+                dict_out['packages'][dep]["component_type"] = [component_type]
+                add_dependencies(dep)
+            else:
+                component_type_list = dict_out["packages"][dep].get("component_type", [])
+                if not component_type_list:
+                    continue
+                if component_type and component_type not in component_type_list:
+                    dict_out["packages"][dep]["component_type"].append(component_type)
+                if "component" not in component_type_list:
+                    if "build" in component_type_list and "runtime" in component_type_list:
+                        dict_out['packages'][dep]["comment"] = dependency_only_comment["build&runtime"]
+                    elif "build" in component_type_list:
+                        dict_out['packages'][dep]["comment"] = dependency_only_comment["build"]
+                    elif "runtime" in component_type_list:
+                        dict_out['packages'][dep]["comment"] = dependency_only_comment["runtime"]
+
     sys_dict = vigiles_get_build_dict(d)
 
     backfill_list = d.getVar('VIGILES_BACKFILL', True).split()
@@ -581,20 +613,11 @@ def vigiles_image_collect(d):
     dict_out.update(_get_extra_packages(d))
     _filter_excluded_packages(d, dict_out['packages'])
     # Add package supplier
-    for key in dict_out['packages'].keys():
-        bdep_fpath = tsmeta_get_type_path(d, "build_deps", key)
-        bdeps = tsmeta_read_json(d, bdep_fpath)
+    pkg_list = list(dict_out['packages'].keys())
 
-        rdep_fpath = tsmeta_get_type_path(d, "runtime_deps", key)
-        rdeps = tsmeta_read_json(d, rdep_fpath)
+    for key in pkg_list:
+        add_dependencies(key)
 
-        dict_out['packages'][key].update({
-            'package_supplier': d.getVar('SPDX_SUPPLIER'),
-            'dependencies': {
-                'build': bdeps.get('deps', []),
-                'runtime': rdeps.get('deps', []),
-            },
-        })
     return dict_out
 
 python do_vigiles_image() {

diff --git a/conf/vigiles.conf b/conf/vigiles.conf
@@ -9,7 +9,7 @@
 #
 ###########################################################
 
-VIGILES_MANIFEST_VERSION = "1.16"
+VIGILES_MANIFEST_VERSION = "1.17"
 VIGILES_MANIFEST_NAME_MAX_LENGTH = "256"
 VIGILES_MANIFEST_SUFFIX = "-cve.json"
 VIGILES_REPORT_SUFFIX = "-report.txt"