scripts: modernize SBOM generation and workflow#20303
Conversation
|
Hi @vivekpatani. Thanks for your PR. I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Sample output from a local run > PASSES="modern_sbom" ./scripts/test.sh
Running with --race
Starting at: Mon Jun 30 13:20:59 PDT 2025
'modern_sbom' started at Mon Jun 30 13:20:59 PDT 2025
validating modern SBOM generation...
syft is already installed: 1.27.1
sbomasm is already installed locally
generating modern SBOM files for version dev
generating SPDX SBOM...
✔ Indexed file system .
✔ Cataloged contents 19be9340167c940e8dc3cbae0b85682c19973b77c6f3a30def20c6976b478d0b
├── ✔ Packages [912 packages]
├── ✔ Executables [4 executables]
├── ✔ File metadata [22 locations]
└── ✔ File digests [22 files]
SPDX SBOM generated: /var/folders/6h/5jv5cfs54v72cvvc_pvysdqw0000gn/T/tmp.EUNXl5rXEh/sbom.spdx.json
generating CycloneDX SBOM...
✔ Indexed file system .
✔ Cataloged contents 19be9340167c940e8dc3cbae0b85682c19973b77c6f3a30def20c6976b478d0b
├── ✔ Packages [912 packages]
├── ✔ Executables [4 executables]
├── ✔ File metadata [22 locations]
└── ✔ File digests [22 files]
CycloneDX SBOM generated: /var/folders/6h/5jv5cfs54v72cvvc_pvysdqw0000gn/T/tmp.EUNXl5rXEh/sbom.cdx.json
augmenting SBOM files with enhanced metadata...
augmenting SPDX SBOM...
{"level":"info","ts":1751314862.2400372,"caller":"edit/spdx_edit.go:82","msg":"SPDX error updating supplier: not supported"}
{"level":"info","ts":1751314862.2400792,"caller":"edit/spdx_edit.go:82","msg":"SPDX error updating repository: not supported"}
SPDX SBOM augmented successfully
augmenting CycloneDX SBOM...
CycloneDX SBOM augmented successfully
SBOM augmentation completed successfully
modern SBOM files generated successfully
files created:
- /var/folders/6h/5jv5cfs54v72cvvc_pvysdqw0000gn/T/tmp.EUNXl5rXEh/sbom.spdx.json
- /var/folders/6h/5jv5cfs54v72cvvc_pvysdqw0000gn/T/tmp.EUNXl5rXEh/sbom.cdx.json
validating generated SBOM files...
Validated: /var/folders/6h/5jv5cfs54v72cvvc_pvysdqw0000gn/T/tmp.EUNXl5rXEh/sbom.spdx.json
Validated: /var/folders/6h/5jv5cfs54v72cvvc_pvysdqw0000gn/T/tmp.EUNXl5rXEh/sbom.cdx.json
all SBOM files validated successfully
modern SBOM generation validation PASSED
'modern_sbom' PASSED and completed at Mon Jun 30 13:21:02 PDT 2025
SUCCESS |
jmhbnz
left a comment
There was a problem hiding this comment.
Awesome progress @vivekpatani - thanks for drafting this!
|
/ok-to-test |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted filessee 19 files with indirect coverage changes @@ Coverage Diff @@
## main #20303 +/- ##
==========================================
- Coverage 69.73% 69.70% -0.03%
==========================================
Files 449 449
Lines 38177 38177
==========================================
- Hits 26622 26613 -9
- Misses 10127 10137 +10
+ Partials 1428 1427 -1 Continue to review full report in Codecov by Harness.
🚀 New features to boost your workflow:
|
|
Hello team, gentle bump @jmhbnz @ivanvc @ahrtr @serathius |
ivanvc
left a comment
There was a problem hiding this comment.
Thanks for putting this together, @vivekpatani, great job :)
I ran scripts/generate-modern-sbom.sh v3.6.1 locally, but the output file shows UNKNOWN for our local packages both in sbom.cdx.json and sbom.spdx.json. And in sbom.spdx.json, all the dependencies show NOASSERTION for licenseDeclared and copyrightText (among other fields). I assume this is not the expected behavior, right? Unless I executed them incorrectly.
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions. |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions. |
|
@ivanvc not inline but the response to the above comment:
Sorry it took so long @ahrtr @ivanvc feedback, would be appreciated. |
|
Hello, IIUC, putting syft in
two protobuf versions in one workspace → syft isn't a normal tool. our other tools ( I think the fix would be(?):
As an aside, the govulncheck failure isn't from this PR. govulncheck is installed @latest (scripts/test.sh), and it rolled from v1.3.0 (x-tools v0.44.0) to v1.4.0 (x-tools v0.46.0), which panics on a generic in |
8901a4e to
3f7f457
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ivanvc, vivekpatani The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Pls resolve the workflow pull-etcd-verify failure, thx |
3f7f457 to
48b142d
Compare
|
@ivanvc @ahrtr @serathius I tried to resolve I tried this exactly as suggested first:
Two versions of the same dep in one workspace makes The fix keeps the intent of your guidance (install via go install, version tracked by Dependabot) but moves So: agreed on |
|
/retest |
| package tools | ||
|
|
||
| import ( | ||
| _ "github.com/anchore/syft/cmd/syft" |
There was a problem hiding this comment.
I am curious why not to add this into tools/mod/tools.go? why add a new mod and file?
| - dependency-type: direct | ||
|
|
||
| - package-ecosystem: gomod | ||
| directory: /tools/sbom # syft, kept outside the go workspace |
| # tools/sbom is intentionally outside the workspace: syft pulls in deps | ||
| # that conflict with the workspace-wide versions enforced by verify-dep. |
There was a problem hiding this comment.
This isn't specific to syft, all tools defined in tools/mod have the same "problem". So we may still want to add syft in tools/mod
We should manage all tools in a consistent way. I think we have two options:
either way, we need to add syft into |
|
I was curious why the two BOM files ( For example, Also for github action components such as @vivekpatani can you please resolve this to remove the duplicated items for each dependency? |
Agreed on managing tools consistently. Quick take on the two options:
( cd tools/mod && go get github.com/anchore/syft@v1.45.1 ) && go work edit -go 1.26.3 && go work sync
grep protobuf server/go.mod # now v1.36.12-pre;
For context, tools/sbom as it stands is basically Option 1 scoped to just syft: out of the I'm happy either way. If you'd prefer a single tools module, I'll take Option 1 and validate the tool-resolution and MVS ripples. If the scoped module is acceptable, I'll keep it. What's your preference? @ahrtr @ivanvc |
Good catch, confirmed it. The dir scan catalogs each module separately, so a dep shared by N modules shows up N times. SPDX is 628 packages but only 115 unique name@version (82% redundant), CDX is the same (627 to 114). cobra is 6x, actions/checkout is 6x, and the test-only deps (testify, go-spew, yaml.v3) are 10x since they sit in all 10 modules. Two ways to fix it:
I'm leaning toward (1) for this PR since it's the smaller change and preserves determinism, with (2) as a possible follow-up. Sound good? @ahrtr |
Can you explain why there is a wider blast radius?
I'd defer to you and @ivanvc to work out the best solution. We need to setup the requirement first,
These seem workaround solutions. Does syft have native way to handle this? |
It is the proto toolchain. WT=$(mktemp -d); git worktree add -q --detach "$WT" HEAD
GOWORK=off go -C "$WT/tools/mod" get github.com/anchore/syft@v1.45.1
GOBIN="$WT/bin" GOWORK=off go -C "$WT/tools/mod" install google.golang.org/protobuf/cmd/protoc-gen-go
"$WT/bin/protoc-gen-go" --version # v1.36.11-devel (repo's *.pb.go are stamped v1.36.11)
git worktree remove --force "$WT"
No, we do not need to. Tools are build-time only and never ship, so their deps do not have to match the production modules. That is exactly what makes isolating syft acceptable: its deps conflict with the workspace, but since tool deps are not required to be consistent with production, keeping it out of
No. The BOM should describe what ships, not the build tools, so tool deps are excluded (the script already excludes
Not via a flag. syft has no dedup/merge option, and
The binary scan still captures every shipped dep (grpc, protobuf, bbolt, raft, zap, otel) and drops the test-only and CI deps that do not ship. |
OK.
Wouldn't that have the platform-dependent problem introduced at build time due to build tag such as I see jq is recommended in anchore/syft#4324 (comment), so I am not against your previous proposal of using jq. |
about the platform bit, pinning the build ( But your second point is a valid concern, a binary scan drops the test/e2e deps ( Comparison and raw list are in the gist. |
|
/retest |
1 similar comment
|
/retest |
- syft scans the source tree (dir:.) and emits SPDX and CycloneDX SBOMs - jq collapses syft's per-module duplicate packages to one entry per purl, repointing SPDX relationships and CycloneDX dependencies - jq augments document metadata and normalizes etcd module versions so the committed SBOMs change only when dependencies change Dependabot); its dependency set conflicts with the workspace - make verify-modern-sbom / fix-modern-sbom to check and regenerate - address: etcd-io#18902 Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
Is this dedup process something that other projects do? Regarding the issue with the tools directory. I suggested removing I agree that we should have a better way of managing the tools. But maybe rather than introducing a new module in this PR. Could we just accept installing the tool with a fixed version from the script? Adding a new tool pattern may make it more difficult to remove it later. |
jqtransforms add document metadata and fix UNKNOWN versions for local modules.bom_pass): makeverify-modern-sbomdiffs against committed files; makefix-modern-sbomregenerates.