Fix SBOM generation inconsistency, take 2 #66

damdo · 2023-10-22T10:10:22Z

Builds on top of #65

Fixes #64
by adopting approach 1.

Seems to be working well for all the commands I tested: sbom, update, overwrite (full,gaf).

Testing:

$ make gaf 2>&1 >/dev/null
$ unzip -p /tmp/disk.gaf sbom.json | jq -r '.sbom_hash'
23c08ae3b4c009e179f46fe8e812617771c39d1540042d79c11848015dec86b9

$ make sbom | jq -r '.sbom_hash'
23c08ae3b4c009e179f46fe8e812617771c39d1540042d79c11848015dec86b9

$ make overwrite 2>&1 >/dev/null # creates a full.img
$ make test & # launches a qemu test machine from the full.img at (192.168.64.2)
$ curl -sL -H 'Accept: application/json' "http://gokrazy:[email protected]/" | jq -r '.SBOMHash'
23c08ae3b4c009e179f46fe8e812617771c39d1540042d79c11848015dec86b9

$ make update
$ curl -sL -H 'Accept: application/json' "http://gokrazy:[email protected]/" | jq -r '.SBOMHash'
23c08ae3b4c009e179f46fe8e812617771c39d1540042d79c11848015dec86b9

$ vim config.json
$ git diff config.json
+++ b/config.json
@@ -7,7 +7,8 @@
     },
     "Packages": [
         "github.com/gokrazy/serial-busybox",
-        "github.com/gokrazy/breakglass"
+        "github.com/gokrazy/breakglass",
+        "github.com/gokrazy/hello"

$ make sbom | jq -r '.sbom_hash'
1ab7db66f5b0a0d3253d3e104c0b375e7ae4af7449bae635c7554e0b0b596e21

$ make update
$ curl -sL -H 'Accept: application/json' "http://gokrazy:[email protected]/" | jq -r '.SBOMHash'
1ab7db66f5b0a0d3253d3e104c0b375e7ae4af7449bae635c7554e0b0b596e21

stapelberg

Looks good overall!

internal/gok/overwrite.go

stapelberg · 2023-10-22T11:24:41Z

This breaks tests, though. Can you take a look please?

damdo · 2023-10-22T11:25:43Z

Yes I was just looking at it.
It throws:

gokrpacker_test.go:107: [overwrite --root=root.squashfs --boot=boot.fat]: open /tmp/TestGokrPacker3940063376/001/hello/builddir/github.com/gokrazy/gokrazy/go.mod: no such file or directory

damdo · 2023-10-24T07:14:30Z

@stapelberg The issue was caused by the fact that GenerateSBOM() looks for go.mod files in builddir, which are not populated early in the gok processing for newly created instances.

Thus I changed it slighly by holding an untouched copy of the config file in the pack struct and use that as a reference to GenerateSBOM() later when it is needed.

damdo mentioned this pull request Oct 22, 2023

SBOM inconsistency gok sbom vs gok overwrite/update #64

Closed

stapelberg requested changes Oct 22, 2023

View reviewed changes

internal/gok/overwrite.go Outdated Show resolved Hide resolved

damdo force-pushed the fix-sbom-generation-inconsistency-take-2 branch from 08793d6 to 796b7ff Compare October 22, 2023 11:19

stapelberg approved these changes Oct 22, 2023

View reviewed changes

damdo force-pushed the fix-sbom-generation-inconsistency-take-2 branch 3 times, most recently from a2c4879 to 8e2e11b Compare October 24, 2023 07:01

fix sbom generation inconsistency, take 2

2f08163

damdo force-pushed the fix-sbom-generation-inconsistency-take-2 branch from 8e2e11b to 2f08163 Compare October 24, 2023 07:11

stapelberg approved these changes Oct 25, 2023

View reviewed changes

stapelberg merged commit 1c3069c into gokrazy:main Oct 25, 2023
1 check passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix SBOM generation inconsistency, take 2 #66

Fix SBOM generation inconsistency, take 2 #66

damdo commented Oct 22, 2023 •

edited

Loading

stapelberg left a comment

stapelberg commented Oct 22, 2023

damdo commented Oct 22, 2023

damdo commented Oct 24, 2023

Fix SBOM generation inconsistency, take 2 #66

Fix SBOM generation inconsistency, take 2 #66

Conversation

damdo commented Oct 22, 2023 • edited Loading

stapelberg left a comment

Choose a reason for hiding this comment

stapelberg commented Oct 22, 2023

damdo commented Oct 22, 2023

damdo commented Oct 24, 2023

damdo commented Oct 22, 2023 •

edited

Loading