Fix for missing SBOM in the final image installed using ISO image#579

Open
srmungar wants to merge 5 commits into
mainfrom
iso-sbom-fix

Conversation

@srmungar
Contributor

…O image as well.

Merge Checklist

All boxes should be checked before merging the PR

  • The changes in the PR have been built and tested
  • Documentation has been updated to reflect the changes (or no doc update needed)
  • Ready to merge

Description

Any Newly Introduced Dependencies

How Has This Been Tested?

Copilot AI review requested due to automatic review settings May 26, 2026 02:35
@srmungar srmungar requested a review from a team as a code owner May 26, 2026 02:35
@srmungar srmungar changed the title Fixing the code to include SBOM in the final image installed using IS… Fixing for missing SBOM in the final image installed using ISO image May 26, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR updates SBOM generation during image composition so that ISO/live-install flows also end up with an SPDX SBOM embedded in the final filesystem, even when FullPkgListBom isn’t present.

Changes:

  • Switch package DB queries to include package name/version/arch for both RPM and DEB targets.
  • Add a fallback path that constructs a minimal SBOM package list directly from the installed package database when FullPkgListBom is empty.
  • Write the SBOM to a timestamped filename and also publish/copy it to the canonical spdx_manifest.json; SBOM generation/copy failures are now treated as fatal.

Comment on lines 2029 to 2034
pkgType := imageOs.chrootEnv.GetTargetOsPkgType()
sBomFNm := rpmutils.GenerateSPDXFileName(template.GetImageName())
cmd := "rpm -qa"
cmd := "rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n'"
if pkgType == "deb" {
cmd = "dpkg -l | awk '/^ii/ {print $2}'"
cmd = "dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\\n'"
sBomFNm = debutils.GenerateSPDXFileName(template.GetImageName())
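Review bot: `dpkg-query -W` without a status filter lists every package that has an entry in the status database, including packages removed with their configuration files left behind (the `rc` state that the old `dpkg -l | awk '/^ii/'` pipeline excluded), so the fallback SBOM can claim packages that are not actually installed. Add `${db:Status-Status}` to the `-f` format and keep only rows whose status is `installed`, or filter on `${Status}` equal to `install ok installed`. Note also that the unit test case suggested later in this thread still mocks the `dpkg -l | awk` command, so it will not match the `dpkg-query` invocation introduced here.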
Comment thread internal/image/imageos/imageos.go Outdated
Comment on lines +2102 to +2104
URL: manifest.DefaultLicense,
License: manifest.DefaultLicense,
Origin: manifest.DefaultLicense,
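Review bot: `URL` and `Origin` are populated with `manifest.DefaultLicense`, which looks like a copy-paste slip: a license identifier is neither a download location nor an origin, and any SBOM consumer that reads the URL field will receive a license string. Use the default values intended for those fields, or the SPDX `NOASSERTION` value where nothing is known for the package.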
Comment thread internal/image/imageos/imageos.go
@srmungar srmungar changed the title Fixing for missing SBOM in the final image installed using ISO image Fix for missing SBOM in the final image installed using ISO image May 26, 2026
@arodage
Contributor

arodage commented May 27, 2026

…O image as well.

Merge Checklist

All boxes should be checked before merging the PR

  • The changes in the PR have been built and tested
  • Documentation has been updated to reflect the changes (or no doc update needed)
  • Ready to merge

Description

Any Newly Introduced Dependencies

How Has This Been Tested?

Template needs to be filled.


// In live ISO install flows template-dump.yaml does not include FullPkgListBom,
// so build a minimal SBOM package list directly from the installed package DB.
if len(finalPkgs) == 0 {
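Review bot: the `len(finalPkgs) == 0` condition cannot distinguish the ISO case, where FullPkgListBom is legitimately absent, from a RAW build whose package list came back empty by mistake, so a log line at this point stating that a minimal fallback SBOM was built from the installed package DB would make the lower-fidelity document recognisable to consumers and the unexpected case visible in build logs. The unit test requested in this thread should also cover the rpm path, not only deb.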
Contributor

@arodage arodage May 27, 2026


Need to add a unit test for this.

You may add the following to TestGenerateSBOM():

{
    name:    "ISO install fallback - empty FullPkgListBom",
    pkgType: "deb",
    mockCommands: []shell.MockCommand{
        {
            Pattern: `dpkg -l \| awk '/\^ii/ \{print \$2\}'`,
            Output:  "curl\nwget\nvim",
            Error:   nil,
        },
    },
    downloadedPkgs:   nil, // simulates ISO install where FullPkgListBom is empty
    expectError:      false,
    expectedPkgCount: 3, // all 3 installed packages should appear via fallback
},
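As an added example, not code from this PR or its repository: parsing the three-column output that the new `rpm -qa --qf` / `dpkg-query -W -f` commands emit, and building the minimal SPDX package records the fallback branch needs from it. The names ParsePkgList, ToSPDX and SPDXPackage and the sample lines are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// InstalledPkg is one row of the tab-separated output of the PR's queries,
// e.g. rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n' (dpkg-query alike).
type InstalledPkg struct{ Name, Version, Arch string }
// ParsePkgList parses that output. A malformed line is an error rather than
// being skipped, so a truncated package DB cannot silently shrink the SBOM.
func ParsePkgList(out string) ([]InstalledPkg, error) {
	var pkgs []InstalledPkg
	for i, line := range strings.Split(out, "\n") {
		if strings.TrimSpace(line) == "" {
			continue // trailing newline from the query
		}
		f := strings.Split(line, "\t")
		if len(f) != 3 || f[0] == "" {
			return nil, fmt.Errorf("line %d: want NAME<tab>VERSION<tab>ARCH, got %q", i+1, line)
		}
		pkgs = append(pkgs, InstalledPkg{Name: f[0], Version: f[1], Arch: f[2]})
	}
	return pkgs, nil
}

// SPDXPackage is the minimal SPDX 2.x package record the fallback could emit.
type SPDXPackage struct {
	SPDXID, Name, VersionInfo, DownloadLocation, LicenseConcluded string
}

// SPDX allows only letters, digits, '.' and '-' in an SPDXID; names such as
// libstdc++6 must be sanitised or the document fails validation.
var spdxIDRe = regexp.MustCompile(`[^A-Za-z0-9.-]`)
// ToSPDX builds one record per package. Unknown fields get the SPDX value
// NOASSERTION rather than an unrelated default such as a license string.
func ToSPDX(pkgs []InstalledPkg) []SPDXPackage {
	out := make([]SPDXPackage, 0, len(pkgs))
	for _, p := range pkgs {
		id := spdxIDRe.ReplaceAllString(p.Name+"-"+p.Arch, "-")
		out = append(out, SPDXPackage{
			SPDXID: "SPDXRef-Package-" + id, Name: p.Name, VersionInfo: p.Version,
			DownloadLocation: "NOASSERTION", LicenseConcluded: "NOASSERTION",
		})
	}
	return out
}
```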

rpandya28 and others added 3 commits May 27, 2026 08:32
generateSBOM() was only called from InstallImageOs (RAW/disk builds).
ISO builds go through InstallInitrd, so spdx_manifest.json was never
written to tmp/ — causing CopySBOMToImageBuildDir and CopySBOMToChroot
to warn 'SBOM file not found' and skip the copy.

Add a generateSBOM() call at the end of InstallInitrd, after
postImageOsInstall, so ISO and initrd image builds also produce the
SBOM file before isomaker/initrdmaker try to copy it.