Merge kernel and zfs SBOM with eve SBOM
This is a workaround for a Linuxkit limitation. Currently Linuxkit ignores
*.spdx.json files in the kernel container, so the kernel SBOM is not part of
the final SBOM.

In the near future the SBOM for any container will be part of the image
metadata, and manual steps to run syft won't be required.

Signed-off-by: Mikhail Malyshev <[email protected]>
rucoder authored and eriknordmark committed Nov 11, 2023
1 parent ffe54d0 commit 8e2bdcb
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion Makefile
@@ -664,7 +664,11 @@ $(SBOM): $(ROOTFS_TAR) | $(INSTALLER)
# this all can go away, and we can read the rootfs.tar
# see https://github.com/anchore/syft/issues/1400
tar xf $< -C $(TMP_ROOTDIR) --exclude "dev/*"
# kernel-sbom.spdx.json is now generated in eve-kernel repo and extracted from kernel docker image into rootfs by linuxkit
# kernel-*.spdx.json are now generated in eve-kernel repo and are stored in docker image.
# Manually extract them to unpacked rootfs.
# Later linuxkit will get a support for SBOM in OCI metadata and this step as well as manual run of
# syft will be deprecated
docker export $(shell docker create $(KERNEL_TAG) create) | tar xv -C $(TMP_ROOTDIR) --wildcards --no-anchored '*.spdx.json'
docker run -v $(TMP_ROOTDIR):/rootdir:ro -v $(CURDIR)/.syft.yaml:/syft.yaml:ro $(SYFT_IMAGE) -c /syft.yaml --base-path /rootdir /rootdir > $@
rm -rf $(TMP_ROOTDIR)
$(QUIET): $@: Succeeded
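Review bot: the container created by `docker create $(KERNEL_TAG) create` in the new `docker export` line is never removed, so every SBOM build leaves a stopped container behind; capture the id (e.g. `CID=$$(docker create $(KERNEL_TAG))`, then `docker export $$CID | tar ... ; docker rm $$CID`) so the extraction cleans up after itself. The trailing `create` argument after `$(KERNEL_TAG)` is also passed as the container's command; since `docker export` never starts the container it is harmless, but it reads like a leftover and should be dropped. Two smaller points: the `--wildcards --no-anchored '*.spdx.json'` pattern extracts any SPDX file from anywhere in the kernel image into the unpacked rootfs, while the comment says only `kernel-*.spdx.json` is expected, so either narrow the pattern or document why the broad match is intended; and `$(KERNEL_TAG)` is a mutable tag, so the SBOM merged here is only as trustworthy as whatever that tag resolves to at build time, which is worth a note in the comment given this is a supply-chain artifact.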
