T8542: Add functionality to generate SBOM file from ISO image #1164
asklymenko wants to merge 6 commits into current
Conversation
Use the Syft util to generate SBOM files in both CycloneDX and SPDX format. This process includes creating a transfer disk to copy the Syft util from the host machine and copy the scan results back to the host machine.
Add make_sbom target to Makefile.
Pull request overview
Adds a new workflow to generate SBOM artifacts (CycloneDX JSON + SPDX JSON) for a built VyOS ISO by booting/installing it in QEMU and running Syft inside the VM, then copying results back to the host via a temporary “transfer disk”.
Changes:
- Extend scripts/check-qemu-install with --sbom/--sbom-output-dir and implement transfer-disk creation, Syft download, in-VM SBOM generation, and host extraction.
- Extend QEMU launch command generation to optionally attach the transfer disk.
- Add make_sbom Makefile target to invoke the new SBOM generation flow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| scripts/check-qemu-install | Adds SBOM mode, creates/mounts a transfer disk, downloads Syft, runs SBOM generation in VM, and copies outputs to host. |
| Makefile | Adds make_sbom target to run check-qemu-install in SBOM mode with optional output directory. |
| log.info('Downloading syft to transfer disk') | ||
| subprocess.check_call( | ||
| f'curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b {setup_mount}', | ||
| shell=True | ||
| ) |
The host downloads Syft using curl ... | sh from the main branch. This is a supply-chain risk and is non-reproducible (the script can change at any time), and shell=True also increases risk unnecessarily. Prefer pinning an explicit Syft release version (and ideally verifying checksum/signature) and invoking the installer without a shell pipeline (or vendoring the binary as a build dependency).
Exclude the transfer directory from scan.
Apply quoting to the passed variable. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Apply suggestion, add validation that the Syft binary was copied with success. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Add additional validation step to ensure that the transfer drive is unmounted successfully. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
CI integration: passed
Change summary
This change adds functionality to run the Syft utility to generate SBOM files in 2 formats (CycloneDX and SPDX).
It also adds functionality to create and mount an additional drive to transfer the Syft util from host machine to the VM and also to transfer the generated files back on the host machine.
The process is similar to our smoketests execution process. The following command could be used to start the SBOM generation process:
sudo make make_sbom
or
sudo make make_sbom SBOM_OUTPUT_DIR=/home/vyos_bld
In the second case we specify the directory to copy the output files to. If this parameter is not specified the build output will be stored in the same directory the process was executed from.
Example of the scan artifacts:
vyos-2026.04.20-0035-rolling-generic-amd64.iso.cdx.json
vyos-2026.04.20-0035-rolling-generic-amd64.iso.spdx.json
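Added example, not code from this PR or from vyos-build: the shape of a pinned, checksum-verified Syft fetch that the review comment on the `curl ... | sh` line asks for, together with the two-format in-VM scan the change summary describes. Everything here is an assumption made for illustration: `SYFT_VERSION` is a placeholder pin, the release asset names (`syft_<ver>_linux_amd64.tar.gz`, `syft_<ver>_checksums.txt`), the `--exclude` glob and the `-o cyclonedx-json=/-o spdx-json=` output flags are how the author of this example understands Syft's releases and CLI, not facts taken from the PR. `install_syft()` needs network and is not exercised by `self_check()`, which runs on constructed files only.

```python
import hashlib
import hmac
import pathlib
import subprocess
import tempfile

# Hypothetical pin: replace with the Syft release tag you have reviewed.
SYFT_VERSION = "1.0.0"
SYFT_RELEASES = "https://github.com/anchore/syft/releases/download"


def syft_asset_names(version: str, os_name: str = "linux", arch: str = "amd64"):
    """Archive and checksums-file names, following the Syft release asset
    naming assumed here: syft_<ver>_<os>_<arch>.tar.gz, syft_<ver>_checksums.txt."""
    return (f"syft_{version}_{os_name}_{arch}.tar.gz",
            f"syft_{version}_checksums.txt")


def download_cmd(url: str, dest) -> list:
    """curl argv for one file: no shell, no pipeline into sh, so a destination
    path containing spaces stays a single argument."""
    return ["curl", "-sSfL", "--proto", "=https", "-o", str(dest), url]


def expected_sha256(checksums_text: str, asset_name: str) -> str:
    """Look up an asset in a sha256sum-style file ('<hex>  <name>' per line)."""
    for line in checksums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == asset_name:
            return parts[0].lower()
    raise ValueError(f"no checksum entry for {asset_name}")


def sha256_of(path: pathlib.Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_archive(archive: pathlib.Path, checksums: pathlib.Path) -> bool:
    """True only if the archive's digest matches its entry in the checksums file."""
    want = expected_sha256(checksums.read_text(), archive.name)
    return hmac.compare_digest(sha256_of(archive), want)


def install_syft(bindir: pathlib.Path, version: str = SYFT_VERSION) -> pathlib.Path:
    """Fetch the pinned release and its checksums file, refuse on mismatch, and
    extract only the 'syft' binary into bindir (e.g. the transfer-disk mount).
    Needs network; not exercised by self_check()."""
    archive_name, checksums_name = syft_asset_names(version)
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = pathlib.Path(tmp)
        for name in (archive_name, checksums_name):
            url = f"{SYFT_RELEASES}/v{version}/{name}"
            subprocess.check_call(download_cmd(url, tmpdir / name))
        if not verify_archive(tmpdir / archive_name, tmpdir / checksums_name):
            raise RuntimeError("syft archive checksum mismatch; refusing to install")
        subprocess.check_call(
            ["tar", "-xzf", str(tmpdir / archive_name), "-C", str(bindir), "syft"])
    return bindir / "syft"


def sbom_cmd(syft_bin: str, out_dir: str, iso_name: str, transfer_mount: str) -> list:
    """In-VM Syft invocation: both formats in one pass, transfer disk excluded.
    Flag spelling is assumed from Syft 1.x; confirm against `syft scan --help`."""
    return [syft_bin, "scan", "dir:/",
            "--exclude", f"{transfer_mount}/**",
            "-o", f"cyclonedx-json={out_dir}/{iso_name}.cdx.json",
            "-o", f"spdx-json={out_dir}/{iso_name}.spdx.json"]


def self_check() -> tuple:
    """Offline demonstration on constructed files: a genuine archive verifies,
    a copy modified after download does not."""
    archive_name, checksums_name = syft_asset_names(SYFT_VERSION)
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = pathlib.Path(tmp)
        archive = tmpdir / archive_name
        archive.write_bytes(b"constructed stand-in for the release tarball\n")
        (tmpdir / checksums_name).write_text(
            f"{sha256_of(archive)}  {archive_name}\n"
            f"{'0' * 64}  syft_{SYFT_VERSION}_darwin_arm64.tar.gz\n")
        genuine = verify_archive(archive, tmpdir / checksums_name)
        archive.write_bytes(b"constructed stand-in, modified after download\n")
        tampered = verify_archive(archive, tmpdir / checksums_name)
    return genuine, tampered


if __name__ == "__main__":
    print(self_check())  # (True, False)
```

The point of the split is that the host never executes anything it downloaded: it fetches two static files, compares a digest in constant time, and only then unpacks a single named member from the archive onto the transfer disk. The checksums file is served by the same origin as the archive, so this protects against a truncated or substituted download, not against a compromised release; Syft also publishes signatures for that case, which this example does not cover.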