[Bug 2077105] Re: cloud-images do not produce sboms
Cody Shepherd
2077105 at bugs.launchpad.net
Thu Nov 7 15:17:06 UTC 2024
> Does the solution to this bug include making the SBOMs public @
> https://cloud-images.ubuntu.com/ ?
Not exactly. The plan is for SBOMs to be available at the org level for
a variety of artifacts as part of the 25.04 cycle. So SBOMs for cloud
images would be gotten from the same place that e.g. SBOMs for charms
would be gotten. That place would not be cloud-images.ubuntu.com.
--
https://bugs.launchpad.net/bugs/2077105
Title:
cloud-images do not produce sboms
Status in cloud-images:
In Progress
Status in livecd-rootfs package in Ubuntu:
New
Status in livecd-rootfs source package in Focal:
Fix Released
Status in livecd-rootfs source package in Jammy:
Fix Released
Status in livecd-rootfs source package in Noble:
Fix Released
Bug description:
Cloud images are not currently producing SPDX-formatted SBOMs consistently.
Some builds do produce SBOMs continuously.
All cloud images must produce SBOMs, across all suites and products.
# REQUIREMENTS #
* Current calls to create_manifest in livecd-rootfs/live-build/functions must not break
* SBOM generation must only be done for the ubuntu-cpc project.
# IMPACT #
* will only affect `ubuntu-cpc` project
* will add the creation of a new file
* the SBOM requirement is part of Canonical's SSDLC efforts as well as partner contracts (multiple partners require SBOMs for each generated artifact)
# TEST PLAN #
* test all ubuntu-cpc-only livecd-rootfs hooks and series; ensure that an SPDX-formatted SBOM, manifest, and filelist are generated and saved
* test a non-ubuntu-cpc hook and make sure that nothing is generated (check for calls to create_manifest; if they aren't even calling it, then it's safe)
* test private ubuntu-cpc hooks; ensure that current calls to create_manifest are not broken
* test buildd builds to ensure no manifest is generated and no error is raised.
# POSSIBLE REGRESSIONS / WHERE PROBLEMS COULD OCCUR #
* any hook calling create_manifest is at risk if there is an issue with create_manifest
* outside CPC-specific hooks, the only build calling create_manifest is `buildd`. However, this is not in the `ubuntu-cpc` project, so it should skip the SBOM generation.
* any build where access to the snapstore is restricted, as SBOM generation requires a snap
* NOTE: Launchpad livefs builds have access to the snapstore
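The requirement above (SBOM generation gated on the ubuntu-cpc project, with existing create_manifest callers such as buildd unaffected) and the test plan's checks (an SPDX-formatted SBOM is written and covers the manifest; nothing is written for other projects) can be exercised with a small shell harness. The following is an added example, not livecd-rootfs code: `write_sbom_if_cpc` is a hypothetical stand-in for the snap-based generator, the manifest format (one `package<TAB>version` line per package) and the `PROJECT` value passed as the first argument are assumptions, and the sample manifest is constructed for the example.

```shell
#!/bin/bash
# Added example harness (not livecd-rootfs code). Exercises the requirement that
# SBOM generation happens only for ubuntu-cpc, and checks that the resulting
# SPDX tag-value SBOM covers every package listed in the manifest.

# Constructed sample manifest in the assumed "package<TAB>version" format.
sample_manifest() {
    printf 'base-files\t13ubuntu10\n'
    printf 'libc6\t2.39-0ubuntu8\n'
    printf 'openssl\t3.0.13-0ubuntu3\n'
}

# Hypothetical gated generator: $1 = project, $2 = manifest path, $3 = output path.
# Only ubuntu-cpc produces an SBOM; any other project (e.g. buildd) writes nothing
# and returns 0, so existing create_manifest callers keep working. The real
# implementation uses a snap; this writes a minimal SPDX 2.3 tag-value document.
write_sbom_if_cpc() {
    local project=$1 manifest=$2 out=$3 name
    [ "$project" = "ubuntu-cpc" ] || return 0
    name=$(basename "$manifest")
    {
        printf 'SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n'
        printf 'DocumentName: %s\n' "$name"
        printf 'DocumentNamespace: https://example.invalid/spdx/%s\n' "$name"   # placeholder namespace
        printf 'Creator: Tool: write_sbom_if_cpc-example\nCreated: 2024-11-07T00:00:00Z\n'
        # One SPDX package per manifest line; the SPDXID is derived from the line number.
        awk -F'\t' '{
            printf "\nPackageName: %s\nSPDXID: SPDXRef-Package-%d\nPackageVersion: %s\nPackageDownloadLocation: NOASSERTION\n", $1, NR, $2
        }' "$manifest"
    } > "$out"
}

# Returns 0 if $1 has an SPDX 2.x version header and at least one package.
sbom_is_spdx() {
    grep -q '^SPDXVersion: SPDX-2\.' "$1" && grep -q '^PackageName: ' "$1"
}

# Prints "name<TAB>version" for every package in the SPDX tag-value SBOM at $1.
sbom_packages() {
    awk '
        /^PackageName: /    { name = substr($0, 14) }
        /^PackageVersion: / { print name "\t" substr($0, 17) }
    ' "$1"
}

# Prints the number of packages in the SBOM at $1.
sbom_package_count() {
    sbom_packages "$1" | awk 'END { print NR + 0 }'
}

# Returns 0 if every manifest entry ($1) appears with the same version in the
# SBOM ($2); otherwise lists the missing entries on stderr and returns 1.
sbom_covers_manifest() {
    local have missing
    have=$(mktemp)
    sbom_packages "$2" | sort > "$have"
    # Lines of the manifest that are not exact (fixed-string) matches in the SBOM.
    missing=$(sort "$1" | grep -Fxv -f "$have" || true)
    rm -f "$have"
    if [ -n "$missing" ]; then
        printf 'missing from SBOM:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}
```

Usage: write `sample_manifest` to a file, call `write_sbom_if_cpc ubuntu-cpc manifest sbom.spdx` and then `sbom_is_spdx sbom.spdx && sbom_covers_manifest manifest sbom.spdx`; calling `write_sbom_if_cpc buildd manifest out` must leave `out` absent and still exit 0. The coverage check deliberately compares name and version together, so a rebuilt image whose manifest has moved on while the SBOM was not regenerated fails the check rather than passing on package names alone.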
More information about the foundations-bugs mailing list