[Bug 2077105] Re: cloud-images do not produce sboms
Robby Pocase
2077105 at bugs.launchpad.net
Mon Nov 11 12:44:17 UTC 2024
Note that this doesn't preclude individual clouds from providing an
option for pulling this information before the longer-term solution is
available. AWS hasn't decided on how to proceed yet, but I suspect we
may provide an option, e.g. via S3.
https://bugs.launchpad.net/bugs/2077105
Title: cloud-images do not produce sboms
Status in cloud-images: In Progress
Status in livecd-rootfs package in Ubuntu: New
Status in livecd-rootfs source package in Focal: Fix Released
Status in livecd-rootfs source package in Jammy: Fix Released
Status in livecd-rootfs source package in Noble: Fix Released
Bug description:
Cloud images are not currently producing SPDX-formatted SBOMs equally.
Some builds do produce SBOMs continuously.
All cloud images must produce SBOMs, across all suites and products.
# REQUIREMENTS #
* Current calls to create_manifest in livecd-rootfs/live-build/functions must not break.
* SBOM generation must only be done for the ubuntu-cpc project.
# IMPACT #
* Will only affect the `ubuntu-cpc` project.
* Will add the creation of a new file.
* The SBOM requirement is part of Canonical's SSDLC efforts as well as partner contracts (multiple partners are requiring SBOMs for each generated artifact).
# TEST PLAN #
* Test all the ubuntu-cpc livecd-rootfs-only hooks and series. Ensure that an SPDX-formatted SBOM, manifest, and filelist are generated and saved.
* Test a non-ubuntu-cpc hook and make sure that nothing is generated (check for calls of create_manifest; if they aren't even calling it, then it's safe).
* Test private ubuntu-cpc hooks. Ensure that current calls to create_manifest are not broken.
* Test buildd builds to ensure no manifest is generated and no error is raised.
# POSSIBLE REGRESSIONS / WHERE PROBLEMS COULD OCCUR #
* Any hook calling create_manifest is at risk if there is an issue with create_manifest.
* Outside CPC-specific hooks, the only build calling create_manifest is `buildd`. However, this is not in the `ubuntu-cpc` project, so it should skip the SBOM generation.
* Any build where access to the snap store is restricted, as this requires a snap.
* NOTE: Launchpad livefs builds have access to the snap store.
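The requirements, test plan and regression list above describe one guard: the existing manifest step must keep working for every caller, the SBOM step must run only for the ubuntu-cpc project, and a build without snap store access must not end up silently shipping without an SBOM. The following is an added shell example of that guard, written for this page; it is not livecd-rootfs code and does not modify the real create_manifest. The tool location `/snap/bin/sbom-tool`, its `--root`/`--output` flags, the manifest format, and the function names are assumptions for illustration, and the fixture (dpkg status file, stub tool) is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not livecd-rootfs code. Manifest always; SBOM only for
# ubuntu-cpc; a missing SBOM tool fails the ubuntu-cpc step loudly rather
# than silently producing an artifact with no SBOM. Tool path, flags and
# manifest format are assumptions made for this illustration.

# Stand-in for the existing manifest step: "package<TAB>version" per line,
# read from the dpkg status file under the root. Untouched by SBOM logic.
write_manifest() {
    root="$1"; out="$2"
    if [ -f "$root/var/lib/dpkg/status" ]; then
        awk '/^Package: /{p=$2} /^Version: /{print p "\t" $2}' \
            "$root/var/lib/dpkg/status" > "$out"
    else
        : > "$out"
    fi
}

# SBOM generation applies to exactly one project.
sbom_wanted() {
    [ "$1" = "ubuntu-cpc" ]
}

# generate_sbom PROJECT ROOT OUT
#   other projects (buildd etc.): returns 0, writes nothing
#   ubuntu-cpc with tool present:  runs the tool, writes OUT
#   ubuntu-cpc with tool missing:  returns 1 (restricted snap store case)
generate_sbom() {
    project="$1"; root="$2"; out="$3"
    tool="${SBOM_TOOL:-/snap/bin/sbom-tool}"   # assumed location of the snap's binary
    if ! sbom_wanted "$project"; then
        echo "sbom: skipped for project '$project'" >&2
        return 0
    fi
    if [ ! -x "$tool" ]; then
        echo "sbom: required tool '$tool' unavailable (snap store access restricted?)" >&2
        return 1
    fi
    "$tool" --root "$root" --output "$out"   # assumed CLI; real tools differ
}

# What a hook would call: manifest for everyone, SBOM conditionally.
# A non-zero status can only come from the SBOM step, and only for ubuntu-cpc.
create_manifest_and_sbom() {
    project="$1"; root="$2"; prefix="$3"
    write_manifest "$root" "$prefix.manifest"
    generate_sbom "$project" "$root" "$prefix.spdx"
}

# Constructed fixture: a scratch root with two packages and a stub SBOM tool
# that writes a minimal SPDX tag-value document to its --output argument.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/var/lib/dpkg"
    printf 'Package: openssl\nVersion: 3.0.2-0ubuntu1\n\nPackage: curl\nVersion: 7.81.0-1\n\n' \
        > "$dir/root/var/lib/dpkg/status"
    printf '#!/bin/sh\nprintf "SPDXVersion: SPDX-2.3\\nDataLicense: CC0-1.0\\n" > "$4"\n' \
        > "$dir/tool"
    chmod +x "$dir/tool"
    echo "$dir"
}

# Stand-alone run: the three paths from the test plan, on the fixture.
demo() {
    fx=$(make_fixture)
    SBOM_TOOL="$fx/tool"
    create_manifest_and_sbom ubuntu-cpc "$fx/root" "$fx/cpc" && echo "ubuntu-cpc: manifest + SBOM written"
    create_manifest_and_sbom buildd "$fx/root" "$fx/buildd" && echo "buildd: manifest only, SBOM skipped"
    SBOM_TOOL="$fx/missing"
    create_manifest_and_sbom ubuntu-cpc "$fx/root" "$fx/bad" || echo "ubuntu-cpc without tool: step fails"
    rm -rf "$fx"
}
demo
```

The project check is a plain string comparison on whatever the hook passes in, so the buildd case in the test plan never reaches the tool at all, which is what keeps "no error is raised" true for builds that merely share the manifest helper. The missing-tool branch deliberately returns non-zero for ubuntu-cpc: an SBOM that is a contractual deliverable should fail the build when it cannot be produced, and the regression risk listed above (restricted snap store access) then surfaces as a visible build failure instead of a missing file discovered later.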