SBOM embedding machinery with initial tests

Sbom is turned off by default in this PR and is going to be enabled by separate commit
9e873d00cc976a9ad58bd47615de2c1911bb77a5

4 files changed, 82 insertions, 5 deletions

diff --git a/build/conf/license.conf b/build/conf/license.conf
index ae2d981396..ffb01e93f9 100644
--- a/build/conf/license.conf
+++ b/build/conf/license.conf
@@ -426,6 +426,11 @@ macro _DONT_REQUIRE_LICENSE() {
 macro LICENSE(Flags...) {
     SET(LICENSE_EXPRESSION $Flags)
     SET(LICENSE_NAMES $Flags)
+    # TODO(YMAKE-1136) avoid abusing LICENSE
+    # NOTICE: final value of MODVER might not be set yet if VERSION macro is called after LICENSE. Var expansion is
+    #         escaped here to prevent eager value substitution by SET but allow delayed value substitution when
+    #         adding linking SBOM data command to graph.
+    SET_APPEND(_SBOM_INFO_GLOBAL "path=${MODDIR};ver=\${join=.:MODVER};lang=${MODULE_LANG}")
 }
 
 ### @usage LICENSE_RESTRICTION(ALLOW_ONLY|DENY LicenseProperty...)
diff --git a/build/conf/linkers/ld.conf b/build/conf/linkers/ld.conf
index cf162a0db4..4fc8b1eb9c 100644
--- a/build/conf/linkers/ld.conf
+++ b/build/conf/linkers/ld.conf
@@ -203,7 +203,7 @@ REAL_LINK_EXE_CMDLINE+=\
     $LINK_SCRIPT_EXE_FLAGS \
     $CXX_COMPILER \
     $_LD_SRCS_GLOBALS \
-    $VCS_C_OBJ $AUTO_INPUT -o $TARGET \
+    $VCS_C_OBJ $_EXTRA_OBJS $AUTO_INPUT -o $TARGET \
     $_EXE_FLAGS \
     $_PROCESS_WHOLE_ARCHIVE_SCRIPT \
     $_LD_ENV_STYLE
@@ -230,7 +230,7 @@ REAL_LINK_EXEC_DYN_LIB_CMDLINE+=\
     $LINK_DYN_LIB_FLAGS \
     $CXX_COMPILER \
     $_LD_SRCS_GLOBALS \
-    $VCS_C_OBJ $AUTO_INPUT -o $TARGET \
+    $VCS_C_OBJ $_EXTRA_OBJS $AUTO_INPUT -o $TARGET \
     $_EXEC_SHARED_FLAG \
     $_SONAME_FLAG \
     $_EXE_FLAGS \
@@ -254,7 +254,7 @@ REAL_LINK_DYN_LIB_CMDLINE+=\
     $LINK_DYN_LIB_FLAGS \
     $CXX_COMPILER \
     $_LD_SRCS_GLOBALS \
-    $VCS_C_OBJ $AUTO_INPUT -o $TARGET \
+    $VCS_C_OBJ $_EXTRA_OBJS $AUTO_INPUT -o $TARGET \
     $_SHARED_FLAG \
     $_SONAME_FLAG \
     $_EXE_FLAGS \
@@ -276,10 +276,13 @@ otherwise {
 DWARF_COMMAND=$_DWARF_COMMAND
 
 _REAL_LINK_EXE=$REAL_LINK_EXE_IMPL($_WHOLE_ARCHIVE_PEERS_VALUE)
+_EXTRA_OBJS=
+_GENERATE_EXTRA_OBJS=
 
 _LINK_EXE=
 _LINK_EXE+=$GENERATE_MF
 _LINK_EXE+=&& $GENERATE_VCS_C_INFO_NODEP
+_LINK_EXE+=&& $_GENERATE_EXTRA_OBJS
 _LINK_EXE+=&& $COPY_PROFILE_RUNTIME
 _LINK_EXE+=&& $REAL_LINK_EXE
 _LINK_EXE+=&& $DWARF_COMMAND
@@ -289,6 +292,7 @@ _LINK_EXE+=&& $PACK_IOS_CMD
 _LINK_DYN_LIB=
 _LINK_DYN_LIB+=$GENERATE_MF
 _LINK_DYN_LIB+=&& $GENERATE_VCS_C_INFO_NODEP
+_LINK_DYN_LIB+=&& $_GENERATE_EXTRA_OBJS
 _LINK_DYN_LIB+=&& $COPY_PROFILE_RUNTIME
 _LINK_DYN_LIB+=&& $REAL_LINK_DYN_LIB
 _LINK_DYN_LIB+=&& $DWARF_COMMAND
@@ -306,6 +310,7 @@ LINK_DYN_LIB=$_LINK_DYN_LIB
 LINK_EXEC_DYN_LIB=\
     $GENERATE_MF && \
     $GENERATE_VCS_C_INFO_NODEP && \
+    $_GENERATE_EXTRA_OBJS && \
     $REAL_LINK_EXEC_DYN_LIB && \
     $DWARF_COMMAND && \
     $LINK_ADDITIONAL_SECTIONS_COMMAND
diff --git a/build/scripts/link_sbom.py b/build/scripts/link_sbom.py
new file mode 100644
index 0000000000..8b40850590
--- /dev/null
+++ b/build/scripts/link_sbom.py
@@ -0,0 +1,66 @@
+import argparse
+import json
+import os
+
+
+def parse_kv_arr(val):
+    res = {}
+    for kv in val.split(';'):
+        k, v = kv.split('=')
+        res[k] = v
+    return res
+
+
+def deduce_name(path):
+    name = os.path.basename(path)
+    for prefix in ['contrib/libs/', 'contrib/python/py2/', 'contrib/python/py3/', 'contrib/python/']:
+        if path.startswith(prefix):
+            name = path[len(prefix):].replace('/', '-')
+            break
+    return name
+
+
+def parse_componenet(component):
+    props = parse_kv_arr(component)
+    path = props['path']
+    ver = props['ver']
+
+    res = {}
+    res['type'] = 'library'
+    res['name'] = deduce_name(path)
+    res['version'] = ver
+    res["properties"] = [
+        {'name': 'arcadia_path', 'value': path},
+        {'name': 'language', 'value': props['lang']}
+    ]
+    return res
+
+
+def main():
+    parser = argparse.ArgumentParser(description='Generate SBOM datea from used contribs info')
+    parser.add_argument('-o', '--output', type=argparse.FileType('w', encoding='UTF-8'), help='resulting SBOM file')
+    parser.add_argument('--vcs-info', type=argparse.FileType('r', encoding='UTF-8'), help='VCS information file')
+    parser.add_argument('libinfo', metavar='N', type=str, nargs='*', help='libraries info for components section')
+
+    args = parser.parse_args()
+
+    vcs = json.load(args.vcs_info)
+
+    res = {}
+    res['$schema'] = "http://cyclonedx.org/schema/bom-1.5.schema.json"
+    res["bomFormat"] = "CycloneDX"
+    res["specVersion"] = "1.5"
+    res["version"] = 1
+    res["components"] = [parse_componenet(lib) for lib in args.libinfo]
+    res["properties"] = [
+        {'name': 'commit_hash', 'value': vcs['ARCADIA_SOURCE_HG_HASH']}
+    ]
+    if vcs.get('DIRTY', '') == 'dirty':
+        res["properties"].append({'name': 'has_uncommited_changes', 'value': True})
+
+    json.dump(res, args.output)
+    args.output.close()
+
+
+if __name__ == '__main__':
+    main()
diff --git a/build/ymake.core.conf b/build/ymake.core.conf
index afa1080feb..82d663922c 100644
--- a/build/ymake.core.conf
+++ b/build/ymake.core.conf
@@ -557,7 +557,7 @@ module GEN_LIBRARY: _BARE_UNIT {
 ### The base of all LIBRARY/PROGRAM modules describing common logic for all modules.
 ### To avoid surprises, all buildable modules are better to be inherited from it or its descendants.
 module _BASE_UNIT: _BARE_UNIT {
-    .GLOBAL=_FBS_NAMESPACE_MAP
+    .GLOBAL=_FBS_NAMESPACE_MAP _SBOM_INFO
 
     PEERDIR_TAGS=CPP_PROTO CPP_FBS CPP_ROSMSG H_IDL PY2 PY2_NATIVE YQL_UDF_STATIC __EMPTY__ RESOURCE_LIB DLL_LIB
 
@@ -4258,11 +4258,12 @@ macro NEED_REVIEW(Flags...) {
     ENABLE(UNUSED_MACRO)
 }
 
+MODVER=unknown
 ### @usage: VERSION(Args...)
 ###
 ### Specify version of a module. Currently unused by build system, only informative.
 macro VERSION(Flags...) {
-    ENABLE(UNUSED_MACRO)
+    SET(MODVER ${Flags})
 }
 
 DATAWORK_SCHEEME_EXPORT_FLAGS=