authorsvidyuk <svidyuk@yandex-team.com>2024-02-26 20:47:56 +0300
committersvidyuk <svidyuk@yandex-team.com>2024-02-26 21:03:34 +0300
commit5f7b367ee75acc9f07a7dc091f26f92916e5a9eb (patch)
tree8470eaed9daa19d208ce6a161164b660ec3c43e6 /build/scripts/link_sbom.py
parent4ad6c196bc757b64229680c3bd4db544a3fc8fdd (diff)
SBOM embedding machinery with initial tests
Sbom is turned off by default in this PR and is going to be enabled by separate commit 9e873d00cc976a9ad58bd47615de2c1911bb77a5
Diffstat (limited to 'build/scripts/link_sbom.py')
-rw-r--r--build/scripts/link_sbom.py66
1 files changed, 66 insertions, 0 deletions
diff --git a/build/scripts/link_sbom.py b/build/scripts/link_sbom.py
new file mode 100644
index 0000000000..8b40850590
--- /dev/null
+++ b/build/scripts/link_sbom.py
@@ -0,0 +1,66 @@
+import argparse
+import json
+import os
+
+
+def parse_kv_arr(val):
+ res = {}
+ for kv in val.split(';'):
+ k, v = kv.split('=')
+ res[k] = v
+ return res
+
+
+def deduce_name(path):
+ name = os.path.basename(path)
+ for prefix in ['contrib/libs/', 'contrib/python/py2/', 'contrib/python/py3/', 'contrib/python/']:
+ if path.startswith(prefix):
+ name = path[len(prefix):].replace('/', '-')
+ break
+ return name
+
+
+def parse_componenet(component):
+ props = parse_kv_arr(component)
+ path = props['path']
+ ver = props['ver']
+
+ res = {}
+ res['type'] = 'library'
+ res['name'] = deduce_name(path)
+ res['version'] = ver
+ res["properties"] = [
+ {'name': 'arcadia_path', 'value': path},
+ {'name': 'language', 'value': props['lang']}
+ ]
+ return res
+
+
+def main():
+ parser = argparse.ArgumentParser(description='Generate SBOM datea from used contribs info')
+ parser.add_argument('-o', '--output', type=argparse.FileType('w', encoding='UTF-8'), help='resulting SBOM file')
+ parser.add_argument('--vcs-info', type=argparse.FileType('r', encoding='UTF-8'), help='VCS information file')
+ parser.add_argument('libinfo', metavar='N', type=str, nargs='*', help='libraries info for components section')
+
+ args = parser.parse_args()
+
+ vcs = json.load(args.vcs_info)
+
+ res = {}
+ res['$schema'] = "http://cyclonedx.org/schema/bom-1.5.schema.json"
+ res["bomFormat"] = "CycloneDX"
+ res["specVersion"] = "1.5"
+ res["version"] = 1
+ res["components"] = [parse_componenet(lib) for lib in args.libinfo]
+ res["properties"] = [
+ {'name': 'commit_hash', 'value': vcs['ARCADIA_SOURCE_HG_HASH']}
+ ]
+ if vcs.get('DIRTY', '') == 'dirty':
+ res["properties"].append({'name': 'has_uncommited_changes', 'value': True})
+
+ json.dump(res, args.output)
+ args.output.close()
+
+
+if __name__ == '__main__':
+ main()
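Review bot: In `main()`, the `has_uncommited_changes` property is written with the Python boolean `True`, but CycloneDX 1.5 defines a property's `value` as a string, so an SBOM built from a dirty tree would not validate against the schema named in its own `$schema` field; `res["properties"].append({'name': 'has_uncommited_changes', 'value': 'true'})` keeps it valid. In `parse_kv_arr`, `kv.split('=')` raises ValueError for any value that contains `=` and for an empty segment such as a trailing `;`, so `k, v = kv.split('=', 1)` plus a skip for empty segments would be more robust. Neither `--output` nor `--vcs-info` is marked `required=True`, so omitting one fails later with an AttributeError on `None` instead of a usage message. Because downstream vulnerability matching depends on the component identity, `deduce_name` would benefit from a docstring stating that the name is derived from the repository path alone and that no `purl` is emitted.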