NRL-1928 Generate asdf SBOM and merge into big python + tf one

anjalitrace2-nhs · anjalitrace2-nhs · commit 19eb1e1326ee · 2026-02-09T10:37:10.000Z
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -72,6 +72,10 @@ jobs:
       - name: Create SBOM
         run: bash scripts/sbom-create.sh
 
+      - name: Generate ASDF SBOM
+        working-directory: ./main-repo
+        run: poetry run python scripts/asdf_to_sbom.py
+
       - name: Upload SBOM artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/.gitignore b/.gitignore
@@ -84,3 +84,6 @@ producer-internal-*.json
 producer-public-*.json
 consumer-internal-*.json
 consumer-public-*.json
+
+# SBOM files
+sbom*.spdx.json
diff --git a/scripts/sbom-create.sh b/scripts/sbom-create.sh
@@ -2,8 +2,4 @@ REPO_ROOT=$(git rev-parse --show-toplevel)
 
 syft -o spdx-json . > sbom.spdx.json
 
-# for tool in "$@"; do
-#   echo "Creating SBOM for $tool and merging"
-#   # syft -q -o spdx-json "$(which "$tool")" | python "$REPO_ROOT/scripts/sbom-update.py"
-#   syft -q -o spdx-json "$(which "$tool")"
-# done
+poetry run python "$REPO_ROOT/scripts/sbom_from_asdf.py" | poetry run python "$REPO_ROOT/scripts/sbom_update.py"
diff --git a/scripts/sbom_from_asdf.py b/scripts/sbom_from_asdf.py
@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+"""Generate an SBOM-looking document for our asdf dependencies"""
+
+import json
+import re
+from pathlib import Path
+
+
+def parse_tool_versions(file_path=".tool-versions"):
+    tools = []
+
+    if not Path(file_path).exists():
+        return tools
+
+    with open(file_path, "r") as f:
+        for line in f:
+            line = line.strip()
+            if not line or line.startswith("#"):
+                continue
+
+            parts = line.split()
+            if len(parts) >= 2:
+                tool_name = parts[0]
+                version = parts[1]
+                tools.append({"name": tool_name, "version": version})
+
+    return tools
+
+
+# def create_spdx_package(tool, index):
+#     package_id = f"SPDXRef-Package-asdf-{tool['name']}-{index}"
+
+#     return {
+#         "name": tool["name"],
+#         "SPDXID": package_id,
+#         "versionInfo": tool["version"],
+#         "supplier": "NOASSERTION",
+#         "downloadLocation": "NOASSERTION",
+#         "filesAnalyzed": False,
+#         "sourceInfo": "ASDF-managed tool: acquired package info from /.tool-versions",
+#         "licenseConcluded": "NOASSERTION",
+#         "licenseDeclared": "NOASSERTION",
+#         "copyrightText": "NOASSERTION",
+#         "externalRefs": [
+#             {
+#                 "referenceCategory": "PACKAGE-MANAGER",
+#                 "referenceType": "purl",
+#                 "referenceLocator": f"pkg:generic/{tool['name']}@{tool['version']}",
+#             }
+#         ],
+#     }
+
+
+def generate_asdf_sbom(output_file="sbom-asdf.spdx.json"):
+    tools = parse_tool_versions()
+
+    print(f"Found {len(tools)} ASDF-managed tools")
+
+    sbom = {
+        "spdxVersion": "SPDX-2.3",
+        "dataLicense": "CC0-1.0",
+        "SPDXID": "SPDXRef-DOCUMENT",
+        "name": "asdf-tools",
+        "packages": [
+            {
+                "name": tool["name"],
+                "SPDXID": f"SPDXRef-Package-asdf-{tool['name']}-{index}",
+                "versionInfo": tool["version"],
+                "supplier": "NOASSERTION",
+                "downloadLocation": "NOASSERTION",
+                "filesAnalyzed": False,
+                "sourceInfo": "ASDF-managed tool: acquired package info from /.tool-versions",
+                "licenseConcluded": "NOASSERTION",
+                "licenseDeclared": "NOASSERTION",
+                "copyrightText": "NOASSERTION",
+                "externalRefs": [
+                    {
+                        "referenceCategory": "PACKAGE-MANAGER",
+                        "referenceType": "purl",
+                        "referenceLocator": f"pkg:generic/{tool['name']}@{tool['version']}",
+                    }
+                ],
+            }
+            for index, tool in enumerate(tools)
+        ],
+        # "packages": [create_spdx_package(tool, idx) for idx, tool in enumerate(tools)],
+        "relationships": [
+            {
+                "spdxElementId": "SPDXRef-DOCUMENT",
+                "relationshipType": "DESCRIBES",
+                "relatedSpdxElement": f"SPDXRef-Package-asdf-{tool['name']}-{index}",
+            }
+            for index, tool in enumerate(tools)
+        ],
+    }
+
+    with open(output_file, "w") as f:
+        json.dump(sbom, f, indent=2)
+
+    print(f"Generated SBOM with {len(tools)} ASDF-managed tools")
+    return output_file
+
+
+if __name__ == "__main__":
+    generate_asdf_sbom()
diff --git a/scripts/sbom_update.py b/scripts/sbom_update.py
@@ -2,9 +2,11 @@
 import sys
 from pathlib import Path
 
+import fire
 
-def main() -> None:
-    with Path("sbom.spdx.json").open("r") as f:
+
+def update_sbom(existing_sbom="sbom.spdx.json") -> None:
+    with Path(existing_sbom).open("r") as f:
         sbom = json.load(f)
 
     tool = json.loads(sys.stdin.read())
@@ -13,9 +15,9 @@ def main() -> None:
     sbom.setdefault("files", []).extend(tool.setdefault("files", []))
     sbom.setdefault("relationships", []).extend(tool.setdefault("relationships", []))
 
-    with Path("sbom.spdx.json").open("w") as f:
+    with Path(existing_sbom).open("w") as f:
         json.dump(sbom, f)
 
 
 if __name__ == "__main__":
-    main()
+    fire.Fire(update_sbom)
