NRL-1928 Merge SBOMs better

anjalitrace2-nhs · anjalitrace2-nhs · commit 56077fee341a · 2026-02-09T16:33:14.000Z
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -72,10 +72,6 @@ jobs:
       - name: Create SBOM
         run: bash scripts/sbom-create.sh
 
-      - name: Generate ASDF SBOM
-        working-directory: ./main-repo
-        run: poetry run python scripts/asdf_to_sbom.py
-
       - name: Upload SBOM artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/scripts/sbom-create.sh b/scripts/sbom-create.sh
@@ -1,5 +1,11 @@
 REPO_ROOT=$(git rev-parse --show-toplevel)
 
+echo REPO_ROOT: $REPO_ROOT
+
 syft -o spdx-json . > sbom.spdx.json
 
-poetry run python "$REPO_ROOT/scripts/sbom_from_asdf.py" | poetry run python "$REPO_ROOT/scripts/sbom_update.py"
+ASDF_SBOM="sbom-asdf.spdx.json"
+
+poetry run python "$REPO_ROOT/scripts/sbom_from_asdf.py" $ASDF_SBOM
+
+poetry run python "$REPO_ROOT/scripts/sbom_update.py" $ASDF_SBOM "sbom.spdx.json"
diff --git a/scripts/sbom_from_asdf.py b/scripts/sbom_from_asdf.py
@@ -2,7 +2,6 @@
 """Generate an SBOM-looking document for our asdf dependencies"""
 
 import json
-import re
 from pathlib import Path
 
 
@@ -27,30 +26,6 @@ def parse_tool_versions(file_path=".tool-versions"):
     return tools
 
 
-# def create_spdx_package(tool, index):
-#     package_id = f"SPDXRef-Package-asdf-{tool['name']}-{index}"
-
-#     return {
-#         "name": tool["name"],
-#         "SPDXID": package_id,
-#         "versionInfo": tool["version"],
-#         "supplier": "NOASSERTION",
-#         "downloadLocation": "NOASSERTION",
-#         "filesAnalyzed": False,
-#         "sourceInfo": "ASDF-managed tool: acquired package info from /.tool-versions",
-#         "licenseConcluded": "NOASSERTION",
-#         "licenseDeclared": "NOASSERTION",
-#         "copyrightText": "NOASSERTION",
-#         "externalRefs": [
-#             {
-#                 "referenceCategory": "PACKAGE-MANAGER",
-#                 "referenceType": "purl",
-#                 "referenceLocator": f"pkg:generic/{tool['name']}@{tool['version']}",
-#             }
-#         ],
-#     }
-
-
 def generate_asdf_sbom(output_file="sbom-asdf.spdx.json"):
     tools = parse_tool_versions()
 
@@ -83,7 +58,6 @@ def generate_asdf_sbom(output_file="sbom-asdf.spdx.json"):
             }
             for index, tool in enumerate(tools)
         ],
-        # "packages": [create_spdx_package(tool, idx) for idx, tool in enumerate(tools)],
         "relationships": [
             {
                 "spdxElementId": "SPDXRef-DOCUMENT",
diff --git a/scripts/sbom_update.py b/scripts/sbom_update.py
@@ -1,19 +1,26 @@
+#!/usr/bin/env python3
+"""
+Merge two SBOMs together
+
+packages, files, and relationships from new_sbom will be merged into existing_sbom
+"""
+
 import json
-import sys
 from pathlib import Path
 
 import fire
 
 
-def update_sbom(existing_sbom="sbom.spdx.json") -> None:
+def update_sbom(new_sbom, existing_sbom="sbom.spdx.json") -> None:
+    with Path(new_sbom).open("r") as f:
+        updates = json.load(f)
+
     with Path(existing_sbom).open("r") as f:
         sbom = json.load(f)
 
-    tool = json.loads(sys.stdin.read())
-
-    sbom.setdefault("packages", []).extend(tool.setdefault("packages", []))
-    sbom.setdefault("files", []).extend(tool.setdefault("files", []))
-    sbom.setdefault("relationships", []).extend(tool.setdefault("relationships", []))
+    sbom.setdefault("packages", []).extend(updates.setdefault("packages", []))
+    sbom.setdefault("files", []).extend(updates.setdefault("files", []))
+    sbom.setdefault("relationships", []).extend(updates.setdefault("relationships", []))
 
     with Path(existing_sbom).open("w") as f:
         json.dump(sbom, f)
