These utilities consist of:
- AlmaLinux SBOM CLI: This utility is used to create SBOM records for artifacts created with the AlmaLinux Build System. It generates SBOM records for Builds and Packages.
- AlmaLinux Git Notarization Tool: This utility allows AlmaLinux developers to manually notarize AlmaLinux git sources using the ImmudbWrapper.
- python >= 3.9
- requests >= 2.20.0
- dataclasses >= 0.8
- cyclonedx-python-lib >= 2.7.1
- packageurl-python >= 0.10.3
- GitPython == 3.1.29
- immudb_wrapper >= 0.1.4
- rpm >= 4.14 (or rpm == 0.3.1 in venv)
- Create a Python Virtual Environment:
python3.9 -m venv env
- Activate the Virtual Environment:
source env/bin/activate
- Install dependencies:
pip install .
pipx is a tool to install and run Python applications in isolated environments.
With pipx you can install Python-based command line tools such as alma-sbom more easily.
The pipx package is released in Fedora EPEL, so you can install it easily in AlmaLinux by running dnf install pipx.
To install alma-sbom with pipx you can either:
- Clone the alma-sbom git repository and run pipx install . inside the cloned repository.
- Install alma-sbom directly from GitHub by running pipx install git+https://github.com/AlmaLinux/alma-sbom.git
The AlmaLinux SBOM CLI, named alma-sbom, is provided as a command line tool installed on your system or in your virtual environment (if you follow Getting Started). It has two subcommands. You can get two different types of SBOMs (Build and Package) by using these subcommands appropriately.
You can use the following arguments for alma-sbom command:
- output-file: The file you want to save the generated SBOM to. If not provided, the resulting SBOM is printed to stdout
- file-format: The SBOM type and file format you want to generate, either CycloneDX or SPDX. The available file formats vary depending on the SBOM format. Currently, we support the following combinations: {spdx-json,spdx-xml,spdx-yaml,spdx-tagvalue,spdx-rdf,cyclonedx-json,cyclonedx-xml}
- albs-url: The URL of the AlmaLinux Build System, if different from the production one, https://build.almalinux.org
- immudb-username: The immudb username, can be provided either by setting the environment variable or by using this option; by default uses the value from the ImmudbWrapper module
- immudb-password: The immudb password, can be provided either by setting the environment variable or by using this option; by default uses the value from the ImmudbWrapper module
- immudb-database: The immudb database name, can be provided either by setting the environment variable or by using this option; by default uses the value from the ImmudbWrapper module
- immudb-address: The immudb host address, can be provided either by setting the environment variable or by using this option; by default uses the value from the ImmudbWrapper module
- immudb-public-key-file: (Optional) Path of the public key to use for authenticating requests, must be provided either by setting the environment variable or by using this option
- verbose or debug: Enable verbose or debug output
You can get the SBOM of a Build using the build subcommand, and providing the following argument:
- build-id: The Build id you want to generate the SBOM for
Note that you have to provide the build-id argument.
Example to make SBOM of a Build with build-id option in cyclonedx-json format:
$ alma-sbom --file-format cyclonedx-json build --build-id 4372
You can get the SBOM of a Package using the package subcommand, and providing the following argument:
- rpm-package-hash: The Immudb hash of the package you want to generate the SBOM for
- rpm-package: The path to RPM package you want to generate the SBOM for
Note that you have to provide either the rpm-package-hash or the rpm-package argument.
Example to make SBOM of a Package with rpm-package-hash option in cyclonedx-xml format with verbose output:
$ alma-sbom --verbose --file-format cyclonedx-xml package --rpm-package-hash b00d871e204ca8cbcae72c37c53ab984fdadc3846c91fb35c315335adfe0699b
Example to make SBOM of a Package with rpm-package option in spdx-yaml format with debug output:
$ alma-sbom --debug --file-format spdx-yaml package --rpm-package /path/to/package
You can get the SBOM of an ISO image using the iso subcommand, and providing the following argument:
- iso-image: Path to the AlmaLinux installer ISO image that you want to generate the SBOM for
Example to make an SBOM of an ISO image in the default format (SPDX-json):
$ alma-sbom iso --iso-image /path/to/isoimage
When importing git sources from CentOS, these are notarized using Immudb. However, there are corner cases where these sources can't be notarized. For this reason, this tool has been created to allow AlmaLinux developers to manually notarize AlmaLinux sources that couldn't be notarized at import time.
To summarize what the tool does:
- It checks whether an AlmaLinux git source's commit has a git tag assigned according to the AlmaLinux tagging conventions
- If this tag is "modified" according to the AlmaLinux tagging conventions, then the tool will try to find a matching tag in a corresponding upstream tag
- If the matching tag is found, the tool will authenticate its commit and take its Immudb hash if found. This hash will be added as an attribute of an AlmaLinux source Immudb record
- If the matching tag/commit is not notarized, the tool can notarize it and then use that hash as an attribute when notarizing the AlmaLinux source
- If no upstream matching tag can be found, the tool allows notarizing the AlmaLinux source without having a notarized upstream corresponding tag
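The decision flow summarized above, modelled as an added example that is not part of the alma-sbom code: the tag naming convention (an AlmaLinux changed/<branch>/<nvr> tag matching an upstream imports/<branch>/<nvr> tag), the in-memory ledger standing in for immudb, the record hash, and all tag and commit names are constructed assumptions; the two keyword flags mirror the notarize-without-upstream-hash and notarize-upstream-tag options.

```python
import hashlib
from dataclasses import dataclass, field


class NotarizationRefused(Exception):
    """Raised where the tool would stop and require a --notarize-* option to force."""


@dataclass
class FakeLedger:
    """Constructed stand-in for immudb: maps a commit to its notarization record."""
    records: dict = field(default_factory=dict)

    def lookup(self, commit):
        return self.records.get(commit)

    def notarize(self, commit, **attrs):
        # Constructed: the record hash is a sha256 over commit plus sorted attributes.
        body = commit + "".join(f"{k}={attrs[k]}" for k in sorted(attrs))
        rec = {"commit": commit, "hash": hashlib.sha256(body.encode()).hexdigest(), **attrs}
        self.records[commit] = rec
        return rec


def matching_upstream_tag(alma_tag, upstream_tags):
    """Assumed convention: 'changed/<branch>/<nvr>' is a modified source whose
    upstream counterpart is 'imports/<branch>/<nvr>'. Returns None when no match."""
    prefix, _, rest = alma_tag.partition("/")
    if prefix != "changed":
        return None
    candidate = "imports/" + rest
    return candidate if candidate in upstream_tags else None


def notarize_alma_source(alma_tag, alma_commit, upstream_tags, ledger,
                         notarize_without_upstream_hash=False,
                         notarize_upstream_tag=False):
    """Mirror the tool's decision flow; upstream_tags maps tag name -> upstream commit."""
    if alma_tag is None:
        raise NotarizationRefused("commit carries no AlmaLinux tag")
    tag = matching_upstream_tag(alma_tag, upstream_tags)
    if tag is None:
        # No upstream counterpart: only proceed when explicitly forced.
        if not notarize_without_upstream_hash:
            raise NotarizationRefused("no matching upstream tag; "
                                      "pass --notarize-without-upstream-hash to force")
        return ledger.notarize(alma_commit, alma_tag=alma_tag, upstream_hash=None)
    upstream_rec = ledger.lookup(upstream_tags[tag])
    if upstream_rec is None:
        # Upstream tag exists but was never notarized: notarize it first if forced.
        if not notarize_upstream_tag:
            raise NotarizationRefused(f"upstream tag {tag} is not notarized; "
                                      "pass --notarize-upstream-tag to force")
        upstream_rec = ledger.notarize(upstream_tags[tag], upstream_tag=tag)
    # The upstream record's hash becomes an attribute of the AlmaLinux record.
    return ledger.notarize(alma_commit, alma_tag=alma_tag,
                           upstream_hash=upstream_rec["hash"])
```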
The AlmaLinux Git Notarization Tool accepts the following arguments:
- immudb-username: The immudb username, must be provided either by setting the environment variable or by using this option to notarize sources
- immudb-password: The immudb password, must be provided either by setting the environment variable or by using this option to notarize sources
- immudb-database: The immudb database name, can be provided either by setting the environment variable or by using this option; by default uses the value from the ImmudbWrapper module
- immudb-address: The immudb host address, can be provided either by setting the environment variable or by using this option; by default uses the value from the ImmudbWrapper module
- immudb-public-key-file: (Optional) Path of the public key to use for authenticating requests, must be provided either by setting the environment variable or by using this option
- local-git-repo: The path to a local AlmaLinux git source repository. If not provided, uses the current working directory
- notarize-without-upstream-hash: Use this option if you want to force the notarization of an AlmaLinux commit even when there's no matched upstream tag
- notarize-upstream-tag: Use this option if you want to force the notarization of an upstream tag before notarizing an AlmaLinux source
- notarize-without-imported-source-notarization: Use this option if you want to force the notarization of an upstream tag without an imported source notarization
- debug: This option makes the tool display debug information while running, which can be useful when diagnosing a problem in the tool
There are no mandatory arguments to pass (unless strictly required to force a notarization). If you are currently in a local clone of an AlmaLinux source, you can run python /path/to/git_notarize.py.
If you want to specify the folder, you should run python /path/to/git_notarize.py --local-git-repo <path to local copy of a git repo>.
Note that this tool is meant for AlmaLinux developers that have write permissions on git.almalinux.org and that have the AlmaLinux Immudb credentials required to notarize artifacts on behalf of AlmaLinux.
Any question? Found a bug? File an issue. Do you want to contribute with source code?
- Fork the repository on GitHub
- Create a new feature branch
- Write your change
- Submit a pull request