
Make it reproducible #94

Merged
merged 2 commits into from
May 8, 2024

Conversation

nikstur
Owner

@nikstur nikstur commented May 8, 2024

Closes #92 #93

This should be enough for now to make the SBOM reproducible. In my simple tests only on the same machine, this resulted in reproducible outputs.

This should increase reproducibility because BTrees are ordered.
@drupol
Contributor

drupol commented May 8, 2024

This seems to fix the broken check:

diff --git a/rust/transformer/src/cyclonedx.rs b/rust/transformer/src/cyclonedx.rs
index 3d84f1d..18f0cfd 100644
--- a/rust/transformer/src/cyclonedx.rs
+++ b/rust/transformer/src/cyclonedx.rs
@@ -26,8 +26,6 @@ impl CycloneDXBom {
         Self(Bom {
             components: Some(components.into()),
             metadata: Some(metadata_from_derivation(target)),
-            // Do not include a serial number to improve reproducibility.
-            serial_number: None,
             ..Bom::default()
         })
     }
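Review bot: the two lines removed from this hunk are exactly the ones that pinned `serial_number` to `None`, and the deleted comment states that this was done to keep the output reproducible; with the override gone the field falls back to whatever `..Bom::default()` supplies, so the serialized BOM is only reproducible if that default is itself deterministic. If the failing check requires a serial number to be present, keep an explicit assignment here and derive the value deterministically from the build inputs rather than dropping the field.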
-- 
2.44.0

Last thing to do is to sort the JSON root attributes by default.

@nikstur
Owner Author

nikstur commented May 8, 2024

This seems to fix the broken check

Yes but your patch also re-introduces the reproducibility issues ^^.

I tried a different approach, deriving a serial number from the outPath of the SBOM derivation.

@drupol
Contributor

drupol commented May 8, 2024

Haha I did something similar in the meantime:

sbom = let
  # Build the SBOM for the joined image content (here only pkgs.hello).
  sbomPath = inputs.bombon.lib.${system}.buildBom (pkgs.symlinkJoin {
    name = "imageContent";
    paths = [ pkgs.hello ];
  }) { };
in pkgs.runCommand sbomPath.name {
  nativeBuildInputs = [ pkgs.jq pkgs.util-linux ];
} ''
  # Canonicalise the JSON: sort object keys and order components by purl.
  jq --sort-keys '.components |= sort_by(.purl)' ${sbomPath} > sbom.json
  # Replace the non-reproducible serial number with a name-based (SHA-1, URL
  # namespace) UUID derived from the SBOM derivation's outPath.
  jq ".serialNumber=\"urn:uuid:$(${pkgs.util-linux}/bin/uuidgen -N ${sbomPath.outPath} --sha1 --namespace @url)\"" sbom.json > $out
'';

@nikstur nikstur changed the title Improve reproducibility Make it reproducible May 8, 2024
Derive the serial number from the outPath of the SBOM derivation.
This uses the first 16 bytes of the SHA256 hash of the entire outPath.
@nikstur nikstur merged commit a8083c9 into main May 8, 2024
1 check passed
@nikstur nikstur deleted the improve-reproducibility branch May 8, 2024 20:53
@drupol
Contributor

drupol commented May 8, 2024

Works perfectly :) Removing all my jq hacks now!
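The two serial-number strategies discussed in this thread (drupol's `uuidgen --sha1 --namespace @url` hack and the merged "first 16 bytes of SHA-256 over the outPath" approach), together with the key and component ordering both rely on, as an added example that is not bombon's own code. The store path and components are constructed sample values, and the merged approach is modelled as the raw truncated digest with no UUID version bits adjusted (an assumption; the commit message does not say).

```python
"""Deterministic CycloneDX serial numbers and canonical JSON (added example)."""
import hashlib
import json
import re
import uuid

# Constructed sample values; not a real store path or real component data.
OUT_PATH = "/nix/store/0000000000000000000000000000000a-imageContent.cdx.json"
COMPONENTS = [
    {"type": "library", "name": "hello", "version": "2.12.1",
     "purl": "pkg:nix/hello@2.12.1"},
    {"type": "library", "name": "glibc", "version": "2.39",
     "purl": "pkg:nix/glibc@2.39"},
]
# Shape the CycloneDX schema expects for serialNumber.
SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def serial_from_outpath_sha256(out_path: str) -> str:
    """Merged approach: first 16 bytes of SHA-256 over the whole outPath,
    rendered as urn:uuid (assumption: digest bytes used as-is)."""
    digest = hashlib.sha256(out_path.encode()).digest()
    return f"urn:uuid:{uuid.UUID(bytes=digest[:16])}"


def serial_from_outpath_uuid5(out_path: str) -> str:
    """drupol's jq hack: uuidgen --sha1 --namespace @url -N <outPath>,
    i.e. a name-based version-5 UUID in the URL namespace."""
    return f"urn:uuid:{uuid.uuid5(uuid.NAMESPACE_URL, out_path)}"


def is_valid_serial(serial: str) -> bool:
    return SERIAL_RE.match(serial) is not None


def canonical_bom(out_path, components, serial_fn=serial_from_outpath_sha256) -> str:
    """Serialise a minimal BOM so the bytes depend only on the inputs:
    components ordered by purl (the BTree / sort_by(.purl) point above),
    object keys sorted, fixed separators."""
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "serialNumber": serial_fn(out_path),
        "components": sorted(components, key=lambda c: c["purl"]),
    }
    return json.dumps(bom, sort_keys=True, separators=(",", ":"), indent=2) + "\n"


if __name__ == "__main__":
    a = canonical_bom(OUT_PATH, COMPONENTS)
    b = canonical_bom(OUT_PATH, list(reversed(COMPONENTS)))  # same inputs, other order
    print(a)
    print("reproducible:", a == b)
```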

Successfully merging this pull request may close these issues.

The JSON is not reproducible