
MDEV-36398 Extend SBOM with 'license' and 'copyright'

Store auxiliary information for 3rd party projects, such as license
identifier, CPE vendor and product, and copyright statement, in a cmake file.
This commit is contained in:
Vladislav Vaintroub
2025-04-07 22:43:56 +02:00
parent 805e7ca3ad
commit 395db6f1d5
3 changed files with 82 additions and 26 deletions

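--- /dev/null
+++ b/cmake/3rdparty_info.cmake
@@ -0,0 +1,37 @@
+# This file is used for SBOM generation.
+# It consists of the list of 3rd party products
+# which can be compiled together with MariaDB server
+# and their licenses, copyright notices, and CPE prefixes
+# this is the vendor:product part of CPE identifier from
+# https://nvd.nist.gov/products/cpe
+# We use both git submodules, and CMake external projects
+# dependencies (as well we zlib, which is part of the code)
+# so the information is here for all these types
+SET("zlib.license" "Zlib")
+SET("zlib.copyright" "Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler")
+SET("zlib.cpe-prefix" "zlib:zlib")
+SET("minizip.license" "Zlib")
+SET("minizip.copyright" "Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler")
+SET("minizip.cpe-prefix" "zlib:zlib")
+SET("fmt.license" "MIT")
+SET("fmt.copyright" "Copyright (C) 2012 - present, Victor Zverovich")
+SET("fmt.cpe-prefix" "fmt:fmt")
+SET("pcre2.license" "BSD-3-Clause")
+SET("pcre2.cpe-prefix" "pcre:pcre2")
+SET("wolfssl.license" "GPL-2.0")
+SET("wolfssl.copyright" "Copyright (C) 2006-2024 wolfSSL Inc.")
+SET("wolfssl.cpe-prefix" "wolfssl:wolfssl")
+SET("boost.license" "BSL-1.0")
+SET("boost.cpe-prefix" "boost:boost")
+SET("mariadb-connector-c.license" "LGPL-2.1")
+SET("mariadb-connector-c.cpe-prefix" "mariadb:connector\\\\/c")
+SET("rocksdb.license" "GPL-2.0")
+SET("wsrep-lib.license" "GPL-2.0")
+SET("wsrep-api.license" "GPL-2.0")
+SET("mariadb-columnstore-engine.license" "GPL-2.0")
+SET("libmarias3.license" "LGPL-2.1")
+SET("thrift.license" "Apache-2.0")
+SET("thrift.cpe-prefix" "apache:thrift")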
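Review bot: The `mariadb-connector-c.cpe-prefix` value `"mariadb:connector\\\\/c"` is stored already escaped for embedding in a JSON string (CMake turns `\\\\` into two backslashes, which a JSON reader decodes to the CPE-escaped `\/`), whereas every other entry and the header comment describe plain vendor:product text, so the next maintainer is likely to "fix" it. A comment on that line would prevent that, e.g. `# value is pre-escaped for the JSON string literal in GENERATE_SBOM; decodes to the CPE "mariadb:connector\/c"`. The header comment's "as well we zlib" reads as "as well as zlib". The SPDX license list marks `GPL-2.0` and `LGPL-2.1` as deprecated identifiers in favour of the `-only`/`-or-later` forms, so if the SBOM is validated by a strict consumer the exact variant for each project may need confirming.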

@ -36,30 +36,23 @@ ENDMACRO()
# Get CPE ID ( https://en.wikipedia.org/wiki/Common_Platform_Enumeration )
# for given project name and version
# Only "known" CPEs are handled here, e.g currently no CPE for rocksdb
# CPE prefix are stored with other auxilliary info in the 3rdparty_info.cmake
# file
FUNCTION(SBOM_GET_CPE name version var)
SET(cpe_prefix_map
"zlib" "zlib:zlib"
"mariadb-connector-c" "mariadb:connector\\\\/c"
"wolfssl" "wolfssl:wolfssl"
"minizip" "zlib:zlib"
"pcre2" "pcre:pcre2"
"fmt" "fmt:fmt"
"boost" "boost:boost"
"thrift" "apache:thrift"
)
LIST(FIND cpe_prefix_map "${name}" idx_cpe_mapping)
# Version needs to have at least one dot character in it.
# Otherwise, we assume it is a git hash, and do not generate CPE
STRING(FIND "${version}" "." idx_version_dot)
IF((idx_cpe_mapping GREATER -1) AND (idx_version_dot GREATER -1))
MATH(EXPR next_idx "${idx_cpe_mapping}+1")
LIST(GET cpe_prefix_map ${next_idx} cpe_name_and_vendor)
STRING(REGEX REPLACE "[^0-9\\.]" "" cleaned_version "${version}")
SET(${var} "cpe:2.3:a:${cpe_name_and_vendor}:${cleaned_version}:*:*:*:*:*:*:*" PARENT_SCOPE)
ELSE()
SET(${var} "" PARENT_SCOPE)
SET(${var} "" PARENT_SCOPE)
STRING(FIND "${version}" "." dot_idx)
IF(${dot_idx} EQUAL -1)
# Version does not have dot inside.
# mostly likely it is just a git hash
RETURN()
ENDIF()
SET(cpe_name_and_vendor "${${repo_name_lower}.cpe-prefix}")
IF(NOT cpe_name_and_vendor)
RETURN()
ENDIF()
STRING(REGEX REPLACE "[^0-9\\.]" "" cleaned_version "${version}")
SET(${var} "cpe:2.3:a:${cpe_name_and_vendor}:${cleaned_version}:*:*:*:*:*:*:*" PARENT_SCOPE)
ENDFUNCTION()
# Add dependency on CMake ExternalProject.
@ -97,8 +90,8 @@ ENDMACRO()
# Perhaps it can always be "MariaDB", but security team recommendation is different
# more towards "author"
FUNCTION (sbom_get_supplier repo_name repo_user varname)
IF("${repo_name_SUPPLIER}")
SET(${varname} "${repo_name_SUPPLIER}" PARENT_SCOPE)
IF("${${repo_name}_SUPPLIER}")
SET(${varname} "${${repo_name}_SUPPLIER}" PARENT_SCOPE)
ELSEIF (repo_name MATCHES "zlib|minizip")
# stuff that is checked into out repos
SET(${varname} "MariaDB" PARENT_SCOPE)
@ -230,6 +223,7 @@ FUNCTION(GENERATE_SBOM)
\"ref\": \"${CPACK_PACKAGE_NAME}\",
\"dependsOn\": [" )
INCLUDE(3rdparty_info)
SET(first ON)
FOREACH(dep ${ALL_THIRD_PARTY})
# Extract the part after the last "/" from URL
@ -277,6 +271,14 @@ FUNCTION(GENERATE_SBOM)
IF(cpe)
SET(cpe "\n \"cpe\": \"${cpe}\",")
ENDIF()
SET(license "${${repo_name_lower}.license}")
IF(NOT license)
MESSAGE(FATAL_ERROR "no license for 3rd party dependency ${repo_name_lower}.")
ENDIF()
SET(copyright "${${repo_name_lower}.copyright}")
IF(NOT copyright)
SET(copyright NOASSERTION)
ENDIF()
STRING(APPEND sbom_components "
{
\"bom-ref\": \"${bom_ref}\",
@ -286,7 +288,15 @@ FUNCTION(GENERATE_SBOM)
\"purl\": \"${purl}\",${cpe}
\"supplier\": {
\"name\": \"${supplier}\"
}
},
\"licenses\": [
{
\"license\": {
\"id\": \"${license}\"
}
}
],
\"copyright\": \"${copyright}\"
}")
STRING(APPEND sbom_dependencies "
\"${bom_ref}\"")
@ -302,5 +312,6 @@ FUNCTION(GENERATE_SBOM)
IF(NOT DEFINED CPACK_PACKAGE_VERSION)
SET(CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
ENDIF()
STRING(TIMESTAMP CURRENT_YEAR "%Y")
configure_file(${CMAKE_CURRENT_LIST_DIR}/cmake/sbom.json.in ${CMAKE_BINARY_DIR}/sbom.json)
ENDFUNCTION()
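Review bot: SBOM_GET_CPE now reads `${${repo_name_lower}.cpe-prefix}`, but `repo_name_lower` is not one of its parameters (`name version var`) and the `name` argument goes unused in the new body; it only works because a CMake function scope inherits the caller's variables and GENERATE_SBOM, which uses `repo_name_lower` for the `.license` lookup, is presumably the caller. Deriving the key from the parameter keeps the function self-contained: `STRING(TOLOWER "${name}" name_lower)` followed by `SET(cpe_name_and_vendor "${${name_lower}.cpe-prefix}")`. In the sbom_get_supplier hunk, `IF("${${repo_name}_SUPPLIER}")` tests a quoted string, which is true only when its value is a boolean true constant such as ON or 1, so a supplier name like "Acme" can never take that branch; `IF(NOT "${${repo_name}_SUPPLIER}" STREQUAL "")` tests for presence as intended. The license and copyright values from 3rdparty_info.cmake are spliced verbatim into the `"id"` and `"copyright"` JSON fields, so a `"` or `\` in a copyright statement would corrupt the generated SBOM; an escaping step, or a `MESSAGE(FATAL_ERROR ...)` on such characters, would protect the document that downstream vulnerability matching relies on.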


@ -20,7 +20,15 @@
]
},
"purl": "pkg:github/@GITHUB_REPO_USER@/@GITHUB_REPO_NAME@@@GIT_REV_SHORT@",
"cpe": "cpe:2.3:a:mariadb:mariadb:@CPACK_PACKAGE_VERSION@:*:*:*:*:*:*"
"cpe": "cpe:2.3:a:mariadb:mariadb:@CPACK_PACKAGE_VERSION@:*:*:*:*:*:*",
"licenses": [
{
"license": {
"id": "GPL-2.0"
}
}
],
"copyright": "Copyright (C) @CURRENT_YEAR@ MariaDB plc, MariaDB Foundation and others"
},
"authors": [
{
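Review bot: The new `"copyright"` line takes its year from `CURRENT_YEAR`, which `STRING(TIMESTAMP CURRENT_YEAR "%Y")` reads from the build clock, so the same source tree yields a different sbom.json after a year boundary and the statement tracks the build date rather than the release. `STRING(TIMESTAMP)` honours `SOURCE_DATE_EPOCH` for reproducible builds, but deriving the year from the release date or fixing it in the template would be more faithful. The hard-coded `"id": "GPL-2.0"` is an identifier the SPDX list marks as deprecated in favour of `GPL-2.0-only`/`GPL-2.0-or-later`; worth confirming the intended consumer accepts it. The enclosing JSON object continues past the hunk.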