android/sbom.go

// Copyright 2024 Google Inc. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package android

import (
	"io"
	"path/filepath"
	"strings"

	"github.com/google/blueprint"
)

var (
	// Command line tool to generate SBOM in Soong
	genSbom = pctx.HostBinToolVariable("genSbom", "gen_sbom")

	// Command to generate SBOM in Soong.
	genSbomRule = pctx.AndroidStaticRule("genSbomRule", blueprint.RuleParams{
		Command:     "rm -rf $out && ${genSbom} --output_file ${out} --metadata ${in} --product_out ${productOut} --soong_out ${soongOut} --build_version \"$$(cat ${buildFingerprintFile})\" --product_mfr \"${productManufacturer}\" --json",
		CommandDeps: []string{"${genSbom}"},
	}, "productOut", "soongOut", "buildFingerprintFile", "productManufacturer")
)

func init() {
	RegisterSbomSingleton(InitRegistrationContext)
}

func RegisterSbomSingleton(ctx RegistrationContext) {
	ctx.RegisterParallelSingletonType("sbom_singleton", sbomSingletonFactory)
}

// sbomSingleton is used to generate build actions of generating SBOM of products.
type sbomSingleton struct {
	sbomFile OutputPath
}

func sbomSingletonFactory() Singleton {
	return &sbomSingleton{}
}

// Generates SBOM of products
func (this *sbomSingleton) GenerateBuildActions(ctx SingletonContext) {
	if !ctx.Config().HasDeviceProduct() {
		return
	}
	// Get all METADATA files and add them as implicit input
	metadataFileListFile := PathForArbitraryOutput(ctx, ".module_paths", "METADATA.list")
	f, err := ctx.Config().fs.Open(metadataFileListFile.String())
	if err != nil {
		panic(err)
	}
	b, err := io.ReadAll(f)
	if err != nil {
		panic(err)
	}
	allMetadataFiles := strings.Split(string(b), "\n")
	implicits := []Path{metadataFileListFile}
	for _, path := range allMetadataFiles {
		implicits = append(implicits, PathForSource(ctx, path))
	}
	prodVars := ctx.Config().productVariables
	buildFingerprintFile := PathForArbitraryOutput(ctx, "target", "product", String(prodVars.DeviceName), "build_fingerprint.txt")
	implicits = append(implicits, buildFingerprintFile)

	// Add installed_files.stamp as implicit input, which depends on all installed files of the product.
	installedFilesStamp := PathForOutput(ctx, "compliance-metadata", ctx.Config().DeviceProduct(), "installed_files.stamp")
	implicits = append(implicits, installedFilesStamp)

	metadataDb := PathForOutput(ctx, "compliance-metadata", ctx.Config().DeviceProduct(), "compliance-metadata.db")
	this.sbomFile = PathForOutput(ctx, "sbom", ctx.Config().DeviceProduct(), "sbom.spdx.json")
	ctx.Build(pctx, BuildParams{
		Rule:      genSbomRule,
		Input:     metadataDb,
		Implicits: implicits,
		Output:    this.sbomFile,
		Args: map[string]string{
			"productOut":           filepath.Join(ctx.Config().OutDir(), "target", "product", String(prodVars.DeviceName)),
			"soongOut":             ctx.Config().soongOutDir,
			"buildFingerprintFile": buildFingerprintFile.String(),
			"productManufacturer":  ctx.Config().ProductVariables().ProductManufacturer,
		},
	})

	if !ctx.Config().UnbundledBuildApps() {
		// When building SBOM of products, phony rule "sbom" is for generating product SBOM in Soong.
		ctx.Build(pctx, BuildParams{
			Rule:   blueprint.Phony,
			Inputs: []Path{this.sbomFile},
			Output: PathForPhony(ctx, "sbom"),
		})
	}
}

func (this *sbomSingleton) MakeVars(ctx MakeVarsContext) {
	// When building SBOM of products
	if !ctx.Config().UnbundledBuildApps() {
		ctx.DistForGoalWithFilename("droid", this.sbomFile, "sbom/sbom.spdx.json")
	}
}