android/sbom.go

// Copyright 2024 Google Inc. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package android

import (
	"io"
	"path/filepath"
	"strings"

	"github.com/google/blueprint"
)

var (
	// Command line tool to generate SBOM in Soong
	genSbom = pctx.HostBinToolVariable("genSbom", "gen_sbom")

	// Command to generate SBOM in Soong.
	genSbomRule = pctx.AndroidStaticRule("genSbomRule", blueprint.RuleParams{
		Command:     "rm -rf $out && ${genSbom} --output_file ${out} --metadata ${in} --product_out ${productOut} --soong_out ${soongOut} --build_version \"$$(cat ${buildFingerprintFile})\" --product_mfr \"${productManufacturer}\" --json",
		CommandDeps: []string{"${genSbom}"},
	}, "productOut", "soongOut", "buildFingerprintFile", "productManufacturer")
)

func init() {
	RegisterSbomSingleton(InitRegistrationContext)
}

func RegisterSbomSingleton(ctx RegistrationContext) {
	ctx.RegisterParallelSingletonType("sbom_singleton", sbomSingletonFactory)
}

// sbomSingleton is used to generate build actions of generating SBOM of products.
type sbomSingleton struct{}

func sbomSingletonFactory() Singleton {
	return &sbomSingleton{}
}

// Generates SBOM of products
func (this *sbomSingleton) GenerateBuildActions(ctx SingletonContext) {
	if !ctx.Config().HasDeviceProduct() {
		return
	}
	// Get all METADATA files and add them as implicit input
	metadataFileListFile := PathForArbitraryOutput(ctx, ".module_paths", "METADATA.list")
	f, err := ctx.Config().fs.Open(metadataFileListFile.String())
	if err != nil {
		panic(err)
	}
	b, err := io.ReadAll(f)
	if err != nil {
		panic(err)
	}
	allMetadataFiles := strings.Split(string(b), "\n")
	implicits := []Path{metadataFileListFile}
	for _, path := range allMetadataFiles {
		implicits = append(implicits, PathForSource(ctx, path))
	}
	prodVars := ctx.Config().productVariables
	buildFingerprintFile := PathForArbitraryOutput(ctx, "target", "product", String(prodVars.DeviceName), "build_fingerprint.txt")
	implicits = append(implicits, buildFingerprintFile)

	// Add installed_files.stamp as implicit input, which depends on all installed files of the product.
	installedFilesStamp := PathForOutput(ctx, "compliance-metadata", ctx.Config().DeviceProduct(), "installed_files.stamp")
	implicits = append(implicits, installedFilesStamp)

	metadataDb := PathForOutput(ctx, "compliance-metadata", ctx.Config().DeviceProduct(), "compliance-metadata.db")
	sbomFile := PathForOutput(ctx, "sbom", ctx.Config().DeviceProduct(), "sbom.spdx.json")
	ctx.Build(pctx, BuildParams{
		Rule:      genSbomRule,
		Input:     metadataDb,
		Implicits: implicits,
		Output:    sbomFile,
		Args: map[string]string{
			"productOut":           filepath.Join(ctx.Config().OutDir(), "target", "product", String(prodVars.DeviceName)),
			"soongOut":             ctx.Config().soongOutDir,
			"buildFingerprintFile": buildFingerprintFile.String(),
			"productManufacturer":  ctx.Config().ProductVariables().ProductManufacturer,
		},
	})

	// Phony rule "soong-sbom". "m soong-sbom" to generate product SBOM in Soong.
	ctx.Build(pctx, BuildParams{
		Rule:   blueprint.Phony,
		Inputs: []Path{sbomFile},
		Output: PathForPhony(ctx, "soong-sbom"),
	})
}