sbom support

Signed-off-by: Avi Deitcher <avi@deitcher.net>

test/cases/000_build/010_reproducible/000_tar/test.sh

@@ -16,8 +16,10 @@ clean_up() {
 
 trap clean_up EXIT
 
-linuxkit build --format tar --name "${NAME}-1" ../test.yml
-linuxkit build --format tar --name "${NAME}-2" ../test.yml
+# do not include the sbom, because the SBoM unique IDs per file/package are *not* deterministic,
+# (currently based upon syft), and thus will make the file non-reproducible
+linuxkit build --no-sbom --format tar --name "${NAME}-2" ../test.yml
+linuxkit build --no-sbom --format tar --name "${NAME}-1" ../test.yml
 
 diff -q "${NAME}-1.tar" "${NAME}-2.tar" || exit 1
 

test/cases/000_build/010_reproducible/002_kernel+initrd/test.sh

@@ -16,8 +16,8 @@ clean_up() {
 
 trap clean_up EXIT
 
-linuxkit build --format kernel+initrd --name "${NAME}-1" ../test.yml
-linuxkit build --format kernel+initrd --name "${NAME}-2" ../test.yml
+linuxkit build --no-sbom --format kernel+initrd --name "${NAME}-1" ../test.yml
+linuxkit build --no-sbom --format kernel+initrd --name "${NAME}-2" ../test.yml
 
 diff -q "${NAME}-1-cmdline"    "${NAME}-2-cmdline"    || exit 1
 diff -q "${NAME}-1-kernel"     "${NAME}-2-kernel"     || exit 1

test/cases/000_build/050_sbom/README.md

@@ -0,0 +1,24 @@
+# SBoM Test
+
+Test that SBoM gets generated and unified.
+This test does not launch the image, so it doesn't matter much that what is in it is runnable,
+only that it gets built.
+
+This test uses local packages inside the directory, to ensure that we get a known and controlled
+SBoM.
+
+How it works:
+
+1. Builds the packages in [./package1](./package1) and [./package2](./package2)
+1. Builds the image in [./test.yml](./test.yml)
+1. Checks that the image contains an SBoM in the expected location
+1. Checks that the SBoM contains at least some expected packages
+
+## To update
+
+If you change the packages in [./package1](./package1) or [./package2](./package2), you will need
+to update the [./test.yml](./test.yml) file to reflect the new versions.
+
+1. `linuxkit pkg show-tag ./package1`
+1. `linuxkit pkg show-tag ./package2`
+1. Update the `onboot` section of [./test.yml](./test.yml) with the new versions

test/cases/000_build/050_sbom/package1/Dockerfile

@@ -0,0 +1,2 @@
+# just something to let the SBoM scanner run
+FROM registry:2

test/cases/000_build/050_sbom/package1/build.yml

@@ -0,0 +1,5 @@
+image: sbom_package1
+network: true
+arches:
+  - arm64
+  - amd64

test/cases/000_build/050_sbom/package2/Dockerfile

@@ -0,0 +1,2 @@
+# just something to let the SBoM scanner run
+FROM alpine:3.18

test/cases/000_build/050_sbom/package2/build.yml

@@ -0,0 +1,5 @@
+image: sbom_package2
+network: true
+arches:
+  - arm64
+  - amd64

test/cases/000_build/050_sbom/test.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+# SUMMARY: Check that tar output format build is reproducible
+# LABELS:
+
+set -e
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=sbom
+
+clean_up() {
+	rm -f ${NAME}*
+}
+
+trap clean_up EXIT
+
+# build the packages we need
+linuxkit pkg build ./package1 ./package2
+
+# build the image we need
+linuxkit build --format tar --name "${NAME}" ./test.yml
+
+# check that we got the SBoM
+tar -tvf ${NAME}.tar sbom.spdx.json
+
+exit 0

test/cases/000_build/050_sbom/test.yml

@@ -0,0 +1,18 @@
+# NOTE: Images build from this file likely do not run
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyS0"
+init:
+  - linuxkit/init:b7a8f94dfb72f738318cc25daf05451ed85ba194
+  - linuxkit/runc:436357ce16dd663e24f595bcec26d5ae476c998e
+  - linuxkit/containerd:d445de33c7f08470187b068d247b1c0dea240f0a
+
+onboot:
+  - name: package1
+    image: linuxkit/sbom_package1:68f9fad3d53156e014f1b79e7417e345daab3fd9
+services:
+  - name: package2
+    image: linuxkit/sbom_package2:70ebd08dfd61080d3b7efb9475007f316e3b4727
+files:
+  - path: etc/linuxkit-config
+    metadata: yaml