
Commit c8ffa34

committed
Generate SBOM with SDK dependencies
1 parent 7bcf3a2 commit c8ffa34


1 file changed

+91
-1
lines changed

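--- a/swift-ci/sdks/android/scripts/build.sh
+++ b/swift-ci/sdks/android/scripts/build.sh
@@ -101,7 +101,7 @@ function declare_package
 packages+=(${name})
 }
 
-declare_package android_sdk \
+declare_package swift_android_sdk \
 "Swift SDK for Android" \
 "Apache-2.0" "https://swift.org/install"
 declare_package swift "swift" "Apache-2.0" "https://swift.org"
@@ -503,6 +503,96 @@ cat > info.json <<EOF
 }
 EOF
 
+spdx_uuid=$(uuidgen)
+spdx_doc_uuid=$(uuidgen)
+spdx_timestamp=$(date -Iseconds)
+
+# Now generate SPDX data
+cat > sbom.spdx.json <<EOF
+{
+"SPDXID": "SPDXRef-DOCUMENT",
+"name": "SBOM-SPDX-${spdx_uuid}",
+"spdxVersion": "SPDX-2.3",
+"creationInfo": {
+"created": "${spdx_timestamp}",
+"creators": [
+"Organization: Apple, Inc."
+]
+},
+"dataLicense": "Apache-2.0",
+"documentNamespace": "urn:uuid:${spdx_doc_uuid}",
+"documentDescribes": [
+"SPDXRef-Package-swift-android-sdk"
+],
+"packages": [
+EOF
+
+first=true
+for package in ${packages[@]}; do
+if [[ "$first" == "true" ]]; then
+first=false
+else
+cat >> sbom.spdx.json <<EOF
+},
+EOF
+fi
+
+snake=${package}_snake; snake=${!snake}
+version=${package}_version; version=${!version}
+name=${package}_name; name=${!name}
+license=${package}_license; license=${!license}
+url=${package}_url; url=${!url}
+
+cat >> sbom.spdx.json <<EOF
+{
+"SPDXID": "SPDXRef-Package-${snake}",
+"name": "${name}",
+"versionInfo": "${version}",
+"filesAnalyzed": false,
+"licenseDeclared": "${license}",
+"licenseConcluded": "${license}",
+"downloadLocation": "${url}",
+"copyrightText": "NOASSERTION",
+"checksums": []
+EOF
+done
+
+cat >> sbom.spdx.json <<EOF
+}
+],
+"relationships": [
+EOF
+
+first=true
+for package in ${packages[@]}; do
+if [[ "$package" == "swift_android_sdk" ]]; then
+continue
+fi
+
+if [[ "$first" == "true" ]]; then
+first=false
+else
+cat >> sbom.spdx.json <<EOF
+},
+EOF
+fi
+
+snake=${package}_snake; snake=${!snake}
+
+cat >> sbom.spdx.json <<EOF
+{
+"spdxElementId": "SPDXRef-Package-swift-android-sdk",
+"relationshipType": "GENERATED_FROM",
+"relatedSpdxElement": "SPDXRef-Package-${snake}"
+EOF
+done
+
+cat >> sbom.spdx.json <<EOF
+}
+]
+}
+EOF
+
 mkdir -p $sdk_base
 quiet_pushd $sdk_base
 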
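Review bot: `"dataLicense": "Apache-2.0"` in the document header of the new sbom.spdx.json heredoc is not valid SPDX — the 2.3 specification fixes the data license of every SPDX document to CC0-1.0 (it licenses the SBOM metadata itself, not the SDK), so conforming validators and SBOM ingestion tools will reject the file; change it to `"dataLicense": "CC0-1.0",`. The `created` value has the same conformance problem: `date -Iseconds` emits a local-offset timestamp such as `2025-01-01T12:00:00+02:00`, whereas SPDX requires UTC in the form `YYYY-MM-DDThh:mm:ssZ`, so use `spdx_timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)`. From a supply-chain standpoint every package entry is emitted with `"checksums": []` and `"filesAnalyzed": false`, so a consumer can verify nothing against this inventory; if the script already has digests of the artifacts it fetches from `${url}` (not visible in this hunk), recording them as `{"algorithm": "SHA256", "checksumValue": "…"}` would make the SBOM usable for integrity checks rather than only for naming versions. SPDX identifiers may contain only letters, digits, `.` and `-`, so if any `${package}_snake` value contains an underscore the generated `SPDXRef-Package-${snake}` IDs will also fail validation — worth asserting in the loop, since the hard-coded `SPDXRef-Package-swift-android-sdk` suggests the convention is hyphens. Finally, `${name}`, `${license}` and `${url}` are interpolated straight into the JSON heredocs without escaping, which is safe only while they come from the `declare_package` literals in this script; a comment such as `# values are trusted script literals, not escaped for JSON` would keep someone from later sourcing them from an external manifest.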