Fix SBOM: Add missing packages #5961
Packages built from source are invisible to syft because they bypass the APK package manager and leave no entry in the APK database. Syft's apk-db-cataloger reads lib/apk/db/installed to discover packages, so source-built packages are silently omitted from the SBOM. Add register-sbom-pkg.sh, a small script that writes a minimal APK database entry for a source-built package into the output root.
Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
A heuristic check that scans every pkg/*/Dockerfile for external source fetches (ADD https://..., ADD --keep-git-dir=...) and fails if the same Dockerfile does not call register-sbom-pkg.sh, ensuring new compile-from-source dependencies cannot slip into the rootfs without a matching SBOM entry. Toolchain Dockerfiles that legitimately never ship in the final image are listed in tools/sbom-coverage-allowlist.txt with a justification.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
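An added sketch of the heuristic this commit describes, run over a constructed pkg tree; it is example code, not the project's tools/check-sbom-coverage.sh, and the Dockerfile contents, pkg names and allowlist entry are sample data.

```shell
#!/bin/sh
# Hypothetical sketch of the check-sbom-coverage.sh heuristic described above
# (added example, not the project's script). A Dockerfile that fetches external
# source (ADD https://... or ADD --keep-git-dir=...) must also call
# register-sbom-pkg.sh unless its pkg name is in the allowlist file.

# Number of external source fetches in one Dockerfile (0 when none).
count_source_fetches() {
    grep -cE '^[[:space:]]*ADD[[:space:]]+(https?://|--keep-git-dir=)' "$1" || true
}

# Check one Dockerfile; $2 is an optional allowlist (one pkg per line, a '#'
# comment carrying the justification). Prints a remediation hint, returns 1 on a gap.
check_dockerfile() {
    df=$1 allow=${2:-/dev/null}
    pkg=$(basename "$(dirname "$df")")
    if sed 's/[[:space:]]*#.*//' "$allow" 2>/dev/null | grep -qx "$pkg"; then
        return 0
    fi
    fetches=$(count_source_fetches "$df")
    regs=$(grep -c 'register-sbom-pkg\.sh' "$df" || true)
    if [ "$fetches" -gt 0 ] && [ "$regs" -eq 0 ]; then
        echo "$df: $fetches external source fetch(es) but no register-sbom-pkg.sh call;" \
             "register the package after its build step or allowlist '$pkg' with a justification" >&2
        return 1
    fi
    return 0
}

# Walk pkg/*/Dockerfile under a tree; returns 1 if any Dockerfile has a gap.
check_tree() {
    root=$1 allow=$2 rc=0
    for df in "$root"/pkg/*/Dockerfile; do
        [ -f "$df" ] || continue
        check_dockerfile "$df" "$allow" || rc=1
    done
    return "$rc"
}

# Demo on a constructed tree (not EVE's real Dockerfiles): one compliant pkg,
# one that forgot to register, one allowlisted toolchain.
demo=$(mktemp -d)
mkdir -p "$demo/pkg/good" "$demo/pkg/bad" "$demo/pkg/toolchain" "$demo/tools"
printf 'ADD https://example.invalid/foo.tar.gz /tmp/foo.tgz\nRUN make && register-sbom-pkg.sh /out foo 1.0\n' > "$demo/pkg/good/Dockerfile"
printf 'ADD --keep-git-dir=true https://example.invalid/bar.git#v1 /src\nRUN make\n' > "$demo/pkg/bad/Dockerfile"
printf 'ADD https://example.invalid/gcc.tar.xz /tmp/\nRUN make\n' > "$demo/pkg/toolchain/Dockerfile"
printf 'toolchain # cross-compiler only, never ships in the rootfs\n' > "$demo/tools/sbom-coverage-allowlist.txt"
check_tree "$demo" "$demo/tools/sbom-coverage-allowlist.txt" && echo "coverage OK" || echo "coverage gap found"
```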
For every pkg whose Dockerfile compiles or downloads an external artifact that ends up in the EVE rootfs, call register-sbom-pkg.sh after the build step so syft's apk-db-cataloger picks it up. Stages whose final image is FROM scratch and does not COPY /out/ wholesale also explicitly copy /lib/apk/db/installed so the entries reach the final image. The pillar collector concatenates each contributing pkg's apk DB into one merged installed file to avoid the Docker COPY overwrite that previously kept only whichever pkg was copied last.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
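As an added example that is not the project's register-sbom-pkg.sh nor the pillar collector's Dockerfile logic, this shows the shape of the minimal installed-DB record the first commit describes and the concatenation-style merge the third commit describes. Package names, versions and URLs are constructed samples, not EVE's real pins.

```shell
#!/bin/sh
# Hypothetical re-implementation of the register-sbom-pkg.sh idea (added example,
# not the project's script): append a minimal APK installed-DB record so an
# apk-db cataloger such as syft's lists a source-built package.
# Keys follow the apk installed DB format: P=name V=version A=arch L=license T=description U=url.
register_sbom_pkg() {
    outdir=$1 name=$2 version=$3 license=$4 arch=$5 desc=$6 url=$7
    db="$outdir/lib/apk/db/installed"
    mkdir -p "$(dirname "$db")"
    # Records are separated by a blank line; add one if the DB already has content.
    if [ -s "$db" ]; then printf '\n' >> "$db"; fi
    printf 'P:%s\nV:%s\nA:%s\nL:%s\nT:%s\nU:%s\n' \
        "$name" "$version" "$arch" "$license" "$desc" "$url" >> "$db"
}

# Number of records (P: lines) in an installed DB; 0 for a missing file.
apk_db_pkg_count() {
    if [ -f "$1" ]; then grep -c '^P:' "$1" || true; else echo 0; fi
}

# Concatenate per-pkg DBs into one, keeping the blank-line separators, instead of
# letting a later Docker COPY overwrite an earlier pkg's file.
merge_apk_dbs() {
    out=$1; shift
    : > "$out"
    for db in "$@"; do
        [ -s "$db" ] || continue
        if [ -s "$out" ]; then printf '\n' >> "$out"; fi
        cat "$db" >> "$out"
    done
}

# Demo on a scratch tree with constructed sample values (not real EVE pins).
demo=$(mktemp -d)
register_sbom_pkg "$demo/pkg-a" libtpms 0.0.0-r0 BSD-3-Clause x86_64 "TPM emulation library (sample)" https://example.invalid/libtpms
register_sbom_pkg "$demo/pkg-a" swtpm 0.0.0-r0 BSD-3-Clause x86_64 "Software TPM (sample)" https://example.invalid/swtpm
register_sbom_pkg "$demo/pkg-b" xen 0.0.0-r0 GPL-2.0-only x86_64 "Xen hypervisor (sample)" https://example.invalid/xen
merge_apk_dbs "$demo/merged" "$demo/pkg-a/lib/apk/db/installed" "$demo/pkg-b/lib/apk/db/installed"
echo "merged DB lists $(apk_db_pkg_count "$demo/merged") packages"   # 3
```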
Run tools/bump_dockerfiles.pl to propagate the new pkg-image hashes
produced by the SBOM coverage changes. The pillar collector merge logic
relies on lfedge/eve-{uefi,dom0-ztools,fscrypt,dnsmasq,gpt-tools}
shipping /lib/apk/db/installed at the image root, which only happens at
the new hashes; the older pins predate the register-sbom-pkg.sh work.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
Codecov Report
All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
##           master    #5961      +/-   ##
==========================================
+ Coverage   20.50%   20.90%   +0.40%
==========================================
  Files         487      497      +10
  Lines       90131    91829    +1698
==========================================
+ Hits        18482    19201     +719
- Misses      70095    70888     +793
- Partials     1554     1740     +186
@rene spdx-check fails because I copied the header from another file and forgot to update the year to 2026, can we make an exception and ignore this one? Otherwise I have to update lots of image hashes again. Yetus fails on code that I haven't changed, Claude Code fails because of some token issue.
Update eve-debug image hash in pillar.
Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
9cf284b to 9c02d1a
eriknordmark left a comment
LGTM but should we backport this to stable branches to make those SBoM more accurate as well?
Sure, I've listed the releases under "PR Backports".
@shjala please wait with the backports, I think this PR produces an incomplete apk database which later leads to segfault when somebody tries to
Description
EVE's SBOM was missing every package that was compiled from source rather than installed via `apk add`. Source-built artifacts (bpftrace, libtpms, swtpm, xen, grub, ipxe, etc.) leave no fingerprint that syft can detect, so the resulting SBOMs were silently incomplete.

This PR closes that gap in four stacked commits:
1. pkg/alpine: `register-sbom-pkg.sh` helper that appends a minimal APK DB record (P/V/L/A/T/U fields) to `<outdir>/lib/apk/db/installed` so syft picks the package up.
2. `tools/check-sbom-coverage.sh` + CI workflow: a pre-merge gate that scans every `pkg/*/Dockerfile`, counts external source fetches (`ADD https://...`, `ADD --keep-git-dir=...`) and `register-sbom-pkg.sh` calls, and fails the PR with a clear remediation message if a Dockerfile pulls external source but never registers it. A small allowlist (`tools/sbom-coverage-allowlist.txt`) covers legitimate exemptions (cross-compiler toolchain, optee-os cross build).
3. All affected `pkg/*/Dockerfile`: 30+ source-built packages registered.
4. Hash bumps: pinned updated pkg-image hashes.
PR dependencies
None.
How to test and validate this PR
Build-time:
Build EVE end-to-end on amd64 and arm64: `make pkgs && make eve`. All pkg images that previously built should still build.
Confirm the CI check works: `./tools/check-sbom-coverage.sh` (passes on this branch). Then temporarily inject a new `ADD https://example.com/foo.tar.gz /tmp/foo.tgz` into any `pkg/*/Dockerfile` without a `register-sbom-pkg.sh` call and re-run; the script should exit 1 with the remediation message. Revert after.
SBOM verification (the meat of the test):
bcc, bpftrace, lshw, hexedit, dnsmasq, zfs, fscrypt, gptfdisk, vboot, grub, guacamole-server, ossp-uuid, edid-decode, ddcutil, tpm2-tss, tpm2-tools, ipxe, makedumpfile, kexec-tools, mkinitfs, optee_client, watchdog, libqrtr-glib, libmbim, libqmi, ModemManager, picocom, lenovo-wwan-unlock, xen, liburing, seabios, libtpms, swtpm, u-boot, raspberrypi-firmware, imx-atf, firmware-imx, uboot-imx, wireless-regdb, linux-firmware, rtw88-firmware, hailo8-firmware, nvidia-l4t-firmware, rpi-firmware-nonfree, rpi-bluez-firmware, intel-ucode, amd-ucode, edk2, VfioIgdPkg, opensbi, etcdctl, virtctl, eve-monitor-rs, jetson-linux, nvidia-container-toolkit, vector.
Changelog notes
N/A
PR Backports
Checklist
And the last but not least: