Add extract-sbom command to native-image-utils

This tool relies on a native library, libextract_sbom.a, which is
currently Linux only and allows for the native-image-utils launcher, to
read the gzip compressed SBOM bytes from another native image.

Author: jerboaa

substratevm/mx.substratevm/mx_substratevm.py

@@ -2266,6 +2266,7 @@ def _native_image_utils_extra_jvm_args():
             build_args=svm_experimental_options([
                 '-H:-ParseRuntimeOptions',
                 '-H:+TreatAllTypeReachableConditionsAsTypeReached',
+                '--features=com.oracle.svm.configure.command.sbom.SbomExtractFeature',
             ]),
             extra_jvm_args=_native_image_utils_extra_jvm_args(),
             home_finder=False,

substratevm/mx.substratevm/suite.py

@@ -945,6 +945,28 @@
             "jacoco" : "exclude",
         },
 
+        "com.oracle.svm.native.extractsbom": {
+            "subDir": "src",
+            "native": "static_lib",
+            "deliverable" : "extract_sbom",
+            "os_arch": {
+                "linux": {
+                    "<others>": {
+                        "cflags": ["-g", "-Wall", "-fPIC" ],
+                    },
+                },
+                "<others>": {
+                    "<others>": {
+                        "ignore": "only supported on linux",
+                    },
+                },
+            },
+            "multitarget": {
+                "libc": ["glibc", "default"],
+            },
+            "jacoco" : "exclude",
+        },
+
         "com.oracle.svm.native.reporterchelper": {
             "subDir": "src",
             "native": "shared_lib",
@@ -2395,6 +2417,7 @@
                             "dependency:com.oracle.svm.native.libchelper/*",
                             "dependency:com.oracle.svm.native.jvm.posix/*",
                             "dependency:com.oracle.svm.native.libcontainer/*",
+                            "dependency:com.oracle.svm.native.extractsbom/*",
                             "file:debug/include",
                             "file:src/com.oracle.svm.core/src/com/oracle/svm/core/gc/shared/include",
                         ],

substratevm/src/com.oracle.svm.configure/src/com/oracle/svm/configure/ConfigurationTool.java

@@ -31,6 +31,7 @@
 import java.util.Map;
 
 import com.oracle.svm.configure.command.ConfigurationCommand;
+import com.oracle.svm.configure.command.ConfigurationCommandExtractSbom;
 import com.oracle.svm.configure.command.ConfigurationCommandFileCommand;
 import com.oracle.svm.configure.command.ConfigurationGenerateCommand;
 import com.oracle.svm.configure.command.ConfigurationGenerateConditionalsCommand;
@@ -58,13 +59,15 @@ public class ConfigurationTool {
         ConfigurationCommand processTraceCommand = new ConfigurationProcessTraceCommand();
         ConfigurationCommand generateFiltersCommand = new ConfigurationGenerateFiltersCommand();
         ConfigurationCommand conditionalsCommand = new ConfigurationGenerateConditionalsCommand();
+        ConfigurationCommand sbomExtractCommand = new ConfigurationCommandExtractSbom();
 
         commands.put(helpCommand.getName(), helpCommand);
         commands.put(generateCommand.getName(), generateCommand);
         commands.put(commandFileCommand.getName(), commandFileCommand);
         commands.put(processTraceCommand.getName(), processTraceCommand);
         commands.put(conditionalsCommand.getName(), conditionalsCommand);
         commands.put(generateFiltersCommand.getName(), generateFiltersCommand);
+        commands.put(sbomExtractCommand.getName(), sbomExtractCommand);
     }
 
     public static Collection<ConfigurationCommand> getCommands() {

substratevm/src/com.oracle.svm.configure/src/com/oracle/svm/configure/command/ConfigurationCommandExtractSbom.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 2023, 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.oracle.svm.configure.command;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Iterator;
+
+import com.oracle.svm.configure.ConfigurationUsageException;
+import com.oracle.svm.configure.command.sbom.SbomExtractLibrary;
+
+public final class ConfigurationCommandExtractSbom extends ConfigurationCommand {
+
+    private static final String IMAGE_PATH_OPT = "--image-path";
+    private static final String EXTRACT_CMD = "extract-sbom";
+
+    @Override
+    public String getName() {
+        return EXTRACT_CMD;
+    }
+
+    @Override
+    public void apply(Iterator<String> argumentsIterator) throws IOException {
+        Path imagePath = null;
+        while (argumentsIterator.hasNext()) {
+            String[] optionValue = argumentsIterator.next().split(OPTION_VALUE_SEP, OPTION_VALUE_LENGTH);
+            String option = optionValue[OPTION_INDEX];
+            String value = (optionValue.length > 1) ? optionValue[VALUE_INDEX] : null;
+            switch (option) {
+                case IMAGE_PATH_OPT:
+                    imagePath = requirePath(option, value);
+                    break;
+            }
+        }
+        if (imagePath == null) {
+            throw new ConfigurationUsageException("Argument must be provided for: " + IMAGE_PATH_OPT);
+        }
+        if (!Files.exists(imagePath)) {
+            throw new ConfigurationUsageException("Binary does not exist or is not readable: " + imagePath);
+        }
+        int exitCode = SbomExtractLibrary.extractSbom(imagePath);
+        if (exitCode != 0) {
+            throw new RuntimeException("Failed to extract SBOM. See previous messages for defails.");
+        }
+    }
+
+    @Override
+    public String getUsage() {
+        return String.format("native-image-utils %s %s=<native-binary>", EXTRACT_CMD, IMAGE_PATH_OPT);
+    }
+
+    @Override
+    protected String getDescription0() {
+        return """
+                                      extracts an embedded SBOM from a native image binary.
+                            --image-path=<path>
+                                                  the path to the binary where the SBOM is embedded.
+                        """.replace("\n", System.lineSeparator());
+    }
+}

substratevm/src/com.oracle.svm.configure/src/com/oracle/svm/configure/command/sbom/SbomExtractFeature.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2026, 2026, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package com.oracle.svm.configure.command.sbom;
+
+import org.graalvm.nativeimage.hosted.Feature;
+
+import com.oracle.svm.shared.singletons.traits.BuiltinTraits.BuildtimeAccessOnly;
+import com.oracle.svm.shared.singletons.traits.BuiltinTraits.NoLayeredCallbacks;
+import com.oracle.svm.shared.singletons.traits.SingletonTraits;
+
+/**
+ * Marker feature used at build-time to add linking for the extract_sbom static library.
+ */
+@SingletonTraits(access = BuildtimeAccessOnly.class, layeredCallbacks = NoLayeredCallbacks.class)
+public class SbomExtractFeature implements Feature {
+    @Override
+    public void afterRegistration(AfterRegistrationAccess access) {
+        // Nothing. This is only a hook to enable the extract_sbom.a library at build time
+    }
+}

substratevm/src/com.oracle.svm.configure/src/com/oracle/svm/configure/command/sbom/SbomExtractLibrary.java

@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2026, 2026, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package com.oracle.svm.configure.command.sbom;
+
+import java.nio.file.Path;
+import java.util.List;
+
+import org.graalvm.nativeimage.ImageSingletons;
+import org.graalvm.nativeimage.Platform;
+import org.graalvm.nativeimage.Platforms;
+import org.graalvm.nativeimage.c.CContext;
+import org.graalvm.nativeimage.c.function.CFunction;
+import org.graalvm.nativeimage.c.function.CFunction.Transition;
+import org.graalvm.nativeimage.c.function.CLibrary;
+import org.graalvm.nativeimage.c.type.CCharPointer;
+import org.graalvm.nativeimage.c.type.CTypeConversion;
+import org.graalvm.nativeimage.c.type.CTypeConversion.CCharPointerHolder;
+
+/**
+ * Provides Java-level access to the native {@code libextract_sbom} implementation.
+ */
+@CContext(SbomExtractLibraryDirectives.class)
+@CLibrary(value = "extract_sbom", requireStatic = true)
+public class SbomExtractLibrary {
+
+    public static int extractSbom(Path executable) {
+        CCharPointerHolder exe = CTypeConversion.toCString(executable.toAbsolutePath().toString());
+        return extractSbomNative(exe.get());
+    }
+
+    @CFunction(value = "extract_sbom", transition = Transition.NO_TRANSITION)
+    private static native int extractSbomNative(CCharPointer executable);
+
+}
+
+@Platforms(Platform.HOSTED_ONLY.class)
+class SbomExtractLibraryDirectives implements CContext.Directives {
+    /**
+     * True if {@link SbomExtractLibrary} should be linked.
+     */
+    @Override
+    public boolean isInConfiguration() {
+        return Platform.includedIn(Platform.LINUX.class) && ImageSingletons.contains(SbomExtractFeature.class);
+    }
+
+    @Override
+    public List<String> getLibraries() {
+        return List.of("elf");
+    }
+}