TNG/KernelSbom
GitHub: TNG/KernelSbom
KernelSbom is a script that generates a Software Bill of Materials in SPDX format for Linux kernel builds, used to track build dependencies and license information.
Stars: 11 | Forks: 2
```mermaid
flowchart TD
%% SHARED ELEMENTS
AGENT["SoftwareAgent"]
CREATION_INFO["CreationInfo"]
CREATION_INFO -->|createdBy| AGENT
%% SPDX DOCUMENTS
subgraph SOURCE_GRAPH["sbom-source.spdx.json"]
SOURCE_DOC["SpdxDocument"]
SOURCE_SBOM["Sbom"]
SOURCE_TREE["File (src_tree)"]
MAINC["File (init/main.c)"]
GPL2ONLY_LICENSEEXPRESSION["LicenseExpression (GPL-2.0-only)"]
SOURCE_DOC -->|rootElement| SOURCE_SBOM
SOURCE_SBOM -->|rootElement| SOURCE_TREE
SOURCE_SBOM -->|element| SOURCE_TREE
SOURCE_SBOM -->|element| MAINC
SOURCE_SBOM -->|element| GPL2ONLY_LICENSEEXPRESSION
SOURCE_TREE -->|contains| MAINC
MAINC -->|hasDeclaredLicense| GPL2ONLY_LICENSEEXPRESSION
end
subgraph OUTPUT_GRAPH["sbom-output.spdx.json"]
OUTPUT_DOC["SpdxDocument"]
OUTPUT_SBOM["Sbom"]
PACKAGE["Package (Linux Kernel (bzImage))"]
PACKAGE_LICENSEEXPRESSION["LicenseExpression (GPL-2.0 WITH Linux-syscall-note)"]
HIGH_LEVEL_BUILD["Build (High Level)"]
CONFIG["File (.config)"]
BZIMAGE["File (arch/x86/boot/bzImage)"]
OUTPUT_DOC -->|rootElement| OUTPUT_SBOM
OUTPUT_SBOM -->|rootElement| PACKAGE
OUTPUT_SBOM -->|element| PACKAGE
OUTPUT_SBOM -->|element| BZIMAGE
OUTPUT_SBOM -->|element| PACKAGE_LICENSEEXPRESSION
OUTPUT_SBOM -->|element| HIGH_LEVEL_BUILD
OUTPUT_SBOM -->|element| CONFIG
HIGH_LEVEL_BUILD -->|configSourceUri| CONFIG
PACKAGE -->|hasDistributionArtifact| BZIMAGE
PACKAGE -->|hasDeclaredLicense| PACKAGE_LICENSEEXPRESSION
end
subgraph BUILD_GRAPH["sbom-build.spdx.json"]
BUILD_DOC["SpdxDocument"]
BUILD_SBOM["Sbom"]
LOW_LEVEL_BUILD["Build"]
OBJ_TREE["File (obj_tree)"]
VMLINUX_BIN["File (arch/x86/boot/vmlinux.bin)"]
DOTDOT["..."]
RUSTLIB["File (sources outside of src tree, e.g., rustlib/src/rust/library/core/src/lib.rs)"]
MAINC_EXTERNALMAP["ExternalMap (init/main.c)"]
BZIMAGE_EXTERNALMAP["ExternalMap (arch/x86/boot/bzImage)"]
HIGH_LEVEL_BUILD_EXTERNALMAP["ExternalMap (Build (High Level))"]
BUILD_DOC -->|rootElement| BUILD_SBOM
BUILD_DOC -->|import| MAINC_EXTERNALMAP
BUILD_DOC -->|import| BZIMAGE_EXTERNALMAP
BUILD_DOC -->|import| HIGH_LEVEL_BUILD_EXTERNALMAP
BUILD_SBOM -->|rootElement| OBJ_TREE
BUILD_SBOM -->|element| OBJ_TREE
BUILD_SBOM -->|element| RUSTLIB
BUILD_SBOM -->|element| VMLINUX_BIN
BUILD_SBOM -->|element| BZIMAGE
BUILD_SBOM -->|element| LOW_LEVEL_BUILD
OBJ_TREE -->|contains| VMLINUX_BIN
OBJ_TREE -->|contains| BZIMAGE
HIGH_LEVEL_BUILD -->|ancestorOf| LOW_LEVEL_BUILD
MAINC -.->|Build| DOTDOT
RUSTLIB -.->|Build| DOTDOT
DOTDOT -.->|Build| VMLINUX_BIN
LOW_LEVEL_BUILD -->|hasInput| VMLINUX_BIN
VMLINUX_BIN -.->|Build| LOW_LEVEL_BUILD
LOW_LEVEL_BUILD -->|hasOutput| BZIMAGE
LOW_LEVEL_BUILD -.->|Build| BZIMAGE
end
```

### Same source and object tree

```mermaid
flowchart TD
%% SHARED ELEMENTS
AGENT["SoftwareAgent"]
CREATION_INFO["CreationInfo"]
CREATION_INFO -->|createdBy| AGENT
subgraph OUTPUT_GRAPH["sbom-output.spdx.json"]
OUTPUT_DOC["SpdxDocument"]
OUTPUT_SBOM["Sbom"]
PACKAGE["Package (Linux Kernel (bzImage))"]
BZIMAGE["File (arch/x86/boot/bzImage)"]
HIGH_LEVEL_BUILD["Build (High Level)"]
CONFIG["File (.config)"]
PACKAGE_LICENSEEXPRESSION["LicenseExpression (GPL-2.0 WITH Linux-syscall-note)"]
OUTPUT_DOC -->|rootElement| OUTPUT_SBOM
OUTPUT_SBOM -->|rootElement| PACKAGE
OUTPUT_SBOM -->|element| PACKAGE
OUTPUT_SBOM -->|element| PACKAGE_LICENSEEXPRESSION
OUTPUT_SBOM -->|element| BZIMAGE
OUTPUT_SBOM -->|element| HIGH_LEVEL_BUILD
OUTPUT_SBOM -->|element| CONFIG
HIGH_LEVEL_BUILD -->|configSourceUri| CONFIG
PACKAGE -->|hasDistributionArtifact| BZIMAGE
PACKAGE -->|hasDeclaredLicense| PACKAGE_LICENSEEXPRESSION
end
%% SPDX DOCUMENTS
subgraph BUILD_GRAPH["sbom-build.spdx.json"]
BUILD_DOC["SpdxDocument"]
BUILD_SBOM["Sbom"]
BZIMAGE_EXTERNALMAP["ExternalMap (arch/x86/boot/bzImage)"]
HIGH_LEVEL_BUILD_EXTERNALMAP["ExternalMap (Build (High Level))"]
LOW_LEVEL_BUILD["Build"]
MAINC["File (init/main.c)"]
GPL2ONLY_LICENSEEXPRESSION["LicenseExpression (GPL-2.0-only)"]
VMLINUX_BIN["File (arch/x86/boot/vmlinux.bin)"]
DOTDOT["..."]
RUSTLIB["File (sources outside of src tree, e.g., rustlib/src/rust/library/core/src/lib.rs)"]
BUILD_DOC -->|rootElement| BUILD_SBOM
BUILD_DOC -->|import| BZIMAGE_EXTERNALMAP
BUILD_DOC -->|import| HIGH_LEVEL_BUILD_EXTERNALMAP
BUILD_SBOM -->|rootElement| BZIMAGE
BUILD_SBOM -->|element| RUSTLIB
BUILD_SBOM -->|element| MAINC
BUILD_SBOM -->|element| GPL2ONLY_LICENSEEXPRESSION
BUILD_SBOM -->|element| VMLINUX_BIN
BUILD_SBOM -->|element| LOW_LEVEL_BUILD
HIGH_LEVEL_BUILD -->|ancestorOf| LOW_LEVEL_BUILD
MAINC -.->|Build| DOTDOT
RUSTLIB -.->|Build| DOTDOT
DOTDOT -.->|Build| VMLINUX_BIN
VMLINUX_BIN -.->|Build| LOW_LEVEL_BUILD
LOW_LEVEL_BUILD -->|hasInput| VMLINUX_BIN
LOW_LEVEL_BUILD -->|hasOutput| BZIMAGE
LOW_LEVEL_BUILD -.->|Build| BZIMAGE
MAINC -->|hasDeclaredLicense| GPL2ONLY_LICENSEEXPRESSION
end
```

## Directory structure

- `sbom/`
  - `sbom.py` - main script that generates the SBOM
  - `sbom/sbom/` - library modules used by the main script
  - `sbom/tests/` - unit tests for the library modules
- `sbom_analysis/` - additional scripts for analysing the output produced by the main script.
  - [sbom_analysis/cmd_graph_based_kernel_build/](sbom_analysis/cmd_graph_based_kernel_build/README.md) - validates the completeness of the cmd graph by rebuilding the Linux kernel using only the files referenced in the cmd graph.
  - [sbom_analysis/cmd_graph_visualization/](sbom_analysis/cmd_graph_visualization/README.md) - interactive visualization of the cmd graph
  - [sbom_analysis/strace_kernel_build/](sbom_analysis/strace_kernel_build/README.md) - builds the kernel under strace and compares the files accessed with those found through the cmd graph
- `testdata_generation/` - describes how the precompiled kernel builds in [KernelSbom-TestData](https://fileshare.tngtech.com/library/98e7e6f8-bffe-4a55-a8d2-817d4f3e51e8/KernelSbom-TestData/) were generated.

The main contribution of this repository is the content of the `sbom` directory, which is ultimately intended to move into the `linux/tools/` directory of the official [linux](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git) source tree.

## Development

Activate a virtual environment and install the build dependencies:

```
python3 -m venv .venv
source .venv/bin/activate
pip install pre-commit reuse ruff
pre-commit install
```

On commit, `reuse lint` runs as a pre-commit hook to ensure that all files carry a compatible license header.

## Running the tests

Unit tests live in `sbom/tests`. They are intended to be contributed to the upstream `linux` kernel repository.

Integration tests live in `sbom_integration_tests`. They are not intended for inclusion in the kernel repository, because they require a large number of additional files.

```
# run unit tests
python3 -m unittest discover -v -s sbom -p "test_*.py"

# run integration tests
python3 -m unittest discover -v -s sbom_integration_tests -p "test_*.py"
```
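The diagrams above split one kernel build across three SPDX documents, with `sbom-build.spdx.json` referring to `init/main.c`, the `bzImage` File and the high-level Build through ExternalMap imports rather than defining them itself. A consumer of such a set needs to check two things before trusting it: that every id a document refers to is either defined locally or declared as an import, and that every import is actually defined in a companion document (and, for the shipped artifact, that the recorded hash matches the bytes). The following is an added example written for this page, not code from TNG/KernelSbom; the three documents, the `urn:...` ids and the `BZIMAGE_BYTES` placeholder are constructed here, and the JSON shape (elements in `@graph`, `Relationship` elements with `from`/`to`/`relationshipType`, `import` ExternalMap entries on the SpdxDocument, `verifiedUsing` hashes on a File) is a simplified approximation of SPDX 3 JSON-LD, not the exact serialization the script emits.

```python
"""Cross-document consistency checks for a multi-file SPDX 3 SBOM set.

Added example (not part of TNG/KernelSbom). The documents below are
constructed and only approximate the SPDX 3 JSON-LD shape.
"""
import hashlib

# Constructed stand-in for arch/x86/boot/bzImage so the hash check runs offline.
BZIMAGE_BYTES = b"constructed bzImage placeholder\n"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


SBOM_SOURCE = {"@graph": [
    {"type": "SpdxDocument", "spdxId": "urn:src:doc", "rootElement": ["urn:src:sbom"]},
    {"type": "Sbom", "spdxId": "urn:src:sbom", "rootElement": ["urn:src:tree"],
     "element": ["urn:src:tree", "urn:src:main.c", "urn:src:gpl2"]},
    {"type": "File", "spdxId": "urn:src:tree", "name": "src_tree"},
    {"type": "File", "spdxId": "urn:src:main.c", "name": "init/main.c"},
    {"type": "LicenseExpression", "spdxId": "urn:src:gpl2", "licenseExpression": "GPL-2.0-only"},
    {"type": "Relationship", "spdxId": "urn:src:r1", "relationshipType": "contains",
     "from": "urn:src:tree", "to": ["urn:src:main.c"]},
    {"type": "Relationship", "spdxId": "urn:src:r2", "relationshipType": "hasDeclaredLicense",
     "from": "urn:src:main.c", "to": ["urn:src:gpl2"]},
]}

SBOM_OUTPUT = {"@graph": [
    {"type": "SpdxDocument", "spdxId": "urn:out:doc", "rootElement": ["urn:out:sbom"]},
    {"type": "Sbom", "spdxId": "urn:out:sbom", "rootElement": ["urn:out:pkg"],
     "element": ["urn:out:pkg", "urn:out:bzImage", "urn:out:hlbuild"]},
    {"type": "Package", "spdxId": "urn:out:pkg", "name": "Linux Kernel (bzImage)"},
    {"type": "File", "spdxId": "urn:out:bzImage", "name": "arch/x86/boot/bzImage",
     "verifiedUsing": [{"type": "Hash", "algorithm": "sha256", "hashValue": _sha256(BZIMAGE_BYTES)}]},
    {"type": "Build", "spdxId": "urn:out:hlbuild", "name": "High Level"},
    {"type": "Relationship", "spdxId": "urn:out:r1", "relationshipType": "hasDistributionArtifact",
     "from": "urn:out:pkg", "to": ["urn:out:bzImage"]},
]}

# The build document defines only its own elements; main.c, the bzImage File and
# the high-level Build are referenced by id and therefore must be imported.
# The intermediate build steps ("...") are collapsed into one hasInput edge.
SBOM_BUILD = {"@graph": [
    {"type": "SpdxDocument", "spdxId": "urn:build:doc", "rootElement": ["urn:build:sbom"],
     "import": [{"type": "ExternalMap", "externalSpdxId": "urn:src:main.c"},
                {"type": "ExternalMap", "externalSpdxId": "urn:out:bzImage"},
                {"type": "ExternalMap", "externalSpdxId": "urn:out:hlbuild"}]},
    {"type": "Sbom", "spdxId": "urn:build:sbom", "rootElement": ["urn:build:objtree"],
     "element": ["urn:build:objtree", "urn:build:vmlinux", "urn:build:llbuild"]},
    {"type": "File", "spdxId": "urn:build:objtree", "name": "obj_tree"},
    {"type": "File", "spdxId": "urn:build:vmlinux", "name": "arch/x86/boot/vmlinux.bin"},
    {"type": "Build", "spdxId": "urn:build:llbuild"},
    {"type": "Relationship", "spdxId": "urn:build:r1", "relationshipType": "ancestorOf",
     "from": "urn:out:hlbuild", "to": ["urn:build:llbuild"]},
    {"type": "Relationship", "spdxId": "urn:build:r2", "relationshipType": "hasInput",
     "from": "urn:build:llbuild", "to": ["urn:src:main.c", "urn:build:vmlinux"]},
    {"type": "Relationship", "spdxId": "urn:build:r3", "relationshipType": "hasOutput",
     "from": "urn:build:llbuild", "to": ["urn:out:bzImage"]},
    {"type": "Relationship", "spdxId": "urn:build:r4", "relationshipType": "contains",
     "from": "urn:build:objtree", "to": ["urn:build:vmlinux", "urn:out:bzImage"]},
]}

# Constructed failure case: the same build document with its imports stripped.
SBOM_BUILD_NO_IMPORTS = {"@graph": [{**SBOM_BUILD["@graph"][0], "import": []}]
                         + SBOM_BUILD["@graph"][1:]}


def doc_id(doc):
    return next(e["spdxId"] for e in doc["@graph"] if e["type"] == "SpdxDocument")


def defined_ids(doc):
    return {e["spdxId"] for e in doc["@graph"]}


def imported_ids(doc):
    return {m["externalSpdxId"] for e in doc["@graph"]
            if e["type"] == "SpdxDocument" for m in e.get("import", [])}


def referenced_ids(doc):
    refs = set()
    for e in doc["@graph"]:
        for key in ("rootElement", "element", "to"):
            refs.update(e.get(key, []))
        if "from" in e:
            refs.add(e["from"])
    return refs


def dangling_references(doc):
    """Ids a document refers to without defining or importing them."""
    return referenced_ids(doc) - defined_ids(doc) - imported_ids(doc)


def unresolved_imports(doc, others):
    """ExternalMap ids that no companion document actually defines."""
    return imported_ids(doc) - set().union(*(defined_ids(o) for o in others))


def check_artifact(doc, spdx_id, data):
    """True only if the File's recorded sha256 matches the bytes actually shipped."""
    for e in doc["@graph"]:
        if e["spdxId"] == spdx_id:
            for h in e.get("verifiedUsing", []):
                if h["algorithm"] == "sha256":
                    return h["hashValue"] == _sha256(data)
    return False  # no sha256 on record: treat as unverified


def check_sbom_set(docs):
    """Map (document id, problem kind) -> offending ids; empty dict means consistent."""
    problems = {}
    for doc in docs:
        others = [o for o in docs if o is not doc]
        for kind, ids in (("dangling", dangling_references(doc)),
                          ("unresolved-import", unresolved_imports(doc, others))):
            if ids:
                problems[(doc_id(doc), kind)] = ids
    return problems


if __name__ == "__main__":
    print(check_sbom_set([SBOM_SOURCE, SBOM_OUTPUT, SBOM_BUILD]))
    print(check_artifact(SBOM_OUTPUT, "urn:out:bzImage", BZIMAGE_BYTES))
```

Running `check_sbom_set` over the complete set returns an empty dict; dropping `sbom-output.spdx.json` reports the build document's imports of the bzImage File and the high-level Build as unresolved, and stripping the imports instead turns the same ids into dangling references. The artifact check deliberately fails closed when no sha256 is recorded, so a File without `verifiedUsing` is never treated as verified.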