feedc0de/esp-idf
1
0
Fork 0
forked from espressif/esp-idf
Code Pull Requests Activity

Merge branch 'feat/manifest_check_v4.4' into 'release/v4.4'

Browse Source 
feat: use esp-idf-sbom pre-commit plugin (v4.4)

See merge request espressif/esp-idf!27755
This commit is contained in:
Roland Dobai
2023-12-08 17:01:16 +08:00
parent ce2102eed4 22637ff824
commit 2c9fa2702e
4 changed files with 4 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.gitlab/ci/host-test.yml
View File

@@ -281,13 +281,6 @@ test_mkuf2:
- cd ${IDF_PATH}/tools/test_mkuf2
- ./test_mkuf2.py
test_sbom:
extends:
- .host_test_template
- .rules:patterns:sbom
script:
- python ${IDF_PATH}/tools/test_sbom/test_submodules.py
test_autocomplete:
extends: .host_test_template
image: $CI_DOCKER_REGISTRY/linux-shells:1

11
.gitlab/ci/rules.yml
View File

@@ -48,9 +48,6 @@
- "tools/tools.json"
- "tools/ci/test_build_system*.sh"
.patterns-sbom: &patterns-sbom
- "tools/test_sbom/*"
.patterns-custom_test: &patterns-custom_test
- "tools/ci/python_packages/gitlab_api.py"
- "tools/ci/python_packages/tiny_test_fw/**/*"
@@ -257,14 +254,6 @@
- <<: *if-dev-push
changes: *patterns-sonarqube-files
.rules:patterns:sbom:
rules:
- <<: *if-protected
- <<: *if-dev-push
changes: *patterns-sbom
- <<: *if-dev-push
changes: *patterns-submodule
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# DO NOT place comments or maintain any code from this line
#

4
.pre-commit-config.yaml
View File

@@ -123,3 +123,7 @@ repos:
hooks:
- id: file-contents-sorter
files: 'tools\/ci\/(executable-list\.txt|mypy_ignore_list\.txt)'
- repo: https://github.com/espressif/esp-idf-sbom.git
rev: v0.11.0
hooks:
- id: validate-sbom-manifest

74
tools/test_sbom/test_submodules.py
View File

@@ -1,74 +0,0 @@
# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
# SPDX-License-Identifier: Apache-2.0
import os
from subprocess import PIPE, run
from typing import Dict, List
def run_cmd(cmd: List[str]) -> str:
"""Simple helper to run command and return it's stdout."""
proc = run(cmd, stdout=PIPE, stderr=PIPE, check=True, universal_newlines=True)
return proc.stdout.strip()
def get_gitwdir() -> str:
"""Return absolute path to the current git working tree."""
return run_cmd(['git', 'rev-parse', '--show-toplevel'])
def get_submodules_config() -> Dict[str,Dict[str,str]]:
"""Return dictionary, where key is submodule name and value
is a dictionary with variable:value pairs."""
gitmodules_fn = os.path.join(get_gitwdir(), '.gitmodules')
gitmodules_data = run_cmd(['git', 'config', '--list', '--file', gitmodules_fn])
prefix = 'submodule.'
config: Dict[str, Dict[str,str]] = {}
for line in gitmodules_data.splitlines():
if not line.startswith(prefix):
continue
splitted = line.split('=', maxsplit=1)
if len(splitted) != 2:
continue
section, val = splitted
# remove "submodule." prefix
section = section[len(prefix):]
# split section into module name and variable
splitted = section.rsplit('.', maxsplit=1)
if len(splitted) != 2:
continue
module_name, var = splitted
if module_name not in config:
config[module_name] = {}
config[module_name][var] = val
return config
def test_sha() -> None:
""" Check that submodule SHA in git-tree and .gitmodules match
if sbom-hash variable is available in the .gitmodules file.
"""
submodules = get_submodules_config()
for name, variables in submodules.items():
sbom_hash = variables.get('sbom-hash')
if not sbom_hash:
continue
module_path = variables.get('path')
if not module_path:
continue
output = run_cmd(['git', 'ls-tree', 'HEAD', module_path])
if not output:
continue
module_hash = output.split()[2]
msg = (f'Submodule \"{name}\" SHA \"{module_hash}\" in git '
f'tree does not match SHA \"{sbom_hash}\" recorded in .gitmodules. '
f'Please update \"sbom-hash\" in .gitmodules for \"{name}\" '
f'and also please do not forget to update version and other submodule '
f'information if necessary. It is important to keep this information '
f'up-to-date for SBOM generation.')
assert module_hash == sbom_hash, msg
if __name__ == '__main__':
test_sha()