AlmaLinux OS SBOM data management utilities

These utilities consist of:

Requirements

Getting started

  1. Create a Python Virtual Environment: python3.9 -m venv env
  2. Activate the Virtual Environment: source env/bin/activate
  3. Install dependencies: pip install .

Using the AlmaLinux SBOM CLI

The AlmaLinux OS SBOM CLI accepts the following arguments:

Note that you must provide either a build-id or an rpm-package-hash.

Creating an SBOM of a Build in JSON format

python alma_sbom.py --file-format cyclonedx-json --build-id 4372
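A consumer-side check for the JSON output, added here as an example and not part of the AlmaLinux tooling: it hashes local files and looks each digest up in the SBOM. It assumes the generated file records SHA-256 digests in the standard CycloneDX JSON layout (metadata.component and components[], each with hashes[] entries of alg/content); the function names and sample data are constructed for illustration.

```python
import hashlib
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large RPMs are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sbom_hashes(sbom):
    """Map each SHA-256 digest in a CycloneDX JSON document to 'name-version'."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    # metadata.component describes the SBOM's subject; components lists its parts.
    subject = sbom.get("metadata", {}).get("component")
    known = {}
    for comp in ([subject] if subject else []) + sbom.get("components", []):
        for entry in comp.get("hashes", []):
            if entry.get("alg") == "SHA-256":
                label = f"{comp.get('name')}-{comp.get('version')}"
                known[entry["content"].lower()] = label
    return known


def verify_files(sbom, paths):
    """Return {path: component label, or None if the file is not in the SBOM}."""
    known = sbom_hashes(sbom)
    return {str(p): known.get(sha256_file(p)) for p in paths}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample data: two stand-in files, only one listed in the SBOM.
        listed, unlisted = Path(tmp, "listed.rpm"), Path(tmp, "unlisted.rpm")
        listed.write_bytes(b"constructed package A")
        unlisted.write_bytes(b"constructed package B")
        sample = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
            {"name": "demo", "version": "1.0-1.el9",
             "hashes": [{"alg": "SHA-256", "content": sha256_file(listed)}]}]}
        for path, label in verify_files(sample, [listed, unlisted]).items():
            print(f"{path}: {label or 'NOT LISTED IN SBOM'}")
```

To check a generated file, load it with json.load and pass the resulting dict to verify_files together with the paths of the artifacts on disk.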

Creating an SBOM of a package in XML format

python alma_sbom.py --file-format cyclonedx-xml --rpm-package-hash b00d871e204ca8cbcae72c37c53ab984fdadc3846c91fb35c315335adfe0699b

Using the AlmaLinux Git Notarization Tool

When git sources are imported from CentOS, they are notarized using Immudb. However, there are corner cases where these sources can't be notarized. For this reason, this tool was created to allow AlmaLinux developers to manually notarize AlmaLinux sources that couldn't be notarized at import time.

To summarize what the tool does:

The AlmaLinux Git Notarization Tool accepts the following arguments:

There are no mandatory arguments to pass (unless strictly required to force a notarization). If you are currently in a local clone of an AlmaLinux source, you can run python /path/to/git_notarize.py. If you want to specify the folder, run python /path/to/git_notarize.py --local-git-repo <path to local copy of a git repo>.

Note that this tool is meant for AlmaLinux developers who have write permissions on git.almalinux.org and who have the AlmaLinux Immudb credentials required to notarize artifacts on behalf of AlmaLinux.

Contributing to Alma SBOM

Any questions? Found a bug? File an issue. Do you want to contribute source code?

  1. Fork the repository on GitHub
  2. Create a new feature branch
  3. Write your change
  4. Submit a pull request