
feat: sbom generation ubuntu and nix packages

Open samrose opened this issue 2 months ago • 1 comments

Files Created/Modified:

New Files:

  • nix/packages/sbom/ - Go package directory with:
    • default.nix - Nix package definition
    • go.mod - Go module file
    • cmd/sbom/main.go - CLI with ubuntu/nix/combined subcommands
    • internal/spdx/types.go - SPDX document structures
    • internal/ubuntu/generator.go - Ubuntu dpkg package scanner
    • internal/nix/wrapper.go - sbomnix wrapper
    • internal/merge/merger.go - SBOM merger

Modified Files:

  • flake.nix - Added sbomnix input
  • flake.lock - Updated with sbomnix
  • nix/packages/default.nix - Registered sbom packages
  • nix/fmt.nix - Added gofmt and excludes for .sum and vendor/
  • nix/devShells.nix - Added Go tools, sbom, sbomnix, spdx-tools
  • nix/checks.nix - Added sbom-builds and sbomnix-available checks
  • scripts/nix-provision.sh - Added SBOM generation step
  • stage2-nix-psql.pkr.hcl - Added provisioner to download SBOM
  • .github/workflows/ami-release-nix.yml - Added SBOM upload to S3 (staging and prod)

New Packages:

  • sbom - Main Go binary
  • sbom-generator - Combined Ubuntu+Nix SBOM generator
  • sbom-ubuntu - Ubuntu-only SBOM generator
  • sbom-nix - Nix-only SBOM generator (wraps sbomnix)
  • sbomnix - Upstream sbomnix tool

New Checks:

  • sbom-builds - Verifies the sbom binary builds and runs
  • sbomnix-available - Verifies sbomnix is functional

CI Integration:

At release time, the SBOM will be:

  1. Generated during packer provisioning (on the actual AMI)
  2. Downloaded from the instance
  3. Uploaded to s3://{bucket}/manifests/postgres-{version}/sbom.spdx.json

samrose avatar Dec 09 '25 20:12 samrose
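The description above outlines an Ubuntu dpkg scanner, SPDX document types and a merger that combines the Ubuntu and Nix SBOMs. The following is an added illustration of how those pieces fit together and is not the PR's own code: it assumes a minimal SPDX 2.3 document shape (only the fields needed here), a constructed sample of `dpkg-query -W -f '${Package}\t${Version}\t${Architecture}\n'` output, and a constructed Nix package entry. The functions `ParseDpkg`, `NewDocument` and `Merge` are hypothetical names, not the project's `internal/` API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Package is a reduced SPDX 2.3 package record (assumption: only fields needed here).
type Package struct {
	SPDXID           string `json:"SPDXID"`
	Name             string `json:"name"`
	VersionInfo      string `json:"versionInfo"`
	DownloadLocation string `json:"downloadLocation"`
	Supplier         string `json:"supplier,omitempty"`
}

// Document is a reduced SPDX 2.3 document (assumption: no relationships/files).
type Document struct {
	SPDXVersion string    `json:"spdxVersion"`
	DataLicense string    `json:"dataLicense"`
	SPDXID      string    `json:"SPDXID"`
	Name        string    `json:"name"`
	Packages    []Package `json:"packages"`
}

// SampleDpkg is constructed sample output, tab-separated: name, version, arch.
const SampleDpkg = "libc6\t2.35-0ubuntu3.8\tamd64\n" +
	"openssl\t3.0.2-0ubuntu1.18\tamd64\n" +
	"postgresql-client-common\t238\tall\n"

// spdxID builds an SPDXRef identifier. SPDX permits only letters, digits,
// '.' and '-', so every other byte (e.g. '+' or ':' in Debian versions) is
// mapped to '-'. The source prefix keeps Ubuntu and Nix entries apart.
func spdxID(source, name, version string) string {
	raw := fmt.Sprintf("SPDXRef-Package-%s-%s-%s", source, name, version)
	return strings.Map(func(r rune) rune {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '.', r == '-':
			return r
		}
		return '-'
	}, raw)
}

// ParseDpkg converts dpkg-query lines into SPDX packages. A malformed line is
// an error rather than a silent skip, so a truncated scan cannot yield a
// plausible-looking but incomplete SBOM.
func ParseDpkg(out string) ([]Package, error) {
	var pkgs []Package
	for i, line := range strings.Split(strings.TrimSpace(out), "\n") {
		if line == "" {
			continue
		}
		f := strings.Split(line, "\t")
		if len(f) != 3 {
			return nil, fmt.Errorf("dpkg line %d: expected 3 fields, got %d", i+1, len(f))
		}
		pkgs = append(pkgs, Package{
			SPDXID:           spdxID("ubuntu", f[0], f[1]),
			Name:             f[0],
			VersionInfo:      f[1],
			DownloadLocation: "NOASSERTION",
			Supplier:         "Organization: Ubuntu",
		})
	}
	return pkgs, nil
}

// NewDocument wraps a package list in a document with the fixed SPDX header fields.
func NewDocument(name string, pkgs []Package) Document {
	return Document{SPDXVersion: "SPDX-2.3", DataLicense: "CC0-1.0",
		SPDXID: "SPDXRef-DOCUMENT", Name: name, Packages: pkgs}
}

// Merge combines several documents into one, dropping packages whose SPDXID was
// already seen and sorting by SPDXID so repeated runs produce byte-identical output.
func Merge(name string, docs ...Document) Document {
	seen := map[string]bool{}
	var pkgs []Package
	for _, d := range docs {
		for _, p := range d.Packages {
			if seen[p.SPDXID] {
				continue
			}
			seen[p.SPDXID] = true
			pkgs = append(pkgs, p)
		}
	}
	sort.Slice(pkgs, func(i, j int) bool { return pkgs[i].SPDXID < pkgs[j].SPDXID })
	return NewDocument(name, pkgs)
}

func main() {
	ubuntuPkgs, err := ParseDpkg(SampleDpkg)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for what a sbomnix wrapper would return.
	nixPkgs := []Package{{SPDXID: spdxID("nix", "postgresql", "15.8"),
		Name: "postgresql", VersionInfo: "15.8", DownloadLocation: "NOASSERTION"}}
	merged := Merge("combined", NewDocument("ubuntu", ubuntuPkgs), NewDocument("nix", nixPkgs))
	b, _ := json.MarshalIndent(merged, "", "  ")
	fmt.Println(string(b))
}
```

Two choices matter for an SBOM that is uploaded per release: the parser fails closed on malformed input instead of dropping lines, and the merger sorts the result so two builds of the same AMI yield the same `sbom.spdx.json`, which makes a changed manifest a meaningful signal rather than noise.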

:white_check_mark: Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| :white_check_mark: | Code Security | 0 | 0 | 0 | 0 | 0 issues |

:computer: Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

snyk-io[bot] avatar Dec 09 '25 20:12 snyk-io[bot]

[!IMPORTANT]

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot] avatar Dec 18 '25 13:12 coderabbitai[bot]