From 0d5432a04dbfb78b582c808856f912b412b1201b Mon Sep 17 00:00:00 2001
From: Seth Michael Larson
Date: Wed, 17 Jan 2024 13:18:02 -0600
Subject: [PATCH] Add support for hosting SPDX-2 SBOMs alongside release artifacts (#2359)
---
downloads/api.py | 2 +-
.../0010_releasefile_sbom_spdx2_file.py | 18 ++++++++++++++++++
downloads/models.py | 3 +++
downloads/serializers.py | 1 +
downloads/templatetags/download_tags.py | 5 +++++
templates/downloads/release_detail.html | 7 +++++++
6 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 downloads/migrations/0010_releasefile_sbom_spdx2_file.py
diff --git a/downloads/api.py b/downloads/api.py
index e58023dbf..73eb9b7bf 100644
--- a/downloads/api.py
+++ b/downloads/api.py
@@ -69,7 +69,7 @@ class Meta(GenericResource.Meta):
'creator', 'last_modified_by', 'os', 'release', 'description', 'is_source', 'url', 'gpg_signature_file', 'md5_sum', 'filesize', 'download_button', 'sigstore_signature_file',
- 'sigstore_cert_file', 'sigstore_bundle_file',
+ 'sigstore_cert_file', 'sigstore_bundle_file', 'sbom_spdx2_file',
]
filtering = {
'name': ('exact',),
diff --git a/downloads/migrations/0010_releasefile_sbom_spdx2_file.py b/downloads/migrations/0010_releasefile_sbom_spdx2_file.py
new file mode 100644
index 000000000..f3a4784e9
--- /dev/null
+++ b/downloads/migrations/0010_releasefile_sbom_spdx2_file.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.2.24 on 2024-01-12 21:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('downloads', '0009_releasefile_sigstore_bundle_file'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='releasefile',
+ name='sbom_spdx2_file',
+ field=models.URLField(blank=True, help_text='SPDX-2 SBOM URL', verbose_name='SPDX-2 SBOM URL'),
+ ),
+ ]
diff --git a/downloads/models.py b/downloads/models.py
index 6d91534ac..4a9c5781c 100644
--- a/downloads/models.py
+++ b/downloads/models.py
@@ -332,6 +332,9 @@ class ReleaseFile(ContentManageable, NameSlugModel):
sigstore_bundle_file = models.URLField(
"Sigstore Bundle URL", blank=True, help_text="Sigstore Bundle URL"
)
+ sbom_spdx2_file = models.URLField(
+ "SPDX-2 SBOM URL", blank=True, help_text="SPDX-2 SBOM URL"
+ )
md5_sum = models.CharField('MD5 Sum', max_length=200, blank=True)
filesize = models.IntegerField(default=0)
download_button = models.BooleanField(default=False, help_text="Use for the supernav download button for this OS")
diff --git a/downloads/serializers.py b/downloads/serializers.py
index 67bde5b5c..1ff57049f 100644
--- a/downloads/serializers.py
+++ b/downloads/serializers.py
@@ -49,4 +49,5 @@ class Meta:
'sigstore_signature_file',
'sigstore_cert_file',
'sigstore_bundle_file',
+ 'sbom_spdx2_file',
)
diff --git a/downloads/templatetags/download_tags.py b/downloads/templatetags/download_tags.py
index fb3496787..57004ccb4 100644
--- a/downloads/templatetags/download_tags.py
+++ b/downloads/templatetags/download_tags.py
@@ -14,3 +14,8 @@ def has_sigstore_materials(files):
f.sigstore_bundle_file or f.sigstore_cert_file or f.sigstore_signature_file
for f in files
)
+
+
+@register.filter
+def has_sbom(files):
+ return any(f.sbom_spdx2_file for f in files)
diff --git a/templates/downloads/release_detail.html b/templates/downloads/release_detail.html
index b68b69a66..730b9b273 100644
--- a/templates/downloads/release_detail.html
+++ b/templates/downloads/release_detail.html
@@ -2,6 +2,7 @@
{% load boxes %}
{% load sitetree %}
{% load has_sigstore_materials from download_tags %}
+{% load has_sbom from download_tags %}
{% block body_attributes %}class="python downloads"{% endblock %}
@@ -53,6 +54,9 @@
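Review bot: The new `sbom_spdx2_file` URLField on ReleaseFile stores only a link, with no companion signature or digest field, so unlike the Sigstore fields immediately above it nothing on the model lets a consumer confirm that the SBOM they fetch is the one published for this artifact. Whether the SBOM is meant to be covered by the release's Sigstore bundle is not visible in this hunk; if it is, the help text should say so, and if it is not, a sibling field for an SBOM signature or bundle would close the gap. As written the help text merely repeats the verbose name, e.g. `help_text="URL of the SPDX-2 Software Bill of Materials published for this file"` would tell an admin what to put there. The ReleaseFile class body starts and ends outside the hunk.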
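Review bot: `has_sbom` is registered as a template filter but has no docstring, while its sibling `has_sigstore_materials` is the model it copies; add `"""Return True if any of *files* links an SPDX-2 SBOM (drives the SBOM column in release_detail.html)."""`. The template hunks at the end of this patch appear to evaluate `release_files|has_sbom` once per row inside the `{% for %}` loop, so each row rescans the whole file list; computing it once above the loop would avoid that, though the surrounding template markup is not fully visible here. The enclosing `has_sigstore_materials` definition starts outside the hunk.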

Files

{% if release_files|has_sigstore_materials %} Sigstore {% endif %} + {% if release_files|has_sbom %} + SBOM + {% endif %} @@ -72,6 +76,9 @@

Files

{% if f.sigstore_signature_file %}SIG{% endif %} {% endif %} {% endif %} + {% if release_files|has_sbom %} + {% if f.sbom_spdx2_file %}SPDX{% endif %} + {% endif %} {% endfor %}