fix supply chain: bump cargo-cyclonedx 0.5.7, fix SBOM generation, fix rmeta test

- Bump cargo-cyclonedx from 0.5.5 to 0.5.7 (supports lockfile v4) - Generate SBOM for karapace-cli crate only (single predictable file) - Fix --output-prefix → --override-filename (CLI change in 0.5.x) - Fix rmeta tampering test: accept build failure as valid defense (cargo rejects corrupted .rmeta with compilation errors)
2026-03-26 21:43:09 +00:00 · 2026-02-22 20:31:08 +01:00 · 2026-02-22 20:31:08 +01:00 · 62b9b569be
commit 62b9b569be
parent e8c0af0ac4
12 changed files with 20 additions and 23385 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -45,9 +45,11 @@ jobs:
      - name: Build release binaries
        run: cargo build --release --workspace --target ${{ matrix.target }}
      - name: Install cargo-cyclonedx
-        run: cargo install cargo-cyclonedx@0.5.5 --locked
+        run: cargo install cargo-cyclonedx@0.5.7 --locked
      - name: Generate SBOM
-        run: cargo cyclonedx --format json --all
+        run: |
+          cargo cyclonedx --manifest-path crates/karapace-cli/Cargo.toml --format json --override-filename karapace_bom
+          mv crates/karapace-cli/karapace_bom.json .
      - name: Compute and verify checksums
        run: |
          cd target/${{ matrix.target }}/release
@ -55,13 +57,12 @@ jobs:
          sha256sum -c SHA256SUMS
      - name: Validate SBOM
        run: |
-          SBOM=$(find crates/karapace-cli -name '*.cdx.json' | head -1)
          python3 -c "
          import json
-          with open('$SBOM') as f:
+          with open('karapace_bom.json') as f:
              bom = json.load(f)
          assert 'components' in bom and len(bom['components']) > 0
-          print(f'SBOM valid: {len(bom[\"components\"])} components')
+          print(f'SBOM valid: {len(bom["components"])} components')
          "
      - name: Verify static linking (musl only)
        if: contains(matrix.target, 'musl')
--- a/.github/workflows/supply-chain-test.yml
+++ b/.github/workflows/supply-chain-test.yml
@ -41,10 +41,12 @@ jobs:
        run: cargo build --release -p karapace-cli -p karapace-dbus

      - name: Install cargo-cyclonedx
-        run: cargo install cargo-cyclonedx@0.5.5 --locked
+        run: cargo install cargo-cyclonedx@0.5.7 --locked

      - name: Generate SBOM
-        run: cargo cyclonedx --format json --output-prefix karapace
+        run: |
+          cargo cyclonedx --manifest-path crates/karapace-cli/Cargo.toml --format json --override-filename karapace_bom
+          mv crates/karapace-cli/karapace_bom.json .

      - name: Compute checksums
        run: |
@ -505,7 +507,7 @@ jobs:
          fi
          echo "PASS: Clean rebuild matches baseline after multi-rlib tampering"

-      - name: "Test: .rmeta tampering triggers rebuild"
+      - name: "Test: .rmeta tampering triggers rebuild or error"
        run: |
          set -euo pipefail
          BASELINE_HASH=$(sha256sum target/release/karapace | awk '{print $1}')
@ -516,12 +518,16 @@ jobs:
          open('$RMETA', 'wb').write(data)
          "
          done
-          cargo build --release -p karapace-cli -p karapace-dbus 2>&1 | tail -3
+          # Build may fail (cargo detects corrupted rmeta) or rebuild from source
+          if ! cargo build --release -p karapace-cli -p karapace-dbus 2>&1 | tail -5; then
+            echo "PASS: Cargo rejected tampered .rmeta files (build error = tampering detected)"
+            exit 0
+          fi
          RMETA_HASH=$(sha256sum target/release/karapace | awk '{print $1}')
          if [ "$RMETA_HASH" = "$BASELINE_HASH" ]; then
            echo "PASS: Cargo rebuilt from source, ignoring tampered .rmeta"
          else
-            echo "FATAL: .rmeta tampering changed binary hash"
+            echo "FATAL: .rmeta tampering changed binary hash without detection"
            exit 1
          fi

--- a/crates/karapace-cli/karapace-cli.cdx.json
+++ b/crates/karapace-cli/karapace-cli.cdx.json
--- a/crates/karapace-core/karapace-core.cdx.json
+++ b/crates/karapace-core/karapace-core.cdx.json
--- a/crates/karapace-dbus/karapace-dbus.cdx.json
+++ b/crates/karapace-dbus/karapace-dbus.cdx.json
--- a/crates/karapace-remote/karapace-remote.cdx.json
+++ b/crates/karapace-remote/karapace-remote.cdx.json
--- a/crates/karapace-runtime/karapace-runtime.cdx.json
+++ b/crates/karapace-runtime/karapace-runtime.cdx.json
--- a/crates/karapace-schema/karapace-schema.cdx.json
+++ b/crates/karapace-schema/karapace-schema.cdx.json
--- a/crates/karapace-server/karapace-server.cdx.json
+++ b/crates/karapace-server/karapace-server.cdx.json
--- a/crates/karapace-store/karapace-store.cdx.json
+++ b/crates/karapace-store/karapace-store.cdx.json
--- a/crates/karapace-tui/karapace-tui.cdx.json
+++ b/crates/karapace-tui/karapace-tui.cdx.json
--- a/scripts/generate-sbom.sh
+++ b/scripts/generate-sbom.sh
@ -3,8 +3,8 @@ set -euo pipefail

 command -v cargo-cyclonedx >/dev/null 2>&1 || {
    echo "Installing cargo-cyclonedx..."
-    cargo install cargo-cyclonedx@0.5.5 --locked
+    cargo install cargo-cyclonedx@0.5.7 --locked
 }

-cargo cyclonedx --format json --output-prefix karapace
-echo "SBOM written to karapace_bom.json"
+cargo cyclonedx --format json --override-filename karapace_bom
+echo "SBOM written to karapace_bom.cdx.json"