ROX-33792: Make ossls audit --export output deterministic for reproducible builds#52
Open
janisz wants to merge 2 commits into
0369d69 to 4fe3cc8
Adds support for reproducible builds by making export output deterministic:
- Sort license files alphabetically before export
- Normalize file timestamps using SOURCE_DATE_EPOCH environment variable
- Falls back to current time when SOURCE_DATE_EPOCH is not set

This enables byte-for-byte identical output across multiple runs when SOURCE_DATE_EPOCH is set, allowing build verification for compliance.

Implementation:
- Added getExportTimestamp() helper to parse SOURCE_DATE_EPOCH
- Modified export() to sort dependency.Files and set timestamps with os.Chtimes()
- Updated README with usage documentation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
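The mechanism the commit message describes (parse SOURCE_DATE_EPOCH, fall back to the current time when it is unset, sort the files, stamp them with os.Chtimes) written out as an added example; this is not the ossls project's own code. getExportTimestamp, exportFiles, treeDigest, exportOnce and sampleFiles are hypothetical names, and the flat map of license files stands in for dependency.Files. It goes one step beyond the commit: it hashes the exported tree so the check the downstream stackrox commit did by hand (identical SHA256 hashes across two clean builds) is performed in code, and it rejects a malformed SOURCE_DATE_EPOCH instead of silently falling back to the current time.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"time"
)

// getExportTimestamp returns the mtime to stamp on exported files: SOURCE_DATE_EPOCH (seconds since
// the Unix epoch) when set, otherwise the current time. A malformed value is an error, not a silent fallback.
func getExportTimestamp() (time.Time, error) {
	raw := os.Getenv("SOURCE_DATE_EPOCH")
	if raw == "" {
		return time.Now(), nil
	}
	secs, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || secs < 0 {
		return time.Time{}, fmt.Errorf("invalid SOURCE_DATE_EPOCH %q", raw)
	}
	return time.Unix(secs, 0).UTC(), nil
}

// exportFiles writes the license files into outDir in sorted name order, each stamped with atime/mtime ts.
func exportFiles(files map[string][]byte, outDir string, ts time.Time) error {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		dst := filepath.Join(outDir, name)
		if err := os.WriteFile(dst, files[name], 0o644); err != nil {
			return err
		}
		if err := os.Chtimes(dst, ts, ts); err != nil {
			return err
		}
	}
	return nil
}

// treeDigest hashes each file's name, mtime and content in name order; equal digests mean a reproducible export.
func treeDigest(dir string) (string, error) {
	entries, err := os.ReadDir(dir) // ReadDir returns entries sorted by name
	if err != nil {
		return "", err
	}
	h := sha256.New()
	for _, e := range entries {
		info, err := e.Info()
		if err != nil {
			return "", err
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%s\x00%d\x00", e.Name(), info.ModTime().Unix())
		h.Write(data)
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

// exportOnce runs one complete export into a fresh temp directory and returns its digest.
func exportOnce(files map[string][]byte) (string, error) {
	ts, err := getExportTimestamp()
	if err != nil {
		return "", err
	}
	dir, err := os.MkdirTemp("", "ossls-export-*")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	if err := exportFiles(files, dir, ts); err != nil {
		return "", err
	}
	return treeDigest(dir)
}

func sampleFiles() map[string][]byte {
	return map[string][]byte{ // constructed sample input standing in for dependency.Files
		"zlib-LICENSE":   []byte("zlib License\n"),
		"golang-LICENSE": []byte("BSD-3-Clause\n"),
		"apache-LICENSE": []byte("Apache License 2.0\n"),
	}
}

func main() {
	os.Setenv("SOURCE_DATE_EPOCH", "978307200") // the value the stackrox Makefile target sets
	a, _ := exportOnce(sampleFiles())
	b, _ := exportOnce(sampleFiles())
	fmt.Printf("digest %s\nbyte-identical across two runs: %v\n", a, a == b)
}
```

Two points worth keeping from this shape: verification is done on the output tree (name, mtime and bytes per file), not by trusting that the environment variable was set, which is what turns "reproducible" from a claim into a checked property a build can gate on; and the same sorting discipline has to apply to every derived artifact, which is why the follow-up stackrox commit also needed manifest.csv sorted before the layer hashes matched.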
4fe3cc8 to c1ab840
janisz added a commit to stackrox/stackrox that referenced this pull request on May 6, 2026
Problem: OSS notice generation was non-deterministic, preventing Docker layer deduplication.

Solution:
- Update ossls to stackrox/ossls#52 (make_it_reproducible branch)
- Set SOURCE_DATE_EPOCH=978307200 in ossls-notice Makefile target
- Version: v0.0.0-20260506130332-c1ab840812a7 (with manifest.csv sorting)

Verified: All 3313 files in THIRD_PARTY_NOTICES have identical SHA256 hashes across two clean builds. manifest.csv is now sorted alphabetically.

Why: When dependencies unchanged, Docker detects identical layer content and reuses existing registry layers, saving 30-60s upload time per build.

Related: stackrox/ossls#52

Partially AI-assisted.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- TestGetExportTimestamp: SOURCE_DATE_EPOCH parsing (6 test cases)
- TestCopyPackageJsonContents: package.json extraction (4 test cases)
- TestExportDependencyFile: file export with timestamps (5 test cases)
- TestExport: complete export workflow (3 test cases)
- TestExportManifest: deterministic CSV generation (6 test cases)
- TestReproducibleExport: end-to-end integration test
- TestExportDependencyFileErrors: error path testing (3 test cases)

Total: 28 test cases across 7 test functions

Coverage: 100% for getExportTimestamp and exportDependencyFile, 92%+ for exportManifest, 82%+ for copyPackageJsonContents
We discussed that in a meeting and we should rather check whether this can be removed completely in favor of SBOM.
Adds support for reproducible builds by making export output deterministic:
This enables byte-for-byte identical output across multiple runs when SOURCE_DATE_EPOCH is set, allowing Docker layer deduplication and build verification for compliance.
Implementation:
Refs: