Add support for hosting SPDX-2 SBOMs alongside release artifacts (#2359)

Author: sethmlarson

downloads/api.py

@@ -69,7 +69,7 @@ class Meta(GenericResource.Meta):
             'creator', 'last_modified_by',
             'os', 'release', 'description', 'is_source', 'url', 'gpg_signature_file',
             'md5_sum', 'filesize', 'download_button', 'sigstore_signature_file',
-            'sigstore_cert_file', 'sigstore_bundle_file',
+            'sigstore_cert_file', 'sigstore_bundle_file', 'sbom_spdx2_file',
         ]
         filtering = {
             'name': ('exact',),

downloads/migrations/0010_releasefile_sbom_spdx2_file.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.24 on 2024-01-12 21:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('downloads', '0009_releasefile_sigstore_bundle_file'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='releasefile',
+            name='sbom_spdx2_file',
+            field=models.URLField(blank=True, help_text='SPDX-2 SBOM URL', verbose_name='SPDX-2 SBOM URL'),
+        ),
+    ]

downloads/models.py

@@ -332,6 +332,9 @@ class ReleaseFile(ContentManageable, NameSlugModel):
     sigstore_bundle_file = models.URLField(
         "Sigstore Bundle URL", blank=True, help_text="Sigstore Bundle URL"
     )
+    sbom_spdx2_file = models.URLField(
+        "SPDX-2 SBOM URL", blank=True, help_text="SPDX-2 SBOM URL"
+    )
     md5_sum = models.CharField('MD5 Sum', max_length=200, blank=True)
     filesize = models.IntegerField(default=0)
     download_button = models.BooleanField(default=False, help_text="Use for the supernav download button for this OS")

downloads/serializers.py

@@ -49,4 +49,5 @@ class Meta:
             'sigstore_signature_file',
             'sigstore_cert_file',
             'sigstore_bundle_file',
+            'sbom_spdx2_file',
         )

downloads/templatetags/download_tags.py

@@ -14,3 +14,8 @@ def has_sigstore_materials(files):
         f.sigstore_bundle_file or f.sigstore_cert_file or f.sigstore_signature_file
         for f in files
     )
+
+
+@register.filter
+def has_sbom(files):
+    return any(f.sbom_spdx2_file for f in files)

templates/downloads/release_detail.html

@@ -2,6 +2,7 @@
 {% load boxes %}
 {% load sitetree %}
 {% load has_sigstore_materials from download_tags %}
+{% load has_sbom from download_tags %}
 
 {% block body_attributes %}class="python downloads"{% endblock %}
 
@@ -53,6 +54,9 @@ <h1 class="page-title">Files</h1>
               {% if release_files|has_sigstore_materials %}
               <th colspan="2"><a href="https://www.python.org/download/sigstore/">Sigstore</a></th>
               {% endif %}
+              {% if release_files|has_sbom %}
+              <th>SBOM</th>
+              {% endif %}
             </tr>
           </thead>
           <tbody>
@@ -72,6 +76,9 @@ <h1 class="page-title">Files</h1>
                   <td>{% if f.sigstore_signature_file %}<a href="{{ f.sigstore_signature_file }}">SIG</a>{% endif %}</td>
                   {% endif %}
                 {% endif %}
+                {% if release_files|has_sbom %}
+                  <td>{% if f.sbom_spdx2_file %}<a href="{{ f.sbom_spdx2_file }}">SPDX</a>{% endif %}</td>
+                {% endif %}
               </tr>
             {% endfor %}
           </tbody>