explore skipping SBOM generation

Signed-off-by: arewm <[email protected]>

task/buildah-oci-ta/0.2/README.md

@@ -23,6 +23,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
 |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
 |LABELS|Additional key=value labels that should be applied to the image|[]|false|
 |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
+|SKIP_SBOM|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false|
 |SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
 |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
 |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|

task/buildah-oci-ta/0.2/buildah-oci-ta.yaml

@@ -82,6 +82,11 @@ spec:
         be made available to the build.
       type: string
       default: ""
+    - name: SKIP_SBOM
+      description: Skip SBOM-related operations. This will likely cause EC
+        policies to fail if enabled
+      type: string
+      default: "false"
     - name: SKIP_UNUSED_STAGES
       description: Whether to skip stages in Containerfile that seem unused
         by subsequent stages
@@ -500,6 +505,10 @@ spec:
         - mountPath: /shared
           name: shared
       script: |
+        if [ "${SKIP_SBOM}" == "true" ]; then
+          echo "Skipping SBOM generation"
+          exit 0
+        fi
         echo "Running syft on the source directory"
         syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
         echo "Running syft on the image filesystem"
@@ -587,7 +596,12 @@ spec:
         base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
         base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
         container=$(buildah from --pull-never $IMAGE)
-        buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+
+        if [ "${SKIP_SBOM}" == "true" ]; then
+          echo "Skipping SBOM injection"
+        else
+          buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+        fi
         buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container
 
         BUILDAH_ARGS=()
@@ -621,11 +635,16 @@ spec:
           cat "/var/workdir/image-digest"
         } >"$(results.IMAGE_REF.path)"
 
-        # Remove tag from IMAGE while allowing registry to contain a port number.
-        sbom_repo="${IMAGE%:*}"
-        sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
-        # The SBOM_BLOB_URL is created by `cosign attach sbom`.
-        echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
+        if [ "${SKIP_SBOM}" == "true" ]; then
+          echo "Skipping generation of SBOM_BLOB_URL result"
+          echo -n "" | tee "$(results.SBOM_BLOB_URL.path)"
+        else
+          # Remove tag from IMAGE while allowing registry to contain a port number.
+          sbom_repo="${IMAGE%:*}"
+          sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
+          # The SBOM_BLOB_URL is created by `cosign attach sbom`.
+          echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
+        fi
       computeResources:
         limits:
           cpu: "4"
@@ -653,7 +672,11 @@ spec:
           update-ca-trust
         fi
 
-        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+         if [ "${SKIP_SBOM}" == "true" ]; then
+          echo "Skipping upload of SBOM result"
+        else
+          cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+        fi
       computeResources:
         limits:
           cpu: 200m

task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml

@@ -81,6 +81,11 @@ spec:
       to the build.
     name: PREFETCH_INPUT
     type: string
+  - default: "false"
+    description: Skip SBOM-related operations. This will likely cause EC policies
+      to fail if enabled
+    name: SKIP_SBOM
+    type: string
   - default: "true"
     description: Whether to skip stages in Containerfile that seem unused by subsequent
       stages
@@ -603,6 +608,10 @@ spec:
         IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
         export IMAGE
       fi
+      if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping SBOM generation"
+        exit 0
+      fi
       echo "Running syft on the source directory"
       syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
       echo "Running syft on the image filesystem"
@@ -705,7 +714,12 @@ spec:
       base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
       base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
       container=$(buildah from --pull-never $IMAGE)
-      buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+
+      if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping SBOM injection"
+      else
+        buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+      fi
       buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container
 
       BUILDAH_ARGS=()
@@ -739,11 +753,16 @@ spec:
         cat "/var/workdir/image-digest"
       } >"$(results.IMAGE_REF.path)"
 
-      # Remove tag from IMAGE while allowing registry to contain a port number.
-      sbom_repo="${IMAGE%:*}"
-      sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
-      # The SBOM_BLOB_URL is created by `cosign attach sbom`.
-      echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
+      if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping generation of SBOM_BLOB_URL result"
+        echo -n "" | tee "$(results.SBOM_BLOB_URL.path)"
+      else
+        # Remove tag from IMAGE while allowing registry to contain a port number.
+        sbom_repo="${IMAGE%:*}"
+        sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
+        # The SBOM_BLOB_URL is created by `cosign attach sbom`.
+        echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
+      fi
     securityContext:
       capabilities:
         add:
@@ -779,7 +798,11 @@ spec:
         update-ca-trust
       fi
 
-      cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+       if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping upload of SBOM result"
+      else
+        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+      fi
     volumeMounts:
     - mountPath: /mnt/trusted-ca
       name: trusted-ca

task/buildah-remote/0.2/buildah-remote.yaml

@@ -119,6 +119,11 @@ spec:
     description: Additional key=value labels that should be applied to the image
     name: LABELS
     type: array
+  - default: "false"
+    description: Skip SBOM-related operations. This will likely cause EC policies
+      to fail if enabled
+    name: SKIP_SBOM
+    type: string
   - description: The platform to build on
     name: PLATFORM
     type: string
@@ -579,6 +584,10 @@ spec:
         IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
         export IMAGE
       fi
+      if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping SBOM generation"
+        exit 0
+      fi
       echo "Running syft on the source directory"
       syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json"
       echo "Running syft on the image filesystem"
@@ -681,7 +690,12 @@ spec:
       base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
       base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
       container=$(buildah from --pull-never $IMAGE)
-      buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+
+      if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping SBOM injection"
+      else
+        buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+      fi
       buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container
 
       BUILDAH_ARGS=()
@@ -715,11 +729,16 @@ spec:
         cat "$(workspaces.source.path)/image-digest"
       } > "$(results.IMAGE_REF.path)"
 
-      # Remove tag from IMAGE while allowing registry to contain a port number.
-      sbom_repo="${IMAGE%:*}"
-      sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
-      # The SBOM_BLOB_URL is created by `cosign attach sbom`.
-      echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
+      if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping generation of SBOM_BLOB_URL result"
+        echo -n "" | tee "$(results.SBOM_BLOB_URL.path)"
+      else
+        # Remove tag from IMAGE while allowing registry to contain a port number.
+        sbom_repo="${IMAGE%:*}"
+        sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
+        # The SBOM_BLOB_URL is created by `cosign attach sbom`.
+        echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
+      fi
     securityContext:
       capabilities:
         add:
@@ -755,7 +774,11 @@ spec:
         update-ca-trust
       fi
 
-      cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+       if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping upload of SBOM result"
+      else
+        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+      fi
     volumeMounts:
     - mountPath: /mnt/trusted-ca
       name: trusted-ca

task/buildah/0.2/buildah.yaml

@@ -107,6 +107,10 @@ spec:
     description: Additional key=value labels that should be applied to the image
     type: array
     default: []
+  - name: SKIP_SBOM
+    description: Skip SBOM-related operations. This will likely cause EC policies to fail if enabled
+    type: string
+    default: "false"
 
   results:
   - description: Digest of the image just built
@@ -443,6 +447,10 @@ spec:
         memory: 1Gi
         cpu: 500m
     script: |
+      if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping SBOM generation"
+        exit 0
+      fi
       echo "Running syft on the source directory"
       syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json"
       echo "Running syft on the image filesystem"
@@ -530,7 +538,12 @@ spec:
       base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
       base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
       container=$(buildah from --pull-never $IMAGE)
-      buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+
+      if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping SBOM injection"
+      else
+        buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+      fi
       buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container
 
       BUILDAH_ARGS=()
@@ -564,11 +577,16 @@ spec:
         cat "$(workspaces.source.path)/image-digest"
       } > "$(results.IMAGE_REF.path)"
 
-      # Remove tag from IMAGE while allowing registry to contain a port number.
-      sbom_repo="${IMAGE%:*}"
-      sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
-      # The SBOM_BLOB_URL is created by `cosign attach sbom`.
-      echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
+      if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping generation of SBOM_BLOB_URL result"
+        echo -n "" | tee "$(results.SBOM_BLOB_URL.path)"
+      else
+        # Remove tag from IMAGE while allowing registry to contain a port number.
+        sbom_repo="${IMAGE%:*}"
+        sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
+        # The SBOM_BLOB_URL is created by `cosign attach sbom`.
+        echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
+      fi
     securityContext:
       runAsUser: 0
       capabilities:
@@ -592,7 +610,11 @@ spec:
         update-ca-trust
       fi
 
-      cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+       if [ "${SKIP_SBOM}" == "true" ]; then
+        echo "Skipping upload of SBOM result"
+      else
+        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+      fi
     computeResources:
       limits:
         memory: 512Mi