From f071b76ff1fa34119cdac933aa56b487ae9e737c Mon Sep 17 00:00:00 2001 From: arewm Date: Mon, 14 Oct 2024 15:43:49 -0400 Subject: [PATCH] explore skipping SBOM generation Signed-off-by: arewm --- task/buildah-oci-ta/0.2/README.md | 1 + task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 37 +++++++++++++++---- .../0.2/buildah-remote-oci-ta.yaml | 37 +++++++++++++++---- task/buildah-remote/0.2/buildah-remote.yaml | 37 +++++++++++++++---- task/buildah/0.2/buildah.yaml | 36 ++++++++++++++---- 5 files changed, 120 insertions(+), 28 deletions(-) diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index 1718940ae7..4ce2689efc 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -23,6 +23,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| |LABELS|Additional key=value labels that should be applied to the image|[]|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|SKIP_SBOM|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false| |SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 7ab9e9cea2..c7085c0c7b 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml 
@@ -82,6 +82,11 @@ spec: be made available to the build. type: string default: "" + - name: SKIP_SBOM + description: Skip SBOM-related operations. This will likely cause EC + policies to fail if enabled + type: string + default: "false" - name: SKIP_UNUSED_STAGES description: Whether to skip stages in Containerfile that seem unused by subsequent stages @@ -500,6 +505,10 @@ spec: - mountPath: /shared name: shared script: | + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Running syft on the source directory" syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json" echo "Running syft on the image filesystem" @@ -587,7 +596,12 @@ spec: base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping SBOM injection" + else + buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + fi buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() 
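Review bot: The added SKIP_SBOM `description:` does not tell the caller what is observable when the parameter is set, although the rest of this commit makes it concrete: no SBOM files are generated or copied into the image, `cosign attach sbom` is not run, and the SBOM_BLOB_URL result is written empty. Suggest `description: Skip SBOM-related operations. When set to "true" no SBOM is generated, injected into the image or attached to it, and the SBOM_BLOB_URL result is empty. This will likely cause EC policies to fail if enabled`. The same wording is added in buildah-remote-oci-ta.yaml (@@ -81), buildah-remote.yaml (@@ -119), buildah.yaml (@@ -107) and the README table, so it should change in all of them together.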
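Review bot: The added `exit 0` at the top of the syft step returns before `sbom-source.json` and `sbom-image.json` are written, but the commit only guards the later `buildah copy`, SBOM_BLOB_URL and `cosign attach sbom` sites; any step that runs between this one and the image push and reads those files (an SBOM merge step, for instance) is not visible in this diff and would fail on the missing inputs when SKIP_SBOM is "true". Each such step needs the same `if [ "${SKIP_SBOM}" == "true" ]; then echo "Skipping ..."; exit 0; fi` guard, or the skip should be confirmed to have no other consumer. The step script continues past the end of the hunk. The same early exit is added in buildah-remote-oci-ta.yaml (@@ -603), buildah-remote.yaml (@@ -579) and buildah.yaml (@@ -443).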
@@ -621,11 +635,16 @@ spec: cat "/var/workdir/image-digest" } >"$(results.IMAGE_REF.path)" - # Remove tag from IMAGE while allowing registry to contain a port number. - sbom_repo="${IMAGE%:*}" - sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" - # The SBOM_BLOB_URL is created by `cosign attach sbom`. - echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping generation of SBOM_BLOB_URL result" + echo -n "" | tee "$(results.SBOM_BLOB_URL.path)" + else + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + fi computeResources: limits: cpu: "4" @@ -653,7 +672,11 @@ spec: update-ca-trust fi - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping upload of SBOM result" + else + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + fi computeResources: limits: cpu: 200m diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 4102439d52..14f823ebf1 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -81,6 +81,11 @@ spec: to the build. name: PREFETCH_INPUT type: string + - default: "false" + description: Skip SBOM-related operations. This will likely cause EC policies + to fail if enabled + name: SKIP_SBOM + type: string - default: "true" description: Whether to skip stages in Containerfile that seem unused by subsequent stages 
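Review bot: An empty SBOM_BLOB_URL is the only machine-readable sign that SBOM generation was skipped, and nothing at the added `echo -n "" | tee "$(results.SBOM_BLOB_URL.path)"` line says so; a comment such as `# Empty result: SBOM generation was skipped via SKIP_SBOM; consumers must treat an empty value as "no SBOM"` would make that contract explicit. The empty result can also be written as `: > "$(results.SBOM_BLOB_URL.path)"` without the pipeline. This applies equally to buildah-remote-oci-ta.yaml (@@ -739), buildah-remote.yaml (@@ -715) and buildah.yaml (@@ -564).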
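Review bot: `[ "${SKIP_SBOM}" == "true" ]` in the added guard relies on the `==` operator, which POSIX `test` does not define; Tekton prepends `#!/bin/sh` to a step script that has no shebang, and the syft hunk above shows its script starting directly with the new `if`, so unless each step's image ships a `sh` that accepts `==`, `[ "${SKIP_SBOM}" = "true" ]` is the safe spelling. The same test is used in every guard this commit adds across the four task files, so the change should be made consistently if it is made at all. The enclosing step script starts and ends outside the hunk.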
@@ -603,6 +608,10 @@ spec: IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE fi + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Running syft on the source directory" syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json" echo "Running syft on the image filesystem" @@ -705,7 +714,12 @@ spec: base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping SBOM injection" + else + buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + fi buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() 
@@ -739,11 +753,16 @@ spec: cat "/var/workdir/image-digest" } >"$(results.IMAGE_REF.path)" - # Remove tag from IMAGE while allowing registry to contain a port number. - sbom_repo="${IMAGE%:*}" - sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" - # The SBOM_BLOB_URL is created by `cosign attach sbom`. - echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping generation of SBOM_BLOB_URL result" + echo -n "" | tee "$(results.SBOM_BLOB_URL.path)" + else + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + fi securityContext: capabilities: add: @@ -779,7 +798,11 @@ spec: update-ca-trust fi - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping upload of SBOM result" + else + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + fi volumeMounts: - mountPath: /mnt/trusted-ca name: trusted-ca diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 4a22a47fb0..c052574025 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -119,6 +119,11 @@ spec: description: Additional key=value labels that should be applied to the image name: LABELS type: array + - default: "false" + description: Skip SBOM-related operations. This will likely cause EC policies + to fail if enabled + name: SKIP_SBOM + type: string - description: The platform to build on name: PLATFORM type: string 
@@ -579,6 +584,10 @@ spec: IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE fi + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Running syft on the source directory" syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json" echo "Running syft on the image filesystem" @@ -681,7 +690,12 @@ spec: base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping SBOM injection" + else + buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + fi buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() 
@@ -715,11 +729,16 @@ spec: cat "$(workspaces.source.path)/image-digest" } > "$(results.IMAGE_REF.path)" - # Remove tag from IMAGE while allowing registry to contain a port number. - sbom_repo="${IMAGE%:*}" - sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" - # The SBOM_BLOB_URL is created by `cosign attach sbom`. - echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping generation of SBOM_BLOB_URL result" + echo -n "" | tee "$(results.SBOM_BLOB_URL.path)" + else + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + fi securityContext: capabilities: add: @@ -755,7 +774,11 @@ spec: update-ca-trust fi - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping upload of SBOM result" + else + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + fi volumeMounts: - mountPath: /mnt/trusted-ca name: trusted-ca diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 8869f9123b..ad06d3b936 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -107,6 +107,10 @@ spec: description: Additional key=value labels that should be applied to the image type: array default: [] + - name: SKIP_SBOM + description: Skip SBOM-related operations. This will likely cause EC policies to fail if enabled + type: string + default: "false" results: - description: Digest of the image just built 
@@ -443,6 +447,10 @@ spec: memory: 1Gi cpu: 500m script: | + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Running syft on the source directory" syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json" echo "Running syft on the image filesystem" @@ -530,7 +538,12 @@ spec: base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping SBOM injection" + else + buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + fi buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() 
@@ -564,11 +577,16 @@ spec: cat "$(workspaces.source.path)/image-digest" } > "$(results.IMAGE_REF.path)" - # Remove tag from IMAGE while allowing registry to contain a port number. - sbom_repo="${IMAGE%:*}" - sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" - # The SBOM_BLOB_URL is created by `cosign attach sbom`. - echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping generation of SBOM_BLOB_URL result" + echo -n "" | tee "$(results.SBOM_BLOB_URL.path)" + else + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + fi securityContext: runAsUser: 0 capabilities: @@ -592,7 +610,11 @@ spec: update-ca-trust fi - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + if [ "${SKIP_SBOM}" == "true" ]; then + echo "Skipping upload of SBOM result" + else + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + fi computeResources: limits: memory: 512Mi