From b4ea7bcd52f63c52118f4b53fcc61eb6e703ad67 Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Tue, 15 Oct 2024 11:41:35 +0200 Subject: [PATCH] SPDX sbom support for buildah tasks [CLOUDDST-24218] Signed-off-by: Jindrich Luza --- task/buildah-oci-ta/0.2/README.md | 1 + task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 49 ++++++++++++++----- .../0.2/buildah-remote-oci-ta.yaml | 35 +++++++++---- task/buildah-remote/0.2/buildah-remote.yaml | 48 ++++++++++++------ task/buildah-rhtap/0.1/buildah-rhtap.yaml | 9 +++- task/buildah/0.2/buildah.yaml | 48 +++++++++++++----- 6 files changed, 140 insertions(+), 50 deletions(-) diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index 1718940ae7..a85c2a3149 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -34,6 +34,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| |caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| |caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|sbomType|The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'.|cyclonedx|false| ## Results |name|description| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 89b86331ea..62017d4189 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -131,6 +131,11 @@ spec: description: The name of the ConfigMap to read CA bundle data from. type: string default: trusted-ca + - name: sbomType + description: The type of SBOM to generate. Supported values are 'spdx' + and 'cyclonedx'. + type: string + default: cyclonedx results: - name: IMAGE_DIGEST description: Digest of the image just built 
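Review bot: The new `sbomType` parameter in buildah-oci-ta.yaml documents the accepted values but nothing constrains them, so a misspelled or differently-cased value passes through to every consuming step unchanged. If the target Tekton version supports parameter `enum`, adding `enum: [spdx, cyclonedx]` under the param would reject bad values before any step runs; otherwise the validation has to live in the step scripts. The README hunk above only mirrors the description and needs no change.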
@@ -196,6 +201,8 @@ spec: value: $(params.IMAGE) - name: IMAGE_EXPIRES_AFTER value: $(params.IMAGE_EXPIRES_AFTER) + - name: SBOM_TYPE + value: $(params.sbomType) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: SOURCE_CODE_DIR @@ -552,10 +559,11 @@ spec: - mountPath: /shared name: shared script: | + SYFT_FORMAT=$([ "$SBOM_TYPE" = "spdx" ] && printf "spdx-json" || printf "cyclonedx-json") echo "Running syft on the source directory" - syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json" + syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output "$SYFT_FORMAT"="/var/workdir/sbom-source.json" echo "Running syft on the image filesystem" - syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json" + syft dir:"$(cat /shared/container_path)" --output "$SYFT_FORMAT"="/var/workdir/sbom-image.json" computeResources: limits: cpu: "2" @@ -572,7 +580,12 @@ spec: name: shared script: | if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + # TODO: remove when spdx support is ready + if [ "$SBOM_TYPE" = "spdx" ]; then + echo "SPDX format is not supported yet" >&2 + exit 1 + fi + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) --sbom-type "$SBOM_TYPE" sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 else touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) 
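Review bot: `SYFT_FORMAT=$([ "$SBOM_TYPE" = "spdx" ] && ...)` in the syft step treats every value other than the exact string `spdx` as CycloneDX, so `SPDX`, `CycloneDX` or a typo silently produces cyclonedx-json, while the upload step later passes the raw value to `cosign attach sbom --type "$SBOM_TYPE"` and can disagree with the document it attaches. A one-line guard before the derivation closes this: `case "$SBOM_TYPE" in spdx|cyclonedx) ;; *) echo "Unsupported sbomType: $SBOM_TYPE" >&2; exit 1;; esac`. The same `[ "$SBOM_TYPE" = "spdx" ] && ... ||` derivation is repeated in the prepare-sboms, inject-sbom-and-push and upload-sbom hunks of this file and in the buildah-remote-oci-ta, buildah-remote, buildah-rhtap and buildah files below, and each step that uses it would benefit from the same check at its top.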
@@ -591,20 +604,28 @@ spec: workingDir: /var/workdir script: | echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" - python3 /scripts/merge_syft_sboms.py + if [ "$SBOM_TYPE" = "spdx" ]; then + echo "SPDX format is not supported yet" >&2 + exit 1 + fi + MERGE_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && printf "merge_syft_sbom_spdx.py" || printf "merge_syft_sbom.py") + PURL_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && printf "create_purl_sbom_spdx.py" || printf "create_purl_sbom.py") + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json") + python3 "/scripts/${MERGE_SCRIPT}" if [ -f "sbom-cachi2.json" ]; then - echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - python3 /scripts/merge_cachi2_sboms.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json - mv sbom-temp.json sbom-cyclonedx.json + echo "Merging contents of sbom-cachi2.json into ${MERGE_DST}" + python3 /scripts/merge_cachi2_sboms.py --sbom-format "$SBOM_TYPE" sbom-cachi2.json "${MERGE_DST}" >sbom-temp.json + mv sbom-temp.json "${MERGE_DST}" fi echo "Creating sbom-purl.json" - python3 /scripts/create_purl_sbom.py + python3 "/scripts/${PURL_SCRIPT}" - echo "Adding base images data to sbom-cyclonedx.json" + echo "Adding base images data to ${MERGE_DST}" python3 /scripts/base_images_sbom_script.py \ - --sbom=sbom-cyclonedx.json \ + --sbom-format "$SBOM_TYPE" \ + --sbom="${MERGE_DST}" \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests computeResources: @@ -628,6 +649,7 @@ spec: script: | #!/bin/bash set -e + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json") ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then 
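Review bot: In the prepare-sboms hunk the first log line still hard-codes `sbom-cyclonedx.json` because it is printed before `MERGE_DST` is derived, whereas the remote tasks print `${MERGE_DST}`; move the `echo` below the three assignments and use `echo "Merging contents of sbom-source.json and sbom-image.json into ${MERGE_DST}"`. The same stale message is in the buildah.yaml prepare-sboms hunk further down. The temporary spdx guard sits between that echo and the assignments, so the ordering should be re-checked when the guard is removed.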
@@ -639,7 +661,7 @@ spec: base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + buildah copy $container "${MERGE_DST}" sbom-purl.json /root/buildinfo/content_manifests/ buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -675,7 +697,7 @@ spec: # Remove tag from IMAGE while allowing registry to contain a port number. sbom_repo="${IMAGE%:*}" - sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + sbom_digest="$(sha256sum "${MERGE_DST}" | cut -d' ' -f1)" # The SBOM_BLOB_URL is created by `cosign attach sbom`. echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" computeResources: @@ -698,6 +720,7 @@ spec: name: trusted-ca readOnly: true script: | + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json") ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -705,7 +728,7 @@ spec: update-ca-trust fi - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + cosign attach sbom --sbom "${MERGE_DST}" --type "$SBOM_TYPE" "$(cat "$(results.IMAGE_REF.path)")" computeResources: limits: cpu: 200m diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index dfa2988b5b..e9f45fa513 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
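Review bot: `MERGE_DST` is derived independently in inject-sbom-and-push and upload-sbom (and again in prepare-sboms above) from the same expression; these are separate step containers, so the shell variable cannot be shared, but three copies will drift if the file name ever changes. Consider writing the chosen file name once from prepare-sboms to a small file on the shared volume and reading it in the later steps, though whether `/shared` is mounted in upload-sbom is not visible in this hunk. The same triplication appears in buildah.yaml and buildah-remote.yaml below.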
@@ -136,6 +136,10 @@ spec: tag name: IMAGE_APPEND_PLATFORM type: string + - name: sbomType + type: string + description: The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'. + default: cyclonedx results: - description: Digest of the image just built name: IMAGE_DIGEST @@ -200,6 +204,8 @@ spec: value: $(params.PLATFORM) - name: IMAGE_APPEND_PLATFORM value: $(params.IMAGE_APPEND_PLATFORM) + - name: SBOM_TYPE + value: $(params.sbomType) volumeMounts: - mountPath: /shared name: shared 
@@ -705,26 +711,36 @@ spec: name: prepare-sboms script: | #!/bin/bash + # TODO: remove when spdx support is ready + if [ "$SBOM_TYPE" = "spdx" ]; then + echo "SPDX format is not supported yet" >&2 + exit 1 + fi + + MERGE_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "merge_syft_sbom_spdx.py" || echo -n "merge_syft_sbom.py") + PURL_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "create_purl_sbom_spdx.py" || echo -n "create_purl_sbom.py") + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "sbom-spdx.json" || echo -n "sbom-cyclonedx.json") set -e if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE fi - echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" - python3 /scripts/merge_syft_sboms.py + echo "Merging contents of sbom-source.json and sbom-image.json into ${MERGE_DST}" + python3 /scripts/"${MERGE_SCRIPT}" if [ -f "sbom-cachi2.json" ]; then - echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - python3 /scripts/merge_cachi2_sboms.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json - mv sbom-temp.json sbom-cyclonedx.json + echo "Merging contents of sbom-cachi2.json into ${MERGE_DST}" + python3 /scripts/merge_cachi2_sboms.py --sbom-format "$SBOM_TYPE" sbom-cachi2.json "${MERGE_DST}" > sbom-temp.json + mv sbom-temp.json "${MERGE_DST}" fi echo "Creating sbom-purl.json" - python3 /scripts/create_purl_sbom.py + python3 /scripts/"${PURL_SCRIPT}" - echo "Adding base images data to sbom-cyclonedx.json" + echo "Adding base images data to ${MERGE_DST}" python3 /scripts/base_images_sbom_script.py \ - --sbom=sbom-cyclonedx.json \ + --sbom-format "$SBOM_TYPE" \ + --sbom="${MERGE_DST}" \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests securityContext: 
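Review bot: This prepare-sboms hunk switches the merge scripts and output name on `SBOM_TYPE`, but no hunk in this patch touches the syft invocation of buildah-remote-oci-ta.yaml, so as far as the diff shows that step still writes `cyclonedx-json` regardless of the parameter; once the `SPDX format is not supported yet` guard is lifted, the spdx merge scripts would receive CycloneDX input. Please confirm the syft step is updated (as done for buildah-oci-ta and buildah-remote with `SYFT_FORMAT=...`) or leave a TODO noting the gap. Also, the derivations here use `echo -n` while the oci-ta and buildah tasks use `printf`; picking one keeps the generated tasks diff-able.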
@@ -742,6 +758,7 @@ spec: script: | #!/bin/bash set -e + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "sbom-spdx.json" || echo -n "sbom-cyclonedx.json") if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE @@ -757,7 +774,7 @@ spec: base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + buildah copy $container "${MERGE_DST}" sbom-purl.json /root/buildinfo/content_manifests/ buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 6df8d66149..b708788c97 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -127,6 +127,10 @@ spec: tag name: IMAGE_APPEND_PLATFORM type: string + - name: sbomType + type: string + description: The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'. + default: cyclonedx results: - description: Digest of the image just built name: IMAGE_DIGEST @@ -191,6 +195,8 @@ spec: value: $(params.PLATFORM) - name: IMAGE_APPEND_PLATFORM value: $(params.IMAGE_APPEND_PLATFORM) + - name: SBOM_TYPE + value: $(params.sbomType) volumeMounts: - mountPath: /shared name: shared 
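Review bot: The inject-sbom-and-push hunk switches `buildah copy` to `${MERGE_DST}`, but unlike the other tasks there is no hunk in this file updating the `sha256sum sbom-cyclonedx.json` used for `SBOM_BLOB_URL`; if that line is still hard-coded further down in the step, the reported blob digest would not match the SPDX document that was copied and attached. Worth confirming against the full file, since the rest of the step is outside the hunk.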
@@ -629,14 +635,15 @@ spec: script: | #!/bin/bash set -e + SYFT_FORMAT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "spdx-json" || echo -n "cyclonedx-json") if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE fi echo "Running syft on the source directory" - syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json" + syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output "$SYFT_FORMAT"="$(workspaces.source.path)/sbom-source.json" echo "Running syft on the image filesystem" - syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="$(workspaces.source.path)/sbom-image.json" + syft dir:"$(cat /shared/container_path)" --output "$SYFT_FORMAT"="$(workspaces.source.path)/sbom-image.json" volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers @@ -660,7 +667,11 @@ spec: export IMAGE fi if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + if [ "$SBOM_TYPE" = "spdx" ]; then + echo "SPDX format is not supported yet" >&2 + exit 1 + fi + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) --sbom-type "$SBOM_TYPE" sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 else touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) 
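Review bot: The spdx guard added inside the Java branch of the analyse-dependencies step lacks the `# TODO: remove when spdx support is ready` marker that the equivalent hunks in buildah-oci-ta and buildah carry; add the same comment so all the temporary exits can be found and removed together. The guard only fires for images flagged in `/var/lib/containers/java`, so non-Java SPDX builds rely on the prepare-sboms guard below.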
@@ -684,25 +695,33 @@ spec: script: | #!/bin/bash set -e + MERGE_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "merge_syft_sbom_spdx.py" || echo -n "merge_syft_sbom.py") + PURL_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "create_purl_sbom_spdx.py" || echo -n "create_purl_sbom.py") + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "sbom-spdx.json" || echo -n "sbom-cyclonedx.json") + if [ "$SBOM_TYPE" = "spdx" ]; then + echo "SPDX format is not supported yet" >&2 + exit 1 + fi if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE fi - echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" - python3 /scripts/merge_syft_sboms.py + echo "Merging contents of sbom-source.json and sbom-image.json into ${MERGE_DST}" + python3 "/scripts/${MERGE_SCRIPT}" if [ -f "sbom-cachi2.json" ]; then - echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - python3 /scripts/merge_cachi2_sboms.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json - mv sbom-temp.json sbom-cyclonedx.json + echo "Merging contents of sbom-cachi2.json into ${MERGE_DST}" + python3 /scripts/merge_cachi2_sboms.py --sbom-format "$SBOM_TYPE" sbom-cachi2.json "${MERGE_DST}" > sbom-temp.json + mv sbom-temp.json "${MERGE_DST}" fi echo "Creating sbom-purl.json" - python3 /scripts/create_purl_sbom.py + python3 "/scripts/${PURL_SCRIPT}" - echo "Adding base images data to sbom-cyclonedx.json" + echo "Adding base images data to ${MERGE_DST}" python3 /scripts/base_images_sbom_script.py \ - --sbom=sbom-cyclonedx.json \ + --sbom-format "$SBOM_TYPE" \ + --sbom="${MERGE_DST}" \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests securityContext: 
@@ -720,6 +739,7 @@ spec: script: | #!/bin/bash set -e + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "sbom-spdx.json" || echo -n "sbom-cyclonedx.json") if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE @@ -735,7 +755,7 @@ spec: base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + buildah copy $container "${MERGE_DST}" sbom-purl.json /root/buildinfo/content_manifests/ buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -771,7 +791,7 @@ spec: # Remove tag from IMAGE while allowing registry to contain a port number. sbom_repo="${IMAGE%:*}" - sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + sbom_digest="$(sha256sum "${MERGE_DST}" | cut -d' ' -f1)" # The SBOM_BLOB_URL is created by `cosign attach sbom`. echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" securityContext: @@ -809,7 +829,7 @@ spec: update-ca-trust fi - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + cosign attach sbom --sbom "${MERGE_DST}" --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" volumeMounts: - mountPath: /mnt/trusted-ca name: trusted-ca diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index 218bbca0d9..c5b6ac8e91 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml +++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml 
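Review bot: In the upload-sbom hunk `cosign attach sbom --sbom "${MERGE_DST}" --type cyclonedx` keeps the type hard-coded while the file may become `sbom-spdx.json`, and nothing in this hunk or elsewhere in the patch for buildah-remote.yaml sets `MERGE_DST` inside this step. Each Tekton step runs in its own container, so the value derived in prepare-sboms or inject-sbom-and-push is not visible here, and `--sbom ""` would be passed unless the variable is defined above the hunk. Add the same `MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "sbom-spdx.json" || echo -n "sbom-cyclonedx.json")` at the top of this step, as the oci-ta and buildah hunks do, and use `--type "$SBOM_TYPE"` to match them.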
@@ -40,6 +40,10 @@ spec: description: Storage driver to configure for buildah type: string default: vfs + - name: sbomType + type: string + description: The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'. + default: cyclonedx results: - description: Digest of the image just built name: IMAGE_DIGEST @@ -63,6 +67,8 @@ spec: value: $(params.TLSVERIFY) - name: BUILD_ARGS_FILE value: $(params.BUILD_ARGS_FILE) + - name : SBOM_TYPE + value: $(params.sbomType) steps: - name: build image: registry.access.redhat.com/ubi9/buildah@sha256:29402688af2b394a8400d946751520dbaea64759bbce2ef6928dc58ede6020e6 @@ -128,7 +134,8 @@ spec: # (need to set the workdir, see https://github.com/anchore/syft/issues/2465) workingDir: $(workspaces.source.path)/source script: | - syft dir:$(workspaces.source.path)/source --output cyclonedx-json@1.5=/tmp/files/sbom-source.json + SYFT_FORMAT=$([ "$SBOM_TYPE" = "spdx" ] && printf "spdx-json" || printf "cyclonedx-json") + syft dir:$(workspaces.source.path)/source --output "$SYFT_FORMAT"=/tmp/files/sbom-source.json syft oci-dir:/tmp/files/image --output cyclonedx-json@1.5=/tmp/files/sbom-image.json volumeMounts: - mountPath: /var/lib/containers diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 00446717d5..56f2abc062 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -107,6 +107,10 @@ spec: description: Additional key=value labels that should be applied to the image type: array default: [] + - name: sbomType + type: string + description: The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'. + default: cyclonedx results: - description: Digest of the image just built @@ -166,6 +170,8 @@ spec: value: $(params.SQUASH) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) + - name: SBOM_TYPE + value: $(params.sbomType) steps: - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c 
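Review bot: In the buildah-rhtap syft hunk only the source scan switches to `"$SYFT_FORMAT"`; the image scan on the next line still emits `cyclonedx-json@1.5`, so with `sbomType=spdx` the two files are produced in different formats. The source scan also drops the `@1.5` schema pin for the CycloneDX case, changing the output schema version to syft's default; `SYFT_FORMAT=$([ "$SBOM_TYPE" = "spdx" ] && printf "spdx-json" || printf "cyclonedx-json@1.5")` together with `"$SYFT_FORMAT"` on the second call keeps both consistent with the previous behaviour. Separately, the env hunk has `- name : SBOM_TYPE` with a space before the colon; it parses, but should be `- name: SBOM_TYPE` like its neighbours.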
@@ -497,10 +503,11 @@ spec: memory: 1Gi cpu: 500m script: | + SYFT_FORMAT=$([ "$SBOM_TYPE" = "spdx" ] && printf "spdx-json" || printf "cyclonedx-json") echo "Running syft on the source directory" - syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json" + syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output "$SYFT_FORMAT"="$(workspaces.source.path)/sbom-source.json" echo "Running syft on the image filesystem" - syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="$(workspaces.source.path)/sbom-image.json" + syft dir:"$(cat /shared/container_path)" --output "$SYFT_FORMAT"="$(workspaces.source.path)/sbom-image.json" volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers @@ -517,7 +524,12 @@ spec: cpu: 100m script: | if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + # TODO: remove when spdx support is ready + if [ "$SBOM_TYPE" = "spdx" ]; then + echo "SPDX format is not supported yet" >&2 + exit 1 + fi + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) --sbom-type "$SBOM_TYPE" sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 else touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) 
@@ -541,20 +553,28 @@ spec: cpu: 100m script: | echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" - python3 /scripts/merge_syft_sboms.py + if [ "$SBOM_TYPE" = "spdx" ]; then + echo "SPDX format is not supported yet" >&2 + exit 1 + fi + MERGE_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && printf "merge_syft_sbom_spdx.py" || printf "merge_syft_sbom.py") + PURL_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && printf "create_purl_sbom_spdx.py" || printf "create_purl_sbom.py") + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json") + python3 "/scripts/${MERGE_SCRIPT}" if [ -f "sbom-cachi2.json" ]; then - echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - python3 /scripts/merge_cachi2_sboms.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json - mv sbom-temp.json sbom-cyclonedx.json + echo "Merging contents of sbom-cachi2.json into ${MERGE_DST}" + python3 /scripts/merge_cachi2_sboms.py --sbom-format "$SBOM_TYPE" sbom-cachi2.json "${MERGE_DST}" > sbom-temp.json + mv sbom-temp.json "${MERGE_DST}" fi echo "Creating sbom-purl.json" - python3 /scripts/create_purl_sbom.py + python3 "/scripts/${PURL_SCRIPT}" - echo "Adding base images data to sbom-cyclonedx.json" + echo "Adding base images data to ${MERGE_DST}" python3 /scripts/base_images_sbom_script.py \ - --sbom=sbom-cyclonedx.json \ + --sbom-format "$SBOM_TYPE" \ + --sbom="${MERGE_DST}" \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests workingDir: $(workspaces.source.path) @@ -573,6 +593,7 @@ spec: script: | #!/bin/bash set -e + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json") ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then 
@@ -584,7 +605,7 @@ spec: base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + buildah copy $container "${MERGE_DST}" sbom-purl.json /root/buildinfo/content_manifests/ buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container BUILDAH_ARGS=() @@ -620,7 +641,7 @@ spec: # Remove tag from IMAGE while allowing registry to contain a port number. sbom_repo="${IMAGE%:*}" - sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + sbom_digest="$(sha256sum "${MERGE_DST}" | cut -d' ' -f1)" # The SBOM_BLOB_URL is created by `cosign attach sbom`. echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" securityContext: @@ -639,6 +660,7 @@ spec: - name: upload-sbom image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 script: | + MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json") ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -646,7 +668,7 @@ spec: update-ca-trust fi - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + cosign attach sbom --sbom "${MERGE_DST}" --type "$SBOM_TYPE" "$(cat "$(results.IMAGE_REF.path)")" computeResources: limits: memory: 512Mi