konflux-ci · midnightercz · Oct 15, 2024 · Oct 30, 2024
@@ -34,6 +34,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
 |YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false|
 |caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
 |caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
+|sbomType|The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'.|cyclonedx|false|
 
 ## Results
 |name|description|

@@ -131,6 +131,11 @@ spec:
       description: The name of the ConfigMap to read CA bundle data from.
       type: string
       default: trusted-ca
+    - name: sbomType
+      description: The type of SBOM to generate. Supported values are 'spdx'
+        and 'cyclonedx'.
+      type: string
+      default: cyclonedx
   results:
     - name: IMAGE_DIGEST
       description: Digest of the image just built
@@ -196,6 +201,8 @@ spec:
         value: $(params.IMAGE)
       - name: IMAGE_EXPIRES_AFTER
         value: $(params.IMAGE_EXPIRES_AFTER)
+      - name: SBOM_TYPE
+        value: $(params.sbomType)
       - name: SKIP_UNUSED_STAGES
         value: $(params.SKIP_UNUSED_STAGES)
       - name: SOURCE_CODE_DIR
@@ -552,10 +559,11 @@ spec:
         - mountPath: /shared
           name: shared
       script: |
+        SYFT_FORMAT=$([ "$SBOM_TYPE" = "spdx" ] && printf "spdx-json" || printf "cyclonedx-json")
         echo "Running syft on the source directory"
-        syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
+        syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output "$SYFT_FORMAT"="/var/workdir/sbom-source.json"
         echo "Running syft on the image filesystem"
-        syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json"
+        syft dir:"$(cat /shared/container_path)" --output "$SYFT_FORMAT"="/var/workdir/sbom-image.json"
       computeResources:
         limits:
           cpu: "2"
@@ -572,7 +580,12 @@ spec:
           name: shared
       script: |
         if [ -f /var/lib/containers/java ]; then
-          /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path)
+          # TODO: remove when spdx support is ready
+          if [ "$SBOM_TYPE" = "spdx" ]; then
+            echo "SPDX format is not supported yet" >&2
+            exit 1
+          fi
+          /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) --sbom-type "$SBOM_TYPE"
           sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875
         else
           touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path)
@@ -591,20 +604,28 @@ spec:
       workingDir: /var/workdir
       script: |
         echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
-        python3 /scripts/merge_syft_sboms.py
+        if [ "$SBOM_TYPE" = "spdx" ]; then
+          echo "SPDX format is not supported yet" >&2
+          exit 1
+        fi
+        MERGE_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && printf "merge_syft_sbom_spdx.py" || printf "merge_syft_sbom.py")
+        PURL_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && printf "create_purl_sbom_spdx.py" || printf "create_purl_sbom.py")
+        MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json")
+        python3 "/scripts/${MERGE_SCRIPT}"
 
         if [ -f "sbom-cachi2.json" ]; then
-          echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json"
-          python3 /scripts/merge_cachi2_sboms.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json
-          mv sbom-temp.json sbom-cyclonedx.json
+          echo "Merging contents of sbom-cachi2.json into ${MERGE_DST}"
+          python3 /scripts/merge_cachi2_sboms.py --sbom-format "$SBOM_TYPE" sbom-cachi2.json "${MERGE_DST}" >sbom-temp.json
+          mv sbom-temp.json "${MERGE_DST}"
         fi
 
         echo "Creating sbom-purl.json"
-        python3 /scripts/create_purl_sbom.py
+        python3 "/scripts/${PURL_SCRIPT}"
 
-        echo "Adding base images data to sbom-cyclonedx.json"
+        echo "Adding base images data to ${MERGE_DST}"
         python3 /scripts/base_images_sbom_script.py \
-          --sbom=sbom-cyclonedx.json \
+          --sbom-format "$SBOM_TYPE" \
+          --sbom="${MERGE_DST}" \
           --base-images-from-dockerfile=/shared/base_images_from_dockerfile \
           --base-images-digests=/shared/base_images_digests
       computeResources:
@@ -628,6 +649,7 @@ spec:
       script: |
         #!/bin/bash
         set -e
+        MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json")
 
         ca_bundle=/mnt/trusted-ca/ca-bundle.crt
         if [ -f "$ca_bundle" ]; then
@@ -639,7 +661,7 @@ spec:
         base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
         base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
         container=$(buildah from --pull-never $IMAGE)
-        buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+        buildah copy $container "${MERGE_DST}" sbom-purl.json /root/buildinfo/content_manifests/
         buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container
 
         BUILDAH_ARGS=()
@@ -675,7 +697,7 @@ spec:
 
         # Remove tag from IMAGE while allowing registry to contain a port number.
         sbom_repo="${IMAGE%:*}"
-        sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
+        sbom_digest="$(sha256sum "${MERGE_DST}" | cut -d' ' -f1)"
         # The SBOM_BLOB_URL is created by `cosign attach sbom`.
         echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
       computeResources:
@@ -698,14 +720,15 @@ spec:
           name: trusted-ca
           readOnly: true
       script: |
+        MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json")
         ca_bundle=/mnt/trusted-ca/ca-bundle.crt
         if [ -f "$ca_bundle" ]; then
           echo "INFO: Using mounted CA bundle: $ca_bundle"
           cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
           update-ca-trust
         fi
 
-        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+        cosign attach sbom --sbom "${MERGE_DST}" --type "$SBOM_TYPE" "$(cat "$(results.IMAGE_REF.path)")"
       computeResources:
         limits:
           cpu: 200m

@@ -136,6 +136,10 @@ spec:
       tag
     name: IMAGE_APPEND_PLATFORM
     type: string
+  - name: sbomType
+    type: string
+    description: The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'.
+    default: cyclonedx
   results:
   - description: Digest of the image just built
     name: IMAGE_DIGEST
@@ -200,6 +204,8 @@ spec:
       value: $(params.PLATFORM)
     - name: IMAGE_APPEND_PLATFORM
       value: $(params.IMAGE_APPEND_PLATFORM)
+    - name: SBOM_TYPE
+      value: $(params.sbomType)
     volumeMounts:
     - mountPath: /shared
       name: shared
@@ -705,26 +711,36 @@ spec:
     name: prepare-sboms
     script: |
       #!/bin/bash
+      # TODO: remove when spdx support is ready
+      if [ "$SBOM_TYPE" = "spdx" ]; then
+        echo "SPDX format is not supported yet" >&2
+        exit 1
+      fi
+
+      MERGE_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "merge_syft_sbom_spdx.py" || echo -n "merge_syft_sbom.py")
+      PURL_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "create_purl_sbom_spdx.py" || echo -n "create_purl_sbom.py")
+      MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "sbom-spdx.json" || echo -n "sbom-cyclonedx.json")
       set -e
       if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then
         IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
         export IMAGE
       fi
-      echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
-      python3 /scripts/merge_syft_sboms.py
+      echo "Merging contents of sbom-source.json and sbom-image.json into ${MERGE_DST}"
+      python3 /scripts/"${MERGE_SCRIPT}"
 
       if [ -f "sbom-cachi2.json" ]; then
-        echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json"
-        python3 /scripts/merge_cachi2_sboms.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json
-        mv sbom-temp.json sbom-cyclonedx.json
+        echo "Merging contents of sbom-cachi2.json into ${MERGE_DST}"
+        python3 /scripts/merge_cachi2_sboms.py --sbom-format "$SBOM_TYPE" sbom-cachi2.json "${MERGE_DST}" > sbom-temp.json
+        mv sbom-temp.json "${MERGE_DST}"
       fi
 
       echo "Creating sbom-purl.json"
-      python3 /scripts/create_purl_sbom.py
+      python3 /scripts/"${PURL_SCRIPT}"
 
-      echo "Adding base images data to sbom-cyclonedx.json"
+      echo "Adding base images data to ${MERGE_DST}"
       python3 /scripts/base_images_sbom_script.py \
-        --sbom=sbom-cyclonedx.json \
+        --sbom-format "$SBOM_TYPE" \
+        --sbom="${MERGE_DST}" \
         --base-images-from-dockerfile=/shared/base_images_from_dockerfile \
         --base-images-digests=/shared/base_images_digests
     securityContext:
@@ -742,6 +758,7 @@ spec:
     script: |
       #!/bin/bash
       set -e
+      MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "sbom-spdx.json" || echo -n "sbom-cyclonedx.json")
       if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then
         IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
         export IMAGE
@@ -757,7 +774,7 @@ spec:
       base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
       base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
       container=$(buildah from --pull-never $IMAGE)
-      buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+      buildah copy $container "${MERGE_DST}" sbom-purl.json /root/buildinfo/content_manifests/
       buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container
 
       BUILDAH_ARGS=()

@@ -127,6 +127,10 @@ spec:
       tag
     name: IMAGE_APPEND_PLATFORM
     type: string
+  - name: sbomType
+    type: string
+    description: The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'.
+    default: cyclonedx
   results:
   - description: Digest of the image just built
     name: IMAGE_DIGEST
@@ -191,6 +195,8 @@ spec:
       value: $(params.PLATFORM)
     - name: IMAGE_APPEND_PLATFORM
       value: $(params.IMAGE_APPEND_PLATFORM)
+    - name: SBOM_TYPE
+      value: $(params.sbomType)
     volumeMounts:
     - mountPath: /shared
       name: shared
@@ -629,14 +635,15 @@ spec:
     script: |
       #!/bin/bash
       set -e
+      SYFT_FORMAT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "spdx-json" || echo -n "cyclonedx-json")
       if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then
         IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
         export IMAGE
       fi
       echo "Running syft on the source directory"
-      syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json"
+      syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output "$SYFT_FORMAT"="$(workspaces.source.path)/sbom-source.json"
       echo "Running syft on the image filesystem"
-      syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="$(workspaces.source.path)/sbom-image.json"
+      syft dir:"$(cat /shared/container_path)" --output "$SYFT_FORMAT"="$(workspaces.source.path)/sbom-image.json"
     volumeMounts:
     - mountPath: /var/lib/containers
       name: varlibcontainers
@@ -660,7 +667,11 @@ spec:
         export IMAGE
       fi
       if [ -f /var/lib/containers/java ]; then
-        /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path)
+        if [ "$SBOM_TYPE" = "spdx" ]; then
+          echo "SPDX format is not supported yet" >&2
+          exit 1
+        fi
+        /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) --sbom-type "$SBOM_TYPE"
         sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875
       else
         touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path)
@@ -684,25 +695,33 @@ spec:
     script: |
       #!/bin/bash
       set -e
+      MERGE_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "merge_syft_sbom_spdx.py" || echo -n "merge_syft_sbom.py")
+      PURL_SCRIPT=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "create_purl_sbom_spdx.py" || echo -n "create_purl_sbom.py")
+      MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "sbom-spdx.json" || echo -n "sbom-cyclonedx.json")
+      if [ "$SBOM_TYPE" = "spdx" ]; then
+        echo "SPDX format is not supported yet" >&2
+        exit 1
+      fi
       if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then
         IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
         export IMAGE
       fi
-      echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
-      python3 /scripts/merge_syft_sboms.py
+      echo "Merging contents of sbom-source.json and sbom-image.json into ${MERGE_DST}"
+      python3 "/scripts/${MERGE_SCRIPT}"
 
       if [ -f "sbom-cachi2.json" ]; then
-        echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json"
-        python3 /scripts/merge_cachi2_sboms.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json
-        mv sbom-temp.json sbom-cyclonedx.json
+        echo "Merging contents of sbom-cachi2.json into ${MERGE_DST}"
+        python3 /scripts/merge_cachi2_sboms.py --sbom-format "$SBOM_TYPE" sbom-cachi2.json "${MERGE_DST}" > sbom-temp.json
+        mv sbom-temp.json "${MERGE_DST}"
       fi
 
       echo "Creating sbom-purl.json"
-      python3 /scripts/create_purl_sbom.py
+      python3 "/scripts/${PURL_SCRIPT}"
 
-      echo "Adding base images data to sbom-cyclonedx.json"
+      echo "Adding base images data to ${MERGE_DST}"
       python3 /scripts/base_images_sbom_script.py \
-        --sbom=sbom-cyclonedx.json \
+        --sbom-format "$SBOM_TYPE" \
+        --sbom="${MERGE_DST}" \
         --base-images-from-dockerfile=/shared/base_images_from_dockerfile \
         --base-images-digests=/shared/base_images_digests
     securityContext:
@@ -720,6 +739,7 @@ spec:
     script: |
       #!/bin/bash
       set -e
+      MERGE_DST=$([ "$SBOM_TYPE" = "spdx" ] && echo -n "sbom-spdx.json" || echo -n "sbom-cyclonedx.json")
       if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then
         IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
         export IMAGE
@@ -735,7 +755,7 @@ spec:
       base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
       base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
       container=$(buildah from --pull-never $IMAGE)
-      buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+      buildah copy $container "${MERGE_DST}" sbom-purl.json /root/buildinfo/content_manifests/
       buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container
 
       BUILDAH_ARGS=()
@@ -771,7 +791,7 @@ spec:
 
       # Remove tag from IMAGE while allowing registry to contain a port number.
       sbom_repo="${IMAGE%:*}"
-      sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
+      sbom_digest="$(sha256sum "${MERGE_DST}" | cut -d' ' -f1)"
       # The SBOM_BLOB_URL is created by `cosign attach sbom`.
       echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
     securityContext:
@@ -809,7 +829,7 @@ spec:
         update-ca-trust
       fi
 
-      cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+      cosign attach sbom --sbom "${MERGE_DST}" --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
     volumeMounts:
     - mountPath: /mnt/trusted-ca
       name: trusted-ca

@@ -40,6 +40,10 @@ spec:
     description: Storage driver to configure for buildah
     type: string
     default: vfs
+  - name: sbomType
+    type: string
+    description: The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'.
+    default: cyclonedx
   results:
   - description: Digest of the image just built
     name: IMAGE_DIGEST
@@ -63,6 +67,8 @@ spec:
       value: $(params.TLSVERIFY)
     - name: BUILD_ARGS_FILE
       value: $(params.BUILD_ARGS_FILE)
+    - name : SBOM_TYPE
+      value: $(params.sbomType)
   steps:
   - name: build
     image: registry.access.redhat.com/ubi9/buildah@sha256:29402688af2b394a8400d946751520dbaea64759bbce2ef6928dc58ede6020e6
@@ -128,7 +134,8 @@ spec:
     # (need to set the workdir, see https://github.com/anchore/syft/issues/2465)
     workingDir: $(workspaces.source.path)/source
     script: |
-      syft dir:$(workspaces.source.path)/source --output [email protected]=/tmp/files/sbom-source.json
+      SYFT_FORMAT=$([ "$SBOM_TYPE" = "spdx" ] && printf "spdx-json" || printf "cyclonedx-json")
+      syft dir:$(workspaces.source.path)/source --output "$SYFT_FORMAT"=/tmp/files/sbom-source.json
       syft oci-dir:/tmp/files/image --output [email protected]=/tmp/files/sbom-image.json
     volumeMounts:
     - mountPath: /var/lib/containers