diff --git a/icm-injection-scripts/Containerfile b/icm-injection-scripts/Containerfile
new file mode 100644
index 00000000..a2ec4fbd
--- /dev/null
+++ b/icm-injection-scripts/Containerfile
@@ -0,0 +1,16 @@
+FROM quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
+
+WORKDIR /scripts
+
+COPY scripts/inject-icm.sh /scripts
+
+LABEL \
+ description="Inject an ICM (image content manifest) file with content sets for backwards compatibility." \
+ io.k8s.description="Inject an ICM (image content manifest) file with content sets for backwards compatibility." \
+ summary="Inject an ICM (image content manifest) file" \
+ io.k8s.display-name="Inject an ICM (image content manifest) file" \
+ name="Inject an ICM (image content manifest) file" \
+ com.redhat.component="inject-icm"
+
+ENTRYPOINT ["/scripts/inject-icm.sh"]
+
diff --git a/icm-injection-scripts/scripts/inject-icm.sh b/icm-injection-scripts/scripts/inject-icm.sh
new file mode 100755
index 00000000..76f94bf3
--- /dev/null
+++ b/icm-injection-scripts/scripts/inject-icm.sh
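Review bot: The script this image sets as ENTRYPOINT calls `jq` and `grep -P` (PCRE), but the Containerfile only copies the script onto the pinned buildah-task base and installs nothing; if that base does not ship jq or a PCRE-capable grep, the task fails at run time instead of at image build. Either confirm both tools are present in quay.io/konflux-ci/buildah-task at the pinned digest or add a `RUN` step that installs them, with a comment naming the dependency. Pinning the base by sha256 digest is the right choice for a build-system image; the `latest` tag next to it is only a hint, the digest is what is enforced.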
@@ -0,0 +1,68 @@ +#!/bin/bash +# Inject an ICM (image content manifest) file with content sets for backwards compatibility +# +# https://github.com/containerbuildsystem/atomic-reactor/blob/master/atomic_reactor/schemas/content_manifest.json +# +# This is not a file we want to inject always into the future, but older Red +# Hat build systems injected a file like this and some third-party scanners +# depend on it in order to map rpms found in each layer to CPE ids, to match +# them with vulnerability data. In the future, those scanners should port to +# using the dnf db and/or SBOMs to make that same match. Consider this +# deprecated. +# +# This is only possible for images built hermetically with prefetch + +set -euo pipefail + +IMAGE="${1}" +SQUASH="${SQUASH:-false}" + +icm_filename="content-sets.json" +location="/root/buildinfo/content_manifests/${icm_filename}" + +if [ ! -f "./sbom-cachi2.json" ]; then + echo "Could not find sbom-cachi2.json. No content_sets found for ICM" + exit 0 +fi + +echo "Extracting annotations to copy to the modified image" +base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') +base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") + +echo "Creating container from $IMAGE" +CONTAINER=$(buildah from --pull-never $IMAGE) + +echo "Preparing construction of $location for container $CONTAINER to be committed back as $IMAGE (squash: $SQUASH)" +cat >content-sets.json < content-sets.json.tmp + mv content-sets.json.tmp content-sets.json +done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" + +echo "Constructed the following:" +cat content-sets.json + +echo "Writing that to $location" +buildah copy "$CONTAINER" content-sets.json /root/buildinfo/content_manifests/ +buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a 
"org.opencontainers.image.base.digest=${base_image_digest}" "$CONTAINER" + +BUILDAH_ARGS=() +if [ "${SQUASH}" == "true" ]; then + BUILDAH_ARGS+=("--squash") +fi + +echo "Committing that back to $IMAGE" +buildah commit "${BUILDAH_ARGS[@]}" "$CONTAINER" "$IMAGE"
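Review bot: The content-set extraction in `grep -o -P '(?<=repository_id=).*(?=(&|$))'` uses a greedy `.*`, so a purl whose `repository_id` qualifier is followed by further `&key=value` qualifiers yields `repo&key=value` instead of the bare repository id; since this file exists so scanners can map RPMs to CPEs, a mangled entry silently breaks that match for the affected packages. A negated class avoids it: `grep -o -P '(?<=repository_id=)[^&]+'`. The working container created by `buildah from` is never removed, so a failure between `buildah from` and `buildah commit` leaves it behind; `trap 'buildah rm "$CONTAINER" >/dev/null' EXIT` right after the assignment would clean up on every exit path. `$IMAGE` is unquoted in that `buildah from --pull-never $IMAGE` call and should be `"$IMAGE"` like every other use in the script. The here-document body behind `cat >content-sets.json` is not legible in this rendering, so the JSON template itself is not reviewed here.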