From f78037e2b11799e187ee721f50fc98bd1e938a57 Mon Sep 17 00:00:00 2001
From: Haroon Khel
Date: Wed, 30 Oct 2024 15:34:36 +0000
Subject: [PATCH 1/6] SBOM jsf signing
---
 .../common/openjdk_build_pipeline.groovy | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
index fda611646..79c27de95 100644
--- a/pipelines/build/common/openjdk_build_pipeline.groovy
+++ b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -1054,6 +1054,44 @@ class Build {
  }
  }
  }
+
+ // Kick off the sign_temurin_jsf job to sign the SBOM
+ private void jsfSignSBOM() {
+ context.stage('SBOM Sign') {
+ context.println "RUNNING sign_temurin_jsf for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
+
+ def params = [
+ context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"),
+ context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"),
+ context.string(name: 'UPSTREAM_DIR', value: 'workspace')
+ ]
+
+ def signSHAsJob = context.build job: 'build-scripts/release/sign_temurin_jsf',
+ propagate: true,
+ parameters: params
+
+ context.node('worker') {
+ // Remove any previous workspace artifacts
+ context.sh 'rm -rf workspace/target/* || true'
+ context.copyArtifacts(
+ projectName: 'build-scripts/release/sign_temurin_jsf',
+ selector: context.specific("${signSHAsJob.getNumber()}"),
+ filter: '**/*.sig',
+ fingerprintArtifacts: true,
+ target: 'workspace/target/',
+ flatten: true)
+
+ // Archive SBOM signatures in Jenkins
+ try {
+ context.timeout(time: buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT, unit: 'HOURS') {
+ context.archiveArtifacts artifacts: 'workspace/target/*.sig'
+ }
+ } catch (FlowInterruptedException e) {
+ throw new Exception("[ERROR] Archive artifact timeout (${buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT} HOURS) for ${downstreamJobName} has been reached. Exiting...")
+ }
+ }
+ }
+ }
 
  /* Lists and returns any compressed archived or sbom file contents of the top directory of the build node */
@@ -1824,6 +1862,8 @@ class Build {
  context.archiveArtifacts artifacts: 'workspace/target/*.json'
  } else {
  context.archiveArtifacts artifacts: 'workspace/target/*'
+ // Archive cyclone dx jars
+ context.archiveArtifacts artifacts: "workspace/build-scripts/jobs/${buildConfig.JAVA_TO_BUILD}-${buildConfig.TARGET_OS}-${buildConfig.ARCHITECTURE}-temurin/cyclonedx-lib/**/*.jar"
  }
  }
  } catch (FlowInterruptedException e) {
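Review bot: The catch at the end of jsfSignSBOM rethrows a bare `Exception` built only from a message, so the FlowInterruptedException that actually fired is dropped and the log will not show which step was interrupted. The message also interpolates `${downstreamJobName}`, which is not set anywhere in this hunk; presumably it is a field or a local left over from gpgSign, in which case the timeout would be reported against the wrong job. I would keep the cause and name this stage directly: `throw new Exception("[ERROR] Archive artifact timeout (${buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT} HOURS) for sign_temurin_jsf has been reached. Exiting...", e)`. A one-line comment on the copyArtifacts call would also help a reader understand the provenance intent, e.g. `// specific() + fingerprintArtifacts ties the copied files to the exact sign_temurin_jsf build that produced them`.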
@@ -2208,6 +2248,7 @@ class Build {
  if (!env.JOB_NAME.contains('pr-tester') && context.JENKINS_URL.contains('adopt')) {
  try {
  gpgSign()
+ jsfSignSBOM()
  } catch (Exception e) {
  context.println(e.message)
  currentBuild.result = 'FAILURE'
From bd1b4c5ddd2311bc7d078c0ab2ab2231cc95d20e Mon Sep 17 00:00:00 2001
From: Haroon Khel
Date: Mon, 2 Dec 2024 13:31:18 +0000
Subject: [PATCH 2/6] Integrate build_sign_sbom_libraries job
---
 .../build/common/openjdk_build_pipeline.groovy | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
index 79c27de95..bce96d471 100644
--- a/pipelines/build/common/openjdk_build_pipeline.groovy
+++ b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -1058,15 +1058,20 @@ class Build {
  // Kick off the sign_temurin_jsf job to sign the SBOM
  private void jsfSignSBOM() {
  context.stage('SBOM Sign') {
- context.println "RUNNING sign_temurin_jsf for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
+
+ context.println "Running build_sign_sbom_libraries to build the SBOM libraries"
+ def buildSBOMLibrariesJob = context.build job: 'build_sign_sbom_libraries',
+ propagate: true
 
- def params = [
+ def paramsJsf = [
  context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"),
  context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"),
- context.string(name: 'UPSTREAM_DIR', value: 'workspace')
+ context.string(name: 'UPSTREAM_DIR', value: 'workspace'),
+ context.string(name:'SBOM_LIBRARY_JOB_NUMBER', value: "${buildSBOMLibrariesJob.getNumber()}")
  ]
 
- def signSHAsJob = context.build job: 'build-scripts/release/sign_temurin_jsf',
+ context.println "RUNNING sign_temurin_jsf for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
+ def signSBOMJob = context.build job: 'build-scripts/release/sign_temurin_jsf',
  propagate: true,
  parameters: params
 
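Review bot: The new `context.build job: 'build_sign_sbom_libraries'` line uses a bare job name while the signer two lines below is folder-qualified (`'build-scripts/release/sign_temurin_jsf'`); in the Jenkins build step a bare name resolves relative to the calling job's folder, so the pipeline would silently pick up a differently located job if it is ever run from another folder. If the library job lives in a fixed folder I would qualify it the same way, `job: '<folder>/build_sign_sbom_libraries'`, or add a comment stating that a relative name is intentional. Since these libraries are what the signing job loads to produce the signature, it is also worth logging the build number that was handed over, e.g. `context.println "Using build_sign_sbom_libraries #${buildSBOMLibrariesJob.getNumber()}"`, so an auditor can trace which library build signed a given SBOM. The rest of jsfSignSBOM continues below this hunk.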
@@ -1075,7 +1080,7 @@ class Build {
  context.sh 'rm -rf workspace/target/* || true'
  context.copyArtifacts(
  projectName: 'build-scripts/release/sign_temurin_jsf',
- selector: context.specific("${signSHAsJob.getNumber()}"),
+ selector: context.specific("${signSBOMJob.getNumber()}"),
  filter: '**/*.sig',
  fingerprintArtifacts: true,
  target: 'workspace/target/',
From 8687693b1b9d53743fec6c69f632b9cee473b392 Mon Sep 17 00:00:00 2001
From: Haroon Khel
Date: Mon, 2 Dec 2024 13:46:38 +0000
Subject: [PATCH 3/6] Space
---
 pipelines/build/common/openjdk_build_pipeline.groovy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
index bce96d471..3edf03912 100644
--- a/pipelines/build/common/openjdk_build_pipeline.groovy
+++ b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -1067,7 +1067,7 @@ class Build {
  context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"),
  context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"),
  context.string(name: 'UPSTREAM_DIR', value: 'workspace'),
- context.string(name:'SBOM_LIBRARY_JOB_NUMBER', value: "${buildSBOMLibrariesJob.getNumber()}")
+ context.string(name: 'SBOM_LIBRARY_JOB_NUMBER', value: "${buildSBOMLibrariesJob.getNumber()}")
  ]
 
  context.println "RUNNING sign_temurin_jsf for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
From 891aa6623a50cdc55ef78e99b179e955df3717c2 Mon Sep 17 00:00:00 2001
From: Haroon Khel
Date: Mon, 2 Dec 2024 17:37:51 +0000
Subject: [PATCH 4/6] Archiving cyclone dx jars not needed
---
 pipelines/build/common/openjdk_build_pipeline.groovy | 2 --
 1 file changed, 2 deletions(-)
diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
index 3edf03912..5c03b8ea8 100644
--- a/pipelines/build/common/openjdk_build_pipeline.groovy
+++ b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -1867,8 +1867,6 @@ class Build {
  context.archiveArtifacts artifacts: 'workspace/target/*.json'
  } else {
  context.archiveArtifacts artifacts: 'workspace/target/*'
- // Archive cyclone dx jars
- context.archiveArtifacts artifacts: "workspace/build-scripts/jobs/${buildConfig.JAVA_TO_BUILD}-${buildConfig.TARGET_OS}-${buildConfig.ARCHITECTURE}-temurin/cyclonedx-lib/**/*.jar"
  }
  }
  } catch (FlowInterruptedException e) {
From 421776fc75201b7424cf21fb29e9158ff7f9c169 Mon Sep 17 00:00:00 2001
From: Haroon Khel
Date: Mon, 9 Dec 2024 14:53:07 +0000
Subject: [PATCH 5/6] Variable name typo
---
 pipelines/build/common/openjdk_build_pipeline.groovy | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
index 5c03b8ea8..fdf341fc2 100644
--- a/pipelines/build/common/openjdk_build_pipeline.groovy
+++ b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -1066,14 +1066,14 @@ class Build {
  def paramsJsf = [
  context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"),
  context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"),
- context.string(name: 'UPSTREAM_DIR', value: 'workspace'),
+ context.string(name: 'UPSTREAM_DIR', value: 'workspace/target'),
  context.string(name: 'SBOM_LIBRARY_JOB_NUMBER', value: "${buildSBOMLibrariesJob.getNumber()}")
  ]
 
  context.println "RUNNING sign_temurin_jsf for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
  def signSBOMJob = context.build job: 'build-scripts/release/sign_temurin_jsf',
  propagate: true,
- parameters: params
+ parameters: paramsJsf
 
  context.node('worker') {
  // Remove any previous workspace artifacts
From a399cb05c9bd9affc2d452ffbd8ee61e209ae020 Mon Sep 17 00:00:00 2001
From: Haroon Khel
Date: Mon, 16 Dec 2024 16:55:06 +0000
Subject: [PATCH 6/6] archive sboms
---
 pipelines/build/common/openjdk_build_pipeline.groovy | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
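Review bot: The `UPSTREAM_DIR` change from `'workspace'` to `'workspace/target'` in the paramsJsf list is a functional change, not the rename the commit title describes, and nothing in the hunk says what the signing job resolves that path against. A reader of this list cannot tell whether it is a path inside this build's archived artifacts or a workspace path on the signing node, so I would add a short comment above `def paramsJsf = [`, e.g. `// UPSTREAM_* tell sign_temurin_jsf which build, and which archived directory within it, holds the SBOM to sign` (wording to be confirmed against the downstream job's parameter definitions). The enclosing jsfSignSBOM method starts above and ends below this hunk.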
diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
index fdf341fc2..7ea5a4d03 100644
--- a/pipelines/build/common/openjdk_build_pipeline.groovy
+++ b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -1081,7 +1081,7 @@ class Build {
  context.copyArtifacts(
  projectName: 'build-scripts/release/sign_temurin_jsf',
  selector: context.specific("${signSBOMJob.getNumber()}"),
- filter: '**/*.sig',
+ filter: '**/*sbom*.json',
  fingerprintArtifacts: true,
  target: 'workspace/target/',
  flatten: true)
@@ -1089,7 +1089,7 @@ class Build {
  // Archive SBOM signatures in Jenkins
  try {
  context.timeout(time: buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT, unit: 'HOURS') {
- context.archiveArtifacts artifacts: 'workspace/target/*.sig'
+ context.archiveArtifacts artifacts: 'workspace/target/*sbom*.json'
  }
  } catch (FlowInterruptedException e) {
  throw new Exception("[ERROR] Archive artifact timeout (${buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT} HOURS) for ${downstreamJobName} has been reached. Exiting...")
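Review bot: The comment `// Archive SBOM signatures in Jenkins` above the archiveArtifacts call is now stale: both this hunk and the copyArtifacts filter in the previous hunk switched from `.sig` files to `*sbom*.json`, so what is archived is the SBOM document itself (presumably with the JSF signature embedded, since JSF signs in-document). The pattern `workspace/target/*sbom*.json` also overlaps the `workspace/target/*.json` archived earlier in the build (visible as context in the first patch's second hunk), so if the signing job returns the file under its original name the signed copy silently replaces the unsigned one in the build's artifacts. If that replacement is the intent I would say so in the comment, e.g. `// Archive the JSF-signed SBOM JSON returned by sign_temurin_jsf; it replaces the unsigned copy archived earlier under the same name`; if not, the signed output should be archived under a distinct name so both remain available for verification. The enclosing jsfSignSBOM method starts above this hunk and its closing braces lie below it.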