From c77e4ed55a87bc6a18172424b7fd8da1892d07ae Mon Sep 17 00:00:00 2001
From: Yashvardhan Nanavati
Date: Fri, 14 Jun 2024 14:53:05 -0700
Subject: [PATCH] feat: support multi-arch images in deprecated-base-image-check task

resolves #1072 KFLUXBUGS-1316
---
 .../0.4/deprecated-image-check.yaml | 41 +++++++++++++++----
 1 file changed, 34 insertions(+), 7 deletions(-)

diff --git a/task/deprecated-image-check/0.4/deprecated-image-check.yaml b/task/deprecated-image-check/0.4/deprecated-image-check.yaml
index 49f61954dd..a3204c7036 100644
--- a/task/deprecated-image-check/0.4/deprecated-image-check.yaml
+++ b/task/deprecated-image-check/0.4/deprecated-image-check.yaml
@@ -29,6 +29,8 @@ spec:
   results:
     - description: Tekton task test output.
       name: TEST_OUTPUT
+    - description: Images processed in the task.
+      name: IMAGES_PROCESSED
   steps:
     - name: check-images
@@ -53,20 +55,43 @@ spec:
       trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT
       IMAGES_TO_BE_PROCESSED_PATH="/tmp/images_to_be_processed.txt"
-      SBOM_FILE_PATH="/tmp/sbom.json"
+      touch /tmp/images_to_be_processed.txt
       success_counter=0
       failure_counter=0
       error_counter=0
       warnings_counter=0
-      # Get base images from SBOM
-      cosign download sbom "${IMAGE_URL}@${IMAGE_DIGEST}" > ${SBOM_FILE_PATH}
+      images_processed_template='{"image": {"pullspec": "'"$IMAGE_URL"'", "digests": [%s]}}'
+      digests_processed=()
+
+      imagewithouttag=$(echo -n $IMAGE_URL | sed "s/\(.*\):.*/\1/")
+      # strip new-line escape symbol from parameter and save it to variable
+      imageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)
+
+      # Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes
+      image_manifests=$(get_image_manifests -i ${imageanddigest})
+      if [ -n "$image_manifests" ]; then
+        while read -r arch arch_sha; do
+          SBOM_FILE_PATH=$(echo "/tmp/sbom-$arch.json")
+          arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)
+
+          # Get base images from SBOM
+          cosign download sbom $arch_imageanddigest > ${SBOM_FILE_PATH}
+          if [ $? -ne 0 ]; then
+            echo "Unable to download sbom for arch $arch."
+            continue
+          fi
-      cat ${SBOM_FILE_PATH} | jq -r '.formulation? // empty | .[] | .components? // empty | .[] | select(any((.properties // empty)[]; .name | test("^konflux:container:is_(base|builder)_image"))) | .name' > ${IMAGES_TO_BE_PROCESSED_PATH}
-      echo "Detected base images from SBOM:"
-      cat "${IMAGES_TO_BE_PROCESSED_PATH}"
-      echo ""
+          cat ${SBOM_FILE_PATH} | jq -r '.formulation? // empty | .[] | .components? // empty | .[] | select(any((.properties // empty)[]; .name | test("^konflux:container:is_(base|builder)_image"))) | .name' >> ${IMAGES_TO_BE_PROCESSED_PATH}
+          echo "Detected base images from $arch SBOM:"
+          cat "${IMAGES_TO_BE_PROCESSED_PATH}"
+          echo ""
+
+          digests_processed+=("\"$arch_sha\"")
+        done < <(echo "$image_manifests" | jq -r 'to_entries[] | "\(.key) \(.value)"')
+      fi
+      digests_processed_string=$(IFS=,; echo "${digests_processed[*]}")
       if [ -n "${BASE_IMAGES_DIGESTS}" ]; then
@@ -148,3 +173,5 @@ spec:
           -s "${success_counter}" -f "${failure_counter}" -w "${warnings_counter}" -t "$note")
       fi
       echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path)
+
+      echo "${images_processed_template/\[%s]/[$digests_processed_string]}" | tee $(results.IMAGES_PROCESSED.path)
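Review bot: Inside the `while read -r arch arch_sha` loop the jq output is appended with `>>` to `${IMAGES_TO_BE_PROCESSED_PATH}`, but the `cat "${IMAGES_TO_BE_PROCESSED_PATH}"` right after it prints the whole cumulative file, so the listing labelled `Detected base images from $arch SBOM:` includes earlier architectures, and a base image shared by several architectures lands in the file once per architecture, so whatever reads the file after the hunk presumably checks it repeatedly (that consumer is outside the hunk). Moving the echo/cat after `done` and deduplicating there, `sort -u -o "$IMAGES_TO_BE_PROCESSED_PATH" "$IMAGES_TO_BE_PROCESSED_PATH"`, gives one listing and one entry per image. `sed "s/\(.*\):.*/\1/"` cuts at the last colon, so an `IMAGE_URL` with a registry port and no tag would lose its path; `sed 's/:[^/]*$//'` removes only a trailing tag. When `get_image_manifests` returns nothing the whole SBOM step is skipped and the check finishes with an empty image list instead of an error, so if that helper is meant to return a manifest for single-arch images as well, an `else` branch that reports the lookup failure (e.g. `error_counter=$((error_counter + 1))`) would make that visible rather than a silent pass. The enclosing script block begins before the hunk.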
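Review bot: The IMAGES_PROCESSED result is built by pattern substitution on `images_processed_template`, which embeds `$IMAGE_URL` unescaped, so a quote or backslash in that task parameter produces a result that is not valid JSON and nothing in this hunk would notice. Building it with jq keeps the document well-formed for any input: `jq -n -c --arg pullspec "$IMAGE_URL" --argjson digests "[$digests_processed_string]" '{image: {pullspec: $pullspec, digests: $digests}}' | tee $(results.IMAGES_PROCESSED.path)`. An empty `digests_processed` yields `"digests": []`, which a consumer cannot tell apart from an image that was inspected and had no manifests; stating that in the result description added in the first hunk would help readers of the result.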