Skip to content

Commit

Permalink
Add image reference to SBOM
Browse files Browse the repository at this point in the history 
The SBOM generated by the buildah task now contains the reference to the
image itself. The new script supports both spdx and cyclonedx format.

JIRA: ISV-5411

Signed-off-by: Ales Raszka <[email protected]>
  • Loading branch information
@Allda @tisutisu
Allda authored and tisutisu committed Nov 28, 2024
1 parent fa08dd6 commit e607cc2
Show file tree
Hide file tree
Showing 5 changed files with 376 additions and 322 deletions.
152 changes: 82 additions & 70 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ metadata:
tekton.dev/pipelines.minVersion: 0.12.1
tekton.dev/tags: image-build, konflux
labels:
app.kubernetes.io/version: "0.2"
app.kubernetes.io/version: 0.2.1
build.appstudio.redhat.com/build_type: docker
spec:
description: |-
Expand Down Expand Up @@ -546,6 +546,75 @@ spec:
capabilities:
add:
- SETFCAP
- name: push
image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
workingDir: /var/workdir
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
script: |
#!/bin/bash
set -e
retry() {
status=-1
max_run=5
sleep_sec=10
for run in $(seq 1 $max_run); do
status=0
[ "$run" -gt 1 ] && sleep $sleep_sec
"$@" && break || status=$?
done
return $status
}
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
if ! retry buildah push \
--tls-verify="$TLSVERIFY" \
"$IMAGE" \
"docker://${IMAGE%:*}:$(context.taskRun.name)"; then
echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"
exit 1
fi
echo "Pushing to ${IMAGE}"
if ! retry buildah push \
--tls-verify="$TLSVERIFY" \
--digestfile "/var/workdir/image-digest" "$IMAGE" \
"docker://$IMAGE"; then
echo "Failed to push sbom image to $IMAGE after ${max_run} tries"
exit 1
fi
cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "/var/workdir/image-digest"
} >"$(results.IMAGE_REF.path)"
computeResources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: "1"
memory: 1Gi
securityContext:
capabilities:
add:
- SETFCAP
runAsUser: 0
- name: sbom-syft-generate
image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f
workingDir: /var/workdir/source
Expand Down Expand Up @@ -610,6 +679,18 @@ spec:
--sbom=sbom-cyclonedx.json \
--base-images-from-dockerfile=/shared/base_images_from_dockerfile \
--base-images-digests=/shared/base_images_digests
echo "Adding image reference to sbom"
IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")"
IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")"
python3 /scripts/add_image_reference.py \
--image-url "$IMAGE_URL" \
--image-digest "$IMAGE_DIGEST" \
--input-file sbom-cyclonedx.json \
--output-file /tmp/sbom-cyclonedx.tmp.json
mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json
computeResources:
limits:
cpu: 200m
Expand All @@ -619,75 +700,6 @@ spec:
memory: 256Mi
securityContext:
runAsUser: 0
- name: push
image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
workingDir: /var/workdir
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
script: |
#!/bin/bash
set -e
retry() {
status=-1
max_run=5
sleep_sec=10
for run in $(seq 1 $max_run); do
status=0
[ "$run" -gt 1 ] && sleep $sleep_sec
"$@" && break || status=$?
done
return $status
}
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
if ! retry buildah push \
--tls-verify="$TLSVERIFY" \
"$IMAGE" \
"docker://${IMAGE%:*}:$(context.taskRun.name)"; then
echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"
exit 1
fi
echo "Pushing to ${IMAGE}"
if ! retry buildah push \
--tls-verify="$TLSVERIFY" \
--digestfile "/var/workdir/image-digest" "$IMAGE" \
"docker://$IMAGE"; then
echo "Failed to push sbom image to $IMAGE after ${max_run} tries"
exit 1
fi
cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "/var/workdir/image-digest"
} >"$(results.IMAGE_REF.path)"
computeResources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: "1"
memory: 1Gi
securityContext:
capabilities:
add:
- SETFCAP
runAsUser: 0
- name: upload-sbom
image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
workingDir: /var/workdir
Expand Down
154 changes: 83 additions & 71 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ metadata:
tekton.dev/tags: image-build, konflux
creationTimestamp: null
labels:
app.kubernetes.io/version: "0.2"
app.kubernetes.io/version: 0.2.1
build.appstudio.redhat.com/build_type: docker
name: buildah-remote-oci-ta
spec:
Expand Down Expand Up @@ -642,6 +642,79 @@ spec:
name: ssh
readOnly: true
workingDir: /var/workdir
- computeResources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: "1"
memory: 1Gi
image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
name: push
script: |
#!/bin/bash
set -e
if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then
IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
export IMAGE
fi
retry() {
status=-1
max_run=5
sleep_sec=10
for run in $(seq 1 $max_run); do
status=0
[ "$run" -gt 1 ] && sleep $sleep_sec
"$@" && break || status=$?
done
return $status
}
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
if ! retry buildah push \
--tls-verify="$TLSVERIFY" \
"$IMAGE" \
"docker://${IMAGE%:*}:$(context.taskRun.name)"; then
echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"
exit 1
fi
echo "Pushing to ${IMAGE}"
if ! retry buildah push \
--tls-verify="$TLSVERIFY" \
--digestfile "/var/workdir/image-digest" "$IMAGE" \
"docker://$IMAGE"; then
echo "Failed to push sbom image to $IMAGE after ${max_run} tries"
exit 1
fi
cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "/var/workdir/image-digest"
} >"$(results.IMAGE_REF.path)"
securityContext:
capabilities:
add:
- SETFCAP
runAsUser: 0
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
workingDir: /var/workdir
- computeResources:
limits:
cpu: "2"
Expand Down Expand Up @@ -730,81 +803,20 @@ spec:
--sbom=sbom-cyclonedx.json \
--base-images-from-dockerfile=/shared/base_images_from_dockerfile \
--base-images-digests=/shared/base_images_digests
securityContext:
runAsUser: 0
workingDir: /var/workdir
- computeResources:
limits:
cpu: "4"
memory: 4Gi
requests:
cpu: "1"
memory: 1Gi
image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
name: push
script: |
#!/bin/bash
set -e
if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then
IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
export IMAGE
fi
retry() {
status=-1
max_run=5
sleep_sec=10
echo "Adding image reference to sbom"
IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")"
IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")"
for run in $(seq 1 $max_run); do
status=0
[ "$run" -gt 1 ] && sleep $sleep_sec
"$@" && break || status=$?
done
return $status
}
python3 /scripts/add_image_reference.py \
--image-url "$IMAGE_URL" \
--image-digest "$IMAGE_DIGEST" \
--input-file sbom-cyclonedx.json \
--output-file /tmp/sbom-cyclonedx.tmp.json
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
if ! retry buildah push \
--tls-verify="$TLSVERIFY" \
"$IMAGE" \
"docker://${IMAGE%:*}:$(context.taskRun.name)"; then
echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"
exit 1
fi
echo "Pushing to ${IMAGE}"
if ! retry buildah push \
--tls-verify="$TLSVERIFY" \
--digestfile "/var/workdir/image-digest" "$IMAGE" \
"docker://$IMAGE"; then
echo "Failed to push sbom image to $IMAGE after ${max_run} tries"
exit 1
fi
cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
{
echo -n "${IMAGE}@"
cat "/var/workdir/image-digest"
} >"$(results.IMAGE_REF.path)"
mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json
securityContext:
capabilities:
add:
- SETFCAP
runAsUser: 0
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
workingDir: /var/workdir
- computeResources:
limits:
Expand Down
Loading

0 comments on commit e607cc2

Please sign in to comment.