From b1018cf921811a7ab556f3ce6c88f43aa41f51a0 Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Thu, 12 Sep 2024 17:06:26 -0400 Subject: [PATCH] Include Image Index digest in PROCESSED_IMAGES In order to fix KFLUXBUGS-1616, we need to ensure the digest of the Image Index is also included in the list of PROCESSED_IMAGES. This will allow EC to verify the Image Index directly as well as the Image Manifests. Signed-off-by: Luiz Carvalho --- task/clair-scan/0.1/clair-scan.yaml | 6 +++++- task/clamav-scan/0.1/clamav-scan.yaml | 5 +++++ task/deprecated-image-check/0.4/deprecated-image-check.yaml | 6 ++++++ task/sbom-json-check/0.1/sbom-json-check.yaml | 5 +++++ task/sbom-json-check/0.2/sbom-json-check.yaml | 5 +++++ 5 files changed, 26 insertions(+), 1 deletion(-) diff --git a/task/clair-scan/0.1/clair-scan.yaml b/task/clair-scan/0.1/clair-scan.yaml index 3701dffe71..e87d976e34 100644 --- a/task/clair-scan/0.1/clair-scan.yaml +++ b/task/clair-scan/0.1/clair-scan.yaml @@ -113,9 +113,13 @@ spec: fi done + # If the image is an Image Index, also add the Image Index digest to the list. + if [[ "${digests_processed[*]}" != *"$IMAGE_DIGEST"* ]]; then + digests_processed+=("\"$IMAGE_DIGEST\"") + fi + digests_processed_string=$(IFS=,; echo "${digests_processed[*]}") - # add the image_index to the processed digests list and store the result in a file images_processed=$(echo "${images_processed_template/\[%s]/[$digests_processed_string]}") echo "$images_processed" > /tekton/home/images-processed.json - name: conftest-vulnerabilities diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml index cbdb9e1f45..4baa6da86e 100644 --- a/task/clamav-scan/0.1/clamav-scan.yaml +++ b/task/clamav-scan/0.1/clamav-scan.yaml 
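Review bot: The comment above the new `if` says the digest is added only when the image is an Image Index, but the condition in that block never checks this — it only skips when `$IMAGE_DIGEST` already appears in `${digests_processed[*]}`, so for a single-manifest image the digest is appended as well unless code outside the hunk already recorded it. Reword it to match what the code does, e.g. `# Ensure the top-level digest (the Image Index digest for multi-arch images) is in the list; skip if already recorded.` The test is also a glob substring match over the joined array: if `IMAGE_DIGEST` is empty or unset the pattern `*""*` matches everything and the branch is silently skipped, so since this list is what EC goes on to verify, guard it first with `: "${IMAGE_DIGEST:?IMAGE_DIGEST must be set}"`. The same four-line block is repeated verbatim in clamav-scan.yaml, deprecated-image-check.yaml and both sbom-json-check.yaml versions, and the enclosing script step starts and continues outside the hunk in all five.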
@@ -145,6 +145,11 @@ spec: "note" : (if .result == "" or ($item.result == "SKIPPED" and .result == "SUCCESS") or ($item.result == "WARNING" and (.result == "SUCCESS" or .result == "SKIPPED")) or ($item.result == "FAILURE" and .result != "ERROR") or $item.result == "ERROR" then $item.note else .note end) })' /work/logs/clamscan-ec-test-*.json | tee $(results.TEST_OUTPUT.path) + # If the image is an Image Index, also add the Image Index digest to the list. + if [[ "${digests_processed[*]}" != *"$IMAGE_DIGEST"* ]]; then + digests_processed+=("\"$IMAGE_DIGEST\"") + fi + digests_processed_string=$(IFS=,; echo "${digests_processed[*]}") echo "${images_processed_template/\[%s]/[$digests_processed_string]}" | tee $(results.IMAGES_PROCESSED.path) volumeMounts: diff --git a/task/deprecated-image-check/0.4/deprecated-image-check.yaml b/task/deprecated-image-check/0.4/deprecated-image-check.yaml index 2e0f5eec72..222753f873 100644 --- a/task/deprecated-image-check/0.4/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.4/deprecated-image-check.yaml @@ -99,6 +99,12 @@ spec: digests_processed+=("\"$arch_sha\"") done < <(echo "$image_manifests" | jq -r 'to_entries[] | "\(.key) \(.value)"') fi + + # If the image is an Image Index, also add the Image Index digest to the list. + if [[ "${digests_processed[*]}" != *"$IMAGE_DIGEST"* ]]; then + digests_processed+=("\"$IMAGE_DIGEST\"") + fi + digests_processed_string=$(IFS=,; echo "${digests_processed[*]}") if [ -n "${BASE_IMAGES_DIGESTS}" ]; diff --git a/task/sbom-json-check/0.1/sbom-json-check.yaml b/task/sbom-json-check/0.1/sbom-json-check.yaml index 94ac46b851..e17ca78c44 100644 --- a/task/sbom-json-check/0.1/sbom-json-check.yaml +++ b/task/sbom-json-check/0.1/sbom-json-check.yaml 
@@ -84,6 +84,11 @@ spec: done < <(echo "$image_manifests" | jq -r 'to_entries[] | "\(.key) \(.value)"') fi + # If the image is an Image Index, also add the Image Index digest to the list. + if [[ "${digests_processed[*]}" != *"$IMAGE_DIGEST"* ]]; then + digests_processed+=("\"$IMAGE_DIGEST\"") + fi + # arrays to keep count of successful and failed checks successes=() failures=() diff --git a/task/sbom-json-check/0.2/sbom-json-check.yaml b/task/sbom-json-check/0.2/sbom-json-check.yaml index 94ac46b851..e17ca78c44 100644 --- a/task/sbom-json-check/0.2/sbom-json-check.yaml +++ b/task/sbom-json-check/0.2/sbom-json-check.yaml @@ -84,6 +84,11 @@ spec: done < <(echo "$image_manifests" | jq -r 'to_entries[] | "\(.key) \(.value)"') fi + # If the image is an Image Index, also add the Image Index digest to the list. + if [[ "${digests_processed[*]}" != *"$IMAGE_DIGEST"* ]]; then + digests_processed+=("\"$IMAGE_DIGEST\"") + fi + # arrays to keep count of successful and failed checks successes=() failures=()