From 71273de17096fb505eab6a97e8ee38dd924468cd Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 17 Sep 2024 12:22:21 -0400 Subject: [PATCH] De-duplicate attachment of OCI artifacts In PSSECAUT-605, a user reports that there is some funny behavior that is likely due to us invoking oras attach *twice* here. There's no good reason to do it twice. Let's instead invoke it once, without specifying the distribution spec, and let oras choose for us. --- task/clamav-scan/0.1/clamav-scan.yaml | 6 ++---- task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml | 6 ++---- task/sast-snyk-check/0.2/sast-snyk-check.yaml | 6 ++---- 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml index 5bf779fca2..21f2791a97 100644 --- a/task/clamav-scan/0.1/clamav-scan.yaml +++ b/task/clamav-scan/0.1/clamav-scan.yaml @@ -197,10 +197,8 @@ spec: echo "Selecting auth" select-oci-auth $IMAGE_URL > $HOME/auth.json - echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers API" - oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-api --artifact-type application/vnd.clamav "${IMAGE_URL}" "${args[@]}" - echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers Tag" - oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-tag --artifact-type application/vnd.clamav "${IMAGE_URL}" "${args[@]}" + echo "Attaching to ${IMAGE_URL}" + oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type application/vnd.clamav "${IMAGE_URL}" "${args[@]}" volumeMounts: - mountPath: /work name: work diff --git a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml index 1eb3117356..1540e8c557 100644 --- a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml @@ -146,7 +146,5 @@ spec: echo "Selecting auth" select-oci-auth $IMAGE_URL >$HOME/auth.json - echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers API" - oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-api --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" - echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers Tag" - oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-tag --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + echo "Attaching to ${IMAGE_URL}" + oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" diff --git a/task/sast-snyk-check/0.2/sast-snyk-check.yaml b/task/sast-snyk-check/0.2/sast-snyk-check.yaml index c2e7fbf789..6c2e4262dd 100644 --- a/task/sast-snyk-check/0.2/sast-snyk-check.yaml +++ b/task/sast-snyk-check/0.2/sast-snyk-check.yaml @@ -122,9 +122,7 @@ spec: echo "Selecting auth" select-oci-auth $IMAGE_URL > $HOME/auth.json - echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers API" - oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-api --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" - echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers Tag" - oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-tag --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + echo "Attaching to ${IMAGE_URL}" + oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" workspaces: - name: workspace