oci-copy: support SPDX

Add SBOM_TYPE param to allow choosing the SBOM format to generate.
Defaults to cyclonedx for now.

Signed-off-by: Adam Cmiel <[email protected]>

Author: chmeliik

task/oci-copy-oci-ta/0.1/README.md

@@ -9,6 +9,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in
 |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
 |IMAGE|Reference of the image we will push||true|
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
+|SBOM_TYPE|Select the SBOM format to generate. Valid values: spdx, cyclonedx.|cyclonedx|false|
 |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
 
 ## Results

task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml

@@ -37,6 +37,11 @@ spec:
       description: Path to the oci copy file.
       type: string
       default: ./oci-copy.yaml
+    - name: SBOM_TYPE
+      description: 'Select the SBOM format to generate. Valid values: spdx,
+        cyclonedx.'
+      type: string
+      default: cyclonedx
     - name: SOURCE_ARTIFACT
       description: The Trusted Artifact URI pointing to the artifact with
         the application source code.
@@ -61,6 +66,8 @@ spec:
         value: $(params.IMAGE)
       - name: OCI_COPY_FILE
         value: $(params.OCI_COPY_FILE)
+      - name: SBOM_TYPE
+        value: $(params.SBOM_TYPE)
     volumeMounts:
       - mountPath: /var/workdir
         name: workdir
@@ -304,27 +311,29 @@ spec:
         IMAGE_DIGEST=$(cat "$(results.IMAGE_DIGEST.path)")
         oci_copy_file_path="$(pwd)/source/$OCI_COPY_FILE"
 
-        python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" -o sbom-cyclonedx.json
+        python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" \
+          --sbom-type "$SBOM_TYPE" \
+          -o sbom.json
 
         python3 /scripts/add_image_reference.py \
           --image-url "$IMAGE_URL" \
           --image-digest "$IMAGE_DIGEST" \
-          --input-file sbom-cyclonedx.json \
-          --output-file /tmp/sbom-cyclonedx.tmp.json
+          --input-file sbom.json \
+          --output-file /tmp/sbom.tmp.json
 
-        mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json
+        mv /tmp/sbom.tmp.json sbom.json
     - name: upload-sbom
       image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       workingDir: /var/workdir
       script: |
-        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+        cosign attach sbom --sbom sbom.json --type "$SBOM_TYPE" "$(cat "$(results.IMAGE_REF.path)")"
     - name: report-sbom-url
       image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
       workingDir: /var/workdir
       script: |
         #!/bin/bash
         REPO=${IMAGE%:*}
         echo "Found that ${REPO} is the repository for ${IMAGE}"
-        SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }')
+        SBOM_DIGEST=$(sha256sum sbom.json | awk '{ print $1 }')
         echo "Found that ${SBOM_DIGEST} is the SBOM digest"
         echo -n "${REPO}@sha256:${SBOM_DIGEST}" | tee $(results.SBOM_BLOB_URL.path)

task/oci-copy/0.1/README.md

@@ -15,6 +15,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
 |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
 |AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`. In the future, this will be reimplemented to use v4 auth: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.|does-not-exist|false|
+|SBOM_TYPE|Select the SBOM format to generate. Valid values: spdx, cyclonedx.|cyclonedx|false|
 
 ## Results
 |name|description|

task/oci-copy/0.1/oci-copy.yaml

@@ -34,6 +34,11 @@ spec:
         https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.
       type: string
       default: "does-not-exist"
+    - name: SBOM_TYPE
+      description: "Select the SBOM format to generate. Valid values: spdx, cyclonedx."
+      type: string
+      default: cyclonedx
+
   results:
     - description: Digest of the artifact just pushed
       name: IMAGE_DIGEST
@@ -49,6 +54,8 @@ spec:
         value: $(params.OCI_COPY_FILE)
       - name: IMAGE
         value: $(params.IMAGE)
+      - name: SBOM_TYPE
+        value: $(params.SBOM_TYPE)
   steps:
     - name: prepare
       image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
@@ -283,28 +290,30 @@ spec:
         IMAGE_DIGEST=$(cat "$(results.IMAGE_DIGEST.path)")
         oci_copy_file_path="$(pwd)/source/$OCI_COPY_FILE"
 
-        python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" -o sbom-cyclonedx.json
+        python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" \
+          --sbom-type "$SBOM_TYPE" \
+          -o sbom.json
 
         python3 /scripts/add_image_reference.py \
           --image-url "$IMAGE_URL" \
           --image-digest "$IMAGE_DIGEST" \
-          --input-file sbom-cyclonedx.json \
-          --output-file /tmp/sbom-cyclonedx.tmp.json
+          --input-file sbom.json \
+          --output-file /tmp/sbom.tmp.json
 
-        mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json
+        mv /tmp/sbom.tmp.json sbom.json
       workingDir: $(workspaces.source.path)
     - name: upload-sbom
       image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       workingDir: $(workspaces.source.path)
       script: |
-        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+        cosign attach sbom --sbom sbom.json --type "$SBOM_TYPE" "$(cat "$(results.IMAGE_REF.path)")"
     - name: report-sbom-url
       image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
       script: |
         #!/bin/bash
         REPO=${IMAGE%:*}
         echo "Found that ${REPO} is the repository for ${IMAGE}"
-        SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }')
+        SBOM_DIGEST=$(sha256sum sbom.json | awk '{ print $1 }')
         echo "Found that ${SBOM_DIGEST} is the SBOM digest"
         echo -n "${REPO}@sha256:${SBOM_DIGEST}" | tee $(results.SBOM_BLOB_URL.path)
       workingDir: $(workspaces.source.path)