From 9f2b33b18a26dcbefc62840291e7096d6e078e34 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Tue, 14 Jan 2025 13:51:23 +0100 Subject: [PATCH] oci-copy: support SPDX Add SBOM_TYPE param to allow choosing the SBOM format to generate. Defaults to cyclonedx for now. Signed-off-by: Adam Cmiel --- task/oci-copy-oci-ta/0.1/README.md | 1 + task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 21 +++++++++++++------ task/oci-copy/0.1/README.md | 1 + task/oci-copy/0.1/oci-copy.yaml | 21 +++++++++++++------ 4 files changed, 32 insertions(+), 12 deletions(-) diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index 48eba0f77b..b75bdb4724 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md @@ -9,6 +9,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| |IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| +|SBOM_TYPE|Select the SBOM format to generate. Valid values: spdx, cyclonedx.|cyclonedx|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| ## Results diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 111f039c1d..a49dbb7ff1 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml 
@@ -37,6 +37,11 @@ spec: description: Path to the oci copy file. type: string default: ./oci-copy.yaml + - name: SBOM_TYPE + description: 'Select the SBOM format to generate. Valid values: spdx, + cyclonedx.' + type: string + default: cyclonedx - name: SOURCE_ARTIFACT description: The Trusted Artifact URI pointing to the artifact with the application source code. @@ -61,6 +66,8 @@ spec: value: $(params.IMAGE) - name: OCI_COPY_FILE value: $(params.OCI_COPY_FILE) + - name: SBOM_TYPE + value: $(params.SBOM_TYPE) volumeMounts: - mountPath: /var/workdir name: workdir @@ -304,20 +311,22 @@ spec: IMAGE_DIGEST=$(cat "$(results.IMAGE_DIGEST.path)") oci_copy_file_path="$(pwd)/source/$OCI_COPY_FILE" - python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" -o sbom-cyclonedx.json + python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" \ + --sbom-type "$SBOM_TYPE" \ + -o sbom.json python3 /scripts/add_image_reference.py \ --image-url "$IMAGE_URL" \ --image-digest "$IMAGE_DIGEST" \ - --input-file sbom-cyclonedx.json \ - --output-file /tmp/sbom-cyclonedx.tmp.json + --input-file sbom.json \ + --output-file /tmp/sbom.tmp.json - mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json + mv /tmp/sbom.tmp.json sbom.json - name: upload-sbom image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 workingDir: /var/workdir script: | - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + cosign attach sbom --sbom sbom.json --type "$SBOM_TYPE" "$(cat "$(results.IMAGE_REF.path)")" - name: report-sbom-url image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21 workingDir: /var/workdir 
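Review bot: The new `SBOM_TYPE` parameter documents two valid values but nothing in the task enforces them; the value is passed straight through to `--sbom-type` and to `cosign attach sbom --type` in the later hunks, so a typo is caught, if at all, only by those tools. If the target Tekton version supports parameter enums, `enum: [spdx, cyclonedx]` on this param would reject bad values at TaskRun admission; otherwise a shell guard in the task's first step, before anything is pushed, does the job: `case "$SBOM_TYPE" in spdx|cyclonedx) ;; *) echo "Unsupported SBOM_TYPE: $SBOM_TYPE" >&2; exit 1 ;; esac`. Whether `sbom_for_oci_copy_task.py` already rejects unknown values is not visible here.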
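Review bot: `$SBOM_TYPE` is first consumed in this step and then in `upload-sbom`, both of which run after the artifact push has completed (`IMAGE_DIGEST` is already read from the results at the top of the hunk), so an unsupported value fails the run only once the artifact is in the registry, leaving it pushed with no SBOM attached. Any validation of `SBOM_TYPE` therefore has to live in a step that runs before the push, not in this script; the push step itself is outside this hunk. It would also help to record the coupling here, e.g. `# SBOM_TYPE doubles as cosign's --type in upload-sbom; keep its accepted values aligned with sbom_for_oci_copy_task.py`.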
@@ -325,6 +334,6 @@ spec: #!/bin/bash REPO=${IMAGE%:*} echo "Found that ${REPO} is the repository for ${IMAGE}" - SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }') + SBOM_DIGEST=$(sha256sum sbom.json | awk '{ print $1 }') echo "Found that ${SBOM_DIGEST} is the SBOM digest" echo -n "${REPO}@sha256:${SBOM_DIGEST}" | tee $(results.SBOM_BLOB_URL.path) diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index 5c978941fb..728aa30bdb 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md @@ -15,6 +15,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| |AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`. In the future, this will be reimplemented to use v4 auth: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.|does-not-exist|false| +|SBOM_TYPE|Select the SBOM format to generate. Valid values: spdx, cyclonedx.|cyclonedx|false| ## Results |name|description| diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index 366ed9dab1..22832de0aa 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml 
@@ -34,6 +34,11 @@ spec:
 https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.
 type: string
 default: "does-not-exist"
+ - name: SBOM_TYPE
+ description: "Select the SBOM format to generate. Valid values: spdx, cyclonedx."
+ type: string
+ default: cyclonedx
+
 results:
 - description: Digest of the artifact just pushed
 name: IMAGE_DIGEST
@@ -49,6 +54,8 @@ spec:
 value: $(params.OCI_COPY_FILE)
 - name: IMAGE
 value: $(params.IMAGE)
+ - name: SBOM_TYPE
+ value: $(params.SBOM_TYPE)
 steps:
 - name: prepare
 image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
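Review bot: The `SBOM_TYPE` parameter lists its valid values in the description only; nothing rejects other strings, and later steps use the value verbatim for the SBOM generator and for cosign. If the Tekton version in use supports parameter enums, adding `enum: [spdx, cyclonedx]` under this param rejects bad values at admission; otherwise the `prepare` step visible at the end of the second hunk (its script is outside the hunk) is the right place for a fail-fast check before the push, e.g. `case "$SBOM_TYPE" in spdx|cyclonedx) ;; *) echo "Unsupported SBOM_TYPE: $SBOM_TYPE" >&2; exit 1 ;; esac`. That check needs `SBOM_TYPE` in the step's environment, which the env entry added in the second hunk appears to provide via the step template.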
@@ -283,28 +290,30 @@ spec: IMAGE_DIGEST=$(cat "$(results.IMAGE_DIGEST.path)") oci_copy_file_path="$(pwd)/source/$OCI_COPY_FILE" - python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" -o sbom-cyclonedx.json + python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" \ + --sbom-type "$SBOM_TYPE" \ + -o sbom.json python3 /scripts/add_image_reference.py \ --image-url "$IMAGE_URL" \ --image-digest "$IMAGE_DIGEST" \ - --input-file sbom-cyclonedx.json \ - --output-file /tmp/sbom-cyclonedx.tmp.json + --input-file sbom.json \ + --output-file /tmp/sbom.tmp.json - mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json + mv /tmp/sbom.tmp.json sbom.json workingDir: $(workspaces.source.path) - name: upload-sbom image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 workingDir: $(workspaces.source.path) script: | - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + cosign attach sbom --sbom sbom.json --type "$SBOM_TYPE" "$(cat "$(results.IMAGE_REF.path)")" - name: report-sbom-url image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21 script: | #!/bin/bash REPO=${IMAGE%:*} echo "Found that ${REPO} is the repository for ${IMAGE}" - SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }') + SBOM_DIGEST=$(sha256sum sbom.json | awk '{ print $1 }') echo "Found that ${SBOM_DIGEST} is the SBOM digest" echo -n "${REPO}@sha256:${SBOM_DIGEST}" | tee $(results.SBOM_BLOB_URL.path) workingDir: $(workspaces.source.path)
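Review bot: Renaming the generated file from `sbom-cyclonedx.json` to `sbom.json` changes a file that lives in the shared `$(workspaces.source.path)` workspace, so any later pipeline task that reads the old name from that workspace would silently stop finding it; if such consumers exist, keep a compatibility copy or coordinate the rename. `cosign attach sbom --type "$SBOM_TYPE"` now also trusts the parameter to match both cosign's accepted type names and the format the Python script actually wrote, and a comment above it, `# --type must match the format sbom_for_oci_copy_task.py emitted for $SBOM_TYPE`, would make that coupling explicit. Separately, cosign has been deprecating `attach sbom` in favour of SBOM attestations, so it is worth confirming the behaviour of the cosign version in the pinned appstudio-utils image.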