
Commit a57eb69

committed
- Remove the python script create_purl_sbom.py as deprecated
- Improve the code to also generate the SBOM of the build image - Remove unused parameters Signed-off-by: cmoulliard <[email protected]>
1 parent 84b6cae commit a57eb69


2 files changed

+39
-30
lines changed

2 files changed

+39
-30
lines changed

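--- a/task/build-paketo-builder-oci-ta/0.1/README.md
+++ b/task/build-paketo-builder-oci-ta/0.1/README.md
@@ -4,21 +4,21 @@ The `build-paketo-builder-oci-ta` task builds a builder image (e.g. https://gith
 The task also produces the SBOM which is signed and added to the image.
 
 ## Parameters
-| name | description | default value | required |
-|----------------------|-------------------------------------------------------------------------------------|----------------------------------------------------------------------------|----------|
-| BUILD_ARGS | Array of --build-arg values ("arg=value" strings) | [] | false |
-| BUILDER_NAME | Name of the paketo builder image containing the tools as: pack, jam, create-package | | true |
-| CACHI2_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. | "" | false |
-| CONTEXT | Path to the directory to use as context. | . | false |
-| HERMETIC | Determines if build will be executed without network access. | false | false |
-| IMAGE | Reference of the image buildah will produce. | | true |
-| PLATFORM | The platform to build on | | true |
-| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | | true |
-| SOURCE_CODE_DIR | The subpath of the application source code. | "." | true |
-| STORAGE_DRIVER | Storage driver to configure for buildah | vfs | false |
-| TLSVERIFY | Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) | true | false |
-| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | false |
-| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | false |
+
+| name | description | default value | required |
+|----------------------|-------------------------------------------------------------------------------------|---------------|----------|
+| BUILD_ARGS | Array of --build-arg values ("arg=value" strings) | [] | false |
+| CACHI2_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. | "" | false |
+| CONTEXT | Path to the directory to use as context. | . | false |
+| HERMETIC | Determines if build will be executed without network access. | false | false |
+| IMAGE | Reference of the image buildah will produce. | | true |
+| PLATFORM | The platform to build on | | true |
+| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | | true |
+| SOURCE_CODE_DIR | The subpath of the application source code. | "." | true |
+| STORAGE_DRIVER | Storage driver to configure for buildah | vfs | false |
+| TLSVERIFY | Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) | true | false |
+| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | false |
+| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | false |
 
 ## Results
 |name|description|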

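--- a/task/build-paketo-builder-oci-ta/0.1/build-paketo-builder-oci-ta.yaml
+++ b/task/build-paketo-builder-oci-ta/0.1/build-paketo-builder-oci-ta.yaml
@@ -99,7 +99,7 @@ spec:
 stepTemplate:
 env:
 - name: BUILDER_IMAGE
-value: "quay.io/redhat-user-workloads/konflux-build-pipeli-tenant/paketo-container:ea8ddb8818bb4a55546927e7674b0362dabd6342"
+value: "quay.io/redhat-user-workloads/konflux-build-pipeli-tenant/paketo-container:2a51208449696d85b2f80444bee7bf7caa104f48 "
 - name: CONTEXT
 value: $(params.CONTEXT)
 - name: HERMETIC
@@ -129,7 +129,7 @@ spec:
 - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
 - args:
 - "$(params.BUILD_ARGS[*])"
-image: "quay.io/konflux-ci/buildah-task:latest"
+image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
 name: "run-script"
 script: |-
 #!/usr/bin/env bash
@@ -216,9 +216,27 @@ spec:
 unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w source -- \
 pack builder create ${IMAGE} --config builder.toml ${PACK_ARGS}
 
-BASE_IMAGE=$(tomljson source/builder.toml | jq '.stack."build-image"')
+BASE_IMAGE=$(tomljson source/builder.toml | jq -r '.stack."build-image"')
 podman inspect ${BASE_IMAGE} | jq -r '.[].Digest' > /shared/BASE_IMAGES_DIGESTS
-echo "$BASE_IMAGE" >/shared/base_images_from_dockerfile
+
+echo "Create locally a Dockerfile using the build image defined part of the builder.toml file to include the BASE IMAGE"
+dockerfile_path=$(mktemp --suffix=-Dockerfile)
+cat <<EOF > $dockerfile_path
+FROM $BASE_IMAGE
+EOF
+
+dockerfile-json "$dockerfile_path" >/shared/parsed_dockerfile.json
+
+BASE_IMAGES=$(
+jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)' /shared/parsed_dockerfile.json
+)
+
+if [ "${HERMETIC}" == "true" ]; then
+for image in $BASE_IMAGES; do
+echo "Pull the base image: $image using unshare"
+unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
+done
+fi
 
 REMOTESSHEOF
 chmod +x scripts/script-build.sh
@@ -239,7 +257,6 @@ spec:
 REMOTESSHEOF
 chmod +x scripts/script-post-build.sh
 
-
 echo "Step 3 :: Execute the bash script on the VM"
 
 rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
@@ -335,7 +352,6 @@ spec:
 export IMAGE
 fi
 
-
 echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
 python3 /scripts/merge_syft_sboms.py
 
@@ -345,13 +361,10 @@ spec:
 mv sbom-temp.json sbom-cyclonedx.json
 fi
 
-echo "Creating sbom-purl.json"
-python3 /scripts/create_purl_sbom.py
-
 echo "Adding base images data to sbom-cyclonedx.json"
 python3 /scripts/base_images_sbom_script.py \
 --sbom=sbom-cyclonedx.json \
---base-images-from-dockerfile=/shared/base_images_from_dockerfile \
+--parsed-dockerfile=/shared/parsed_dockerfile.json \
 --base-images-digests=/shared/BASE_IMAGES_DIGESTS
 securityContext:
 runAsUser: 0
@@ -383,16 +396,13 @@ spec:
 update-ca-trust
 fi
 
-
 echo "Pull the image from the OCI storage."
-
 buildah --storage-driver "$STORAGE_DRIVER" pull "$IMAGE"
 
-
 echo "Copy within the container of the image the sbom files"
 
 container=$(buildah --storage-driver "$STORAGE_DRIVER" from --pull-never "$IMAGE")
-buildah --storage-driver "$STORAGE_DRIVER" copy "$container" sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
+buildah --storage-driver "$STORAGE_DRIVER" copy "$container" sbom-cyclonedx.json /root/buildinfo/content_manifests/
 
 BUILDAH_ARGS=()
 if [ "${SQUASH}" == "true" ]; then
@@ -401,7 +411,6 @@ spec:
 
 buildah --storage-driver "$STORAGE_DRIVER" commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE"
 
-
 echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
 
 retries=5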
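Review bot: The new BUILDER_IMAGE value in the first hunk (line 102) has a trailing space inside the quotes, `...2a51208449696d85b2f80444bee7bf7caa104f48 "`, so the env var no longer holds a valid image reference; it should read `value: "quay.io/redhat-user-workloads/konflux-build-pipeli-tenant/paketo-container:2a51208449696d85b2f80444bee7bf7caa104f48"`, and since the buildah-task image in the next hunk is now pinned by sha256 digest, pinning this one by digest as well would keep the task's supply-chain posture consistent. In the @@ -216 hunk, `BASE_IMAGE` is now the raw `jq -r` output and is interpolated into the heredoc and into `podman inspect ${BASE_IMAGE}` unchecked, so a builder.toml without `stack.build-image` yields the literal `null` and a `FROM null` Dockerfile; a guard such as `[ -n "$BASE_IMAGE" ] && [ "$BASE_IMAGE" != "null" ] || exit 1` before the heredoc fails early with a clear cause. The file created by `mktemp --suffix=-Dockerfile` is never removed and `$dockerfile_path` is unquoted in the redirection; `cat <<EOF > "$dockerfile_path"` plus an `rm -f -- "$dockerfile_path"` after `dockerfile-json` would tidy that. The `for image in $BASE_IMAGES` loop relies on word-splitting, which is fine for the newline-separated jq output but worth a one-line comment since the script sets no IFS. The enclosing script-build.sh heredoc starts before and ends after this hunk.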
