
Commit b60fc63

committed
build-maven-zip: support SPDX
Detect the format of the SBOM coming from the prefetch task. Use the right '--type' argument for 'cosign attach' based on the format. Signed-off-by: Adam Cmiel <[email protected]>
1 parent 7b2e31b commit b60fc63


2 files changed

+16
-4
lines changed


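--- a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
+++ b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
@@ -160,7 +160,7 @@ spec:
 
 # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
 if [ -f "/var/workdir/cachi2/output/bom.json" ]; then
-cp -vf "/var/workdir/cachi2/output/bom.json" ./sbom-cyclonedx.json
+cp -vf "/var/workdir/cachi2/output/bom.json" ./sbom.json
 else
 echo "The SBOM file for fetched artifacts is not found!"
 exit 1
@@ -193,7 +193,13 @@ spec:
 update-ca-trust
 fi
 
-cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE"
+if jq -e '.bomFormat == "CycloneDX"' <sbom.json >/dev/null; then
+sbom_type=cyclonedx
+else
+sbom_type=spdx
+fi
+
+cosign attach sbom --sbom sbom.json --type "$sbom_type" "$IMAGE"
 
 # Remove tag from IMAGE while allowing registry to contain a port number.
 sbom_repo="${IMAGE%:*}"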
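Review bot: The `else` branch of the new format check labels anything that is not CycloneDX as `spdx`, so a malformed bom.json (where `jq -e` exits non-zero on the parse error) or an SBOM in some third format is attached to the image with `--type spdx` without ever being validated; the same pattern is in task/build-maven-zip/0.1/build-maven-zip.yaml. Because the attached SBOM is a supply-chain artifact that downstream tooling parses by its declared type, the detection should test for SPDX explicitly via the top-level `spdxVersion` field and fail the task otherwise, matching the `exit 1` the earlier hunk already uses when bom.json is missing. The two files also differ cosmetically (`<sbom.json` here versus `< sbom.json` in the other task); either is fine but they should match. The `script:` block this runs in starts and ends outside the hunk.
```shell
if jq -e '.bomFormat == "CycloneDX"' <sbom.json >/dev/null; then
  sbom_type=cyclonedx
elif jq -e '.spdxVersion' <sbom.json >/dev/null; then
  sbom_type=spdx
else
  echo "Unrecognized SBOM format in sbom.json (expected CycloneDX or SPDX)" >&2
  exit 1
fi
# … unchanged: cosign attach sbom … "$IMAGE" …
```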

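--- a/task/build-maven-zip/0.1/build-maven-zip.yaml
+++ b/task/build-maven-zip/0.1/build-maven-zip.yaml
@@ -133,7 +133,7 @@ spec:
 
 # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
 if [ -f "$(workspaces.source.path)/cachi2/output/bom.json" ]; then
-cp -vf "$(workspaces.source.path)/cachi2/output/bom.json" ./sbom-cyclonedx.json
+cp -vf "$(workspaces.source.path)/cachi2/output/bom.json" ./sbom.json
 else
 echo "The SBOM file for fetched artifacts is not found!"
 exit 1
@@ -159,7 +159,13 @@ spec:
 update-ca-trust
 fi
 
-cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE"
+if jq -e '.bomFormat == "CycloneDX"' < sbom.json >/dev/null; then
+sbom_type=cyclonedx
+else
+sbom_type=spdx
+fi
+
+cosign attach sbom --sbom sbom.json --type "$sbom_type" "$IMAGE"
 
 # Remove tag from IMAGE while allowing registry to contain a port number.
 sbom_repo="${IMAGE%:*}"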
