oci-copy: rework SBOM generation, support SPDX (#1816)

chmeliik · web-flow · commit c516e122687b · 2025-01-28T11:33:29.000+02:00
* oci-copy: rework SBOM generation Use scripts from https://github.com/konflux-ci/build-tasks-dockerfiles instead of the previous bash script. Signed-off-by: Adam Cmiel <acmiel@redhat.com> * oci-copy: support SPDX Add SBOM_TYPE param to allow choosing the SBOM format to generate. Defaults to cyclonedx for now. Signed-off-by: Adam Cmiel <acmiel@redhat.com> --------- Signed-off-by: Adam Cmiel <acmiel@redhat.com>
diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md
@@ -9,6 +9,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in
 |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
 |IMAGE|Reference of the image we will push||true|
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
+|SBOM_TYPE|Select the SBOM format to generate. Valid values: spdx, cyclonedx.|cyclonedx|false|
 |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
 
 ## Results
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
@@ -37,6 +37,11 @@ spec:
       description: Path to the oci copy file.
       type: string
       default: ./oci-copy.yaml
+    - name: SBOM_TYPE
+      description: 'Select the SBOM format to generate. Valid values: spdx,
+        cyclonedx.'
+      type: string
+      default: cyclonedx
     - name: SOURCE_ARTIFACT
       description: The Trusted Artifact URI pointing to the artifact with
         the application source code.
@@ -61,6 +66,8 @@ spec:
         value: $(params.IMAGE)
       - name: OCI_COPY_FILE
         value: $(params.OCI_COPY_FILE)
+      - name: SBOM_TYPE
+        value: $(params.SBOM_TYPE)
     volumeMounts:
       - mountPath: /var/workdir
         name: workdir
@@ -294,50 +301,39 @@ spec:
           add:
             - SETFCAP
     - name: sbom-generate
-      image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
+      image: quay.io/konflux-ci/sbom-utility-scripts@sha256:1939901046f2ec0afda6d48f32dc82f991d9a4e2b4b4513635b9c79e3d4c2872
       workingDir: /var/workdir
       script: |
         #!/bin/bash
-        cat >sbom-cyclonedx.json <<EOL
-        {
-            "\$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
-            "bomFormat": "CycloneDX",
-            "specVersion": "1.5",
-            "version": 1,
-            "components": []
-            "metadata": {
-              "component": {
-                "type": "file",
-                "name": "${IMAGE%:*}@$(cat "$(results.IMAGE_DIGEST.path)")"
-              }
-            }
-        }
-        EOL
+        set -euo pipefail
 
-        for varfile in "/var/workdir"/vars/*; do
-          echo "Reading $varfile"
-          # shellcheck source=/dev/null
-          source $varfile
+        IMAGE_URL=$(cat "$(results.IMAGE_URL.path)")
+        IMAGE_DIGEST=$(cat "$(results.IMAGE_DIGEST.path)")
+        oci_copy_file_path="$(pwd)/source/$OCI_COPY_FILE"
 
-          ENCODED_URL=$(echo "${OCI_SOURCE}" | python3 -c 'import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=":/"))')
-          ENCODED_FILENAME=$(echo "${OCI_FILENAME}" | python3 -c 'import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=":/"))')
-          purl="pkg:generic/${ENCODED_FILENAME}?download_url=${ENCODED_URL}&checksum=sha256:${OCI_ARTIFACT_DIGEST}"
+        python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" \
+          --sbom-type "$SBOM_TYPE" \
+          -o sbom.json
 
-          echo "Recording purl $purl"
-          yq -oj -i '.components += [ {"purl": "'$purl'", "type": "file", "name": "'$OCI_FILENAME'", "hashes": [{"alg": "SHA-256", "content": "'$OCI_ARTIFACT_DIGEST'"}], "externalReferences": [{"type": "distribution", "url": "'$OCI_SOURCE'"}]} ]' sbom-cyclonedx.json
-        done
+        python3 /scripts/add_image_reference.py \
+          --image-url "$IMAGE_URL" \
+          --image-digest "$IMAGE_DIGEST" \
+          --input-file sbom.json \
+          --output-file /tmp/sbom.tmp.json
+
+        mv /tmp/sbom.tmp.json sbom.json
     - name: upload-sbom
       image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       workingDir: /var/workdir
       script: |
-        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+        cosign attach sbom --sbom sbom.json --type "$SBOM_TYPE" "$(cat "$(results.IMAGE_REF.path)")"
     - name: report-sbom-url
       image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
       workingDir: /var/workdir
       script: |
         #!/bin/bash
         REPO=${IMAGE%:*}
         echo "Found that ${REPO} is the repository for ${IMAGE}"
-        SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }')
+        SBOM_DIGEST=$(sha256sum sbom.json | awk '{ print $1 }')
         echo "Found that ${SBOM_DIGEST} is the SBOM digest"
         echo -n "${REPO}@sha256:${SBOM_DIGEST}" | tee $(results.SBOM_BLOB_URL.path)
diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md
@@ -15,6 +15,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
 |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false|
 |AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`. In the future, this will be reimplemented to use v4 auth: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.|does-not-exist|false|
+|SBOM_TYPE|Select the SBOM format to generate. Valid values: spdx, cyclonedx.|cyclonedx|false|
 
 ## Results
 |name|description|
diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml
@@ -34,6 +34,11 @@ spec:
         https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.
       type: string
       default: "does-not-exist"
+    - name: SBOM_TYPE
+      description: "Select the SBOM format to generate. Valid values: spdx, cyclonedx."
+      type: string
+      default: cyclonedx
+
   results:
     - description: Digest of the artifact just pushed
       name: IMAGE_DIGEST
@@ -49,6 +54,8 @@ spec:
         value: $(params.OCI_COPY_FILE)
       - name: IMAGE
         value: $(params.IMAGE)
+      - name: SBOM_TYPE
+        value: $(params.SBOM_TYPE)
   steps:
     - name: prepare
       image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
@@ -274,50 +281,39 @@ spec:
           name: varlibcontainers
       workingDir: $(workspaces.source.path)
     - name: sbom-generate
-      image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
+      image: quay.io/konflux-ci/sbom-utility-scripts@sha256:1939901046f2ec0afda6d48f32dc82f991d9a4e2b4b4513635b9c79e3d4c2872
       script: |
         #!/bin/bash
-        cat >sbom-cyclonedx.json <<EOL
-        {
-            "\$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
-            "bomFormat": "CycloneDX",
-            "specVersion": "1.5",
-            "version": 1,
-            "components": []
-            "metadata": {
-              "component": {
-                "type": "file",
-                "name": "${IMAGE%:*}@$(cat "$(results.IMAGE_DIGEST.path)")"
-              }
-            }
-        }
-        EOL
+        set -euo pipefail
 
-        for varfile in "$(workspaces.source.path)"/vars/*; do
-          echo "Reading $varfile"
-          # shellcheck source=/dev/null
-          source $varfile
+        IMAGE_URL=$(cat "$(results.IMAGE_URL.path)")
+        IMAGE_DIGEST=$(cat "$(results.IMAGE_DIGEST.path)")
+        oci_copy_file_path="$(pwd)/source/$OCI_COPY_FILE"
 
-          ENCODED_URL=$(echo "${OCI_SOURCE}" | python3 -c 'import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=":/"))')
-          ENCODED_FILENAME=$(echo "${OCI_FILENAME}" | python3 -c 'import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=":/"))')
-          purl="pkg:generic/${ENCODED_FILENAME}?download_url=${ENCODED_URL}&checksum=sha256:${OCI_ARTIFACT_DIGEST}"
+        python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" \
+          --sbom-type "$SBOM_TYPE" \
+          -o sbom.json
 
-          echo "Recording purl $purl"
-          yq -oj -i '.components += [ {"purl": "'$purl'", "type": "file", "name": "'$OCI_FILENAME'", "hashes": [{"alg": "SHA-256", "content": "'$OCI_ARTIFACT_DIGEST'"}], "externalReferences": [{"type": "distribution", "url": "'$OCI_SOURCE'"}]} ]' sbom-cyclonedx.json
-        done
+        python3 /scripts/add_image_reference.py \
+          --image-url "$IMAGE_URL" \
+          --image-digest "$IMAGE_DIGEST" \
+          --input-file sbom.json \
+          --output-file /tmp/sbom.tmp.json
+
+        mv /tmp/sbom.tmp.json sbom.json
       workingDir: $(workspaces.source.path)
     - name: upload-sbom
       image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       workingDir: $(workspaces.source.path)
       script: |
-        cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+        cosign attach sbom --sbom sbom.json --type "$SBOM_TYPE" "$(cat "$(results.IMAGE_REF.path)")"
     - name: report-sbom-url
       image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
       script: |
         #!/bin/bash
         REPO=${IMAGE%:*}
         echo "Found that ${REPO} is the repository for ${IMAGE}"
-        SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }')
+        SBOM_DIGEST=$(sha256sum sbom.json | awk '{ print $1 }')
         echo "Found that ${SBOM_DIGEST} is the SBOM digest"
         echo -n "${REPO}@sha256:${SBOM_DIGEST}" | tee $(results.SBOM_BLOB_URL.path)
       workingDir: $(workspaces.source.path)
