Expose SBOM results from oci-copy task

This is important, because it is how the enterprise contract tooling recognizes that this is an SBOM to be trusted. It won't trust just any SBOM tagged in the registry. It has to be able to find a reference to the SBOM by digest in the provenance record. https://github.com/enterprise-contract/ec-policies/blob/718386d2239dae85a866f6bcd0adbba036cd1b1d/policy/lib/sbom.rego#L26-L34
konflux-ci · Jul 6, 2024 · 3a3f14e · 3a3f14e
1 parent c316db0
commit 3a3f14e
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml
@@ -30,6 +30,8 @@ spec:
       name: IMAGE_DIGEST
     - description: Repository where the artifact was pushed
       name: IMAGE_URL
+    - description: Link to the SBOM blob pushed to the registry.
+      name: SBOM_BLOB_URL
   stepTemplate:
     env:
       - name: OCI_COPY_FILE
@@ -170,7 +172,15 @@ spec:
         - cyclonedx
         - $(params.IMAGE)
       workingDir: $(workspaces.source.path)
-
+    - name: report-sbom-url
+      image: quay.io/konflux-ci/yq:latest@sha256:974dea6375ee9df561ffd3baf994db2b61777a71f3bcf0050c5dca91ac9b3430
+      script: |
+        REPO=$(echo ${IMAGE} | awk -F ':' '{print $1}')
+        echo "Found that ${REPO} is the repository for ${IMAGE}"
+        SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }')
+        echo "Found that ${SBOM_DIGEST} is the SBOM digest"
+        echo -n "${REPO}@sha256:${SBOM_DIGEST}" | tee $(results.SBOM_BLOB_URL.path)
+      workingDir: $(workspaces.source.path)
   volumes:
     - emptyDir: {}
       name: varlibcontainers