diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml index 9a8c1433df..362e7c7b5b 100644 --- a/pipelines/docker-build-rhtap/patch.yaml +++ b/pipelines/docker-build-rhtap/patch.yaml @@ -150,3 +150,8 @@ taskRef: kind: Task name: update-deployment +- op: replace + path: /spec/finally/0/taskRef + value: + name: show-sbom-rhdh + version: "0.1" diff --git a/task/show-sbom-rhdh/0.1/README.md b/task/show-sbom-rhdh/0.1/README.md new file mode 100644 index 0000000000..c986977133 --- /dev/null +++ b/task/show-sbom-rhdh/0.1/README.md @@ -0,0 +1,10 @@ +# show-sbom-rhdh task + +Shows the Software Bill of Materials (SBOM) generated for the built image in CyloneDX JSON format. +The 'task.*' annotations are processed by Red Hat Developer Hub (RHDH) so that the log content can be rendered in its UI. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE_URL|Fully qualified image name to show SBOM for.||true| + diff --git a/task/show-sbom-rhdh/0.1/show-sbom-rhdh.yaml b/task/show-sbom-rhdh/0.1/show-sbom-rhdh.yaml new file mode 100644 index 0000000000..5b8c76846d --- /dev/null +++ b/task/show-sbom-rhdh/0.1/show-sbom-rhdh.yaml @@ -0,0 +1,63 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: show-sbom-rhdh + labels: + app.kubernetes.io/version: "0.1" + build.appstudio.redhat.com/build_type: "docker" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "containers, rhtap" + task.results.format: application/text + task.results.key: LINK_TO_SBOM + task.output.location: results +spec: + description: >- + Shows the Software Bill of Materials (SBOM) generated for the built image in CyloneDX JSON format. + The 'task.*' annotations are processed by Red Hat Developer Hub (RHDH) so that the log content can be rendered in its UI. + params: + - name: IMAGE_URL + description: Fully qualified image name to show SBOM for. + type: string + results: + - description: Placeholder result meant to make RHDH identify this task as the producer of the SBOM logs. + name: LINK_TO_SBOM + steps: + - name: annotate-task + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:73df37794ffff7de1101016c23dc623e4990810390ebdabcbbfa065214352c7c + script: | + #!/usr/bin/env bash + + # When this task is used in a pipelineRun triggered by Pipelines as Code, the annotations will be cleared, + # so we're re-adding them here + oc annotate taskrun $(context.taskRun.name) task.results.format=application/text + oc annotate taskrun $(context.taskRun.name) task.results.key=LINK_TO_SBOM + oc annotate taskrun $(context.taskRun.name) task.output.location=results + - name: show-sbom + image: registry.redhat.io/rhtas-tech-preview/cosign-rhel9@sha256:151f4a1e721b644bafe47bf5bfb8844ff27b95ca098cc37f3f6cbedcda79a897 + env: + - name: IMAGE_URL + value: $(params.IMAGE_URL) + script: | + #!/busybox/sh + status=-1 + max_try=5 + wait_sec=2 + for run in $(seq 1 $max_try); do + status=0 + cosign download sbom $IMAGE_URL 2>>err + status=$? + if [ "$status" -eq 0 ]; then + break + fi + sleep $wait_sec + done + if [ "$status" -ne 0 ]; then + echo "Failed to get SBOM after ${max_try} tries" >&2 + cat err >&2 + fi + + # This result will be ignored by RHDH, but having it set is actually necessary for the task to be properly + # identified. For now, we're adding the image URL to the result so it won't be empty. + echo -n "$IMAGE_URL" > $(results.LINK_TO_SBOM.path) diff --git a/task/show-sbom-rhdh/OWNERS b/task/show-sbom-rhdh/OWNERS new file mode 100644 index 0000000000..aa72b50760 --- /dev/null +++ b/task/show-sbom-rhdh/OWNERS @@ -0,0 +1 @@ +Stonesoup Build Team