From 9d72f4ebfdca9603b0881e8a6e0024d5f564019e Mon Sep 17 00:00:00 2001
From: mkosiarc
Date: Wed, 6 Mar 2024 09:28:39 +0100
Subject: [PATCH] Add a buildah task step that generates base images sbom

This steps uses a python script for creating the sbom https://github.com/redhat-appstudio/build-tasks-dockerfiles/tree/main/base-images-sbom-script It expects 3 arguments: 1. path to the sbom file that will be updated in place with base images data 2. path to a file containing base images as taken from from the dockerfile (with preserved order) STONEBLD-2042 3. path to a file containing base images with digests, generated from the output of buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}'. The dockerfile order must be preserved as well for more information, please read the README the script README
---
 task/buildah/0.1/buildah.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
index a489c286dd..bc3b5c9e07 100644
--- a/task/buildah/0.1/buildah.yaml
+++ b/task/buildah/0.1/buildah.yaml
@@ -245,6 +245,9 @@ spec:
 fi
 done
 
+ # Needed to generate base images SBOM
+ echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile
+
 securityContext:
 capabilities:
 add:
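Review bot: The new `echo` line writes to a hard-coded `/workspace/base_images_from_dockerfile` that only works because Tekton mounts `/workspace` as an emptyDir shared by every step of the task, and nothing in the hunk says who reads it; the added comment should name the consumer, e.g. `# Written to the task-wide /workspace emptyDir; read by the create-base-images-sbom step`. Prefer `printf '%s\n' "$BASE_IMAGES" > /workspace/base_images_from_dockerfile`, since `echo` may reinterpret a value that begins with a dash or contains backslashes depending on the shell. The enclosing `script:` block starts outside the hunk, so I cannot see where BASE_IMAGES is populated or whether it can be empty; if it can, the downstream script's behaviour on a file holding only a newline should be confirmed.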
@@ -350,6 +353,17 @@ spec:
 securityContext:
 runAsUser: 0
 
+ - name: create-base-images-sbom
+ image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:68b2bfe67ed6b09d6062d00ac6c3441921733861
+ # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
+ # the cluster will set imagePullPolicy to IfNotPresent
+ # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.
+ script: |
+ python3 /app/base_image_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$(results.BASE_IMAGES_DIGESTS.path)
+ workingDir: $(workspaces.source.path)
+ securityContext:
+ runAsUser: 0
+
 - name: inject-sbom-and-push
 image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
 computeResources: {}
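Review bot: The digest on the new `image:` line, `sha256:68b2bfe67ed6b09d6062d00ac6c3441921733861`, is only 40 hex characters, whereas a sha256 digest is 64; unless this is a rendering truncation, the reference is malformed and the image pull for the create-base-images-sbom step will be rejected, so the full 64-character digest should be pasted (the buildah step's digest on the following context line shows the expected length). The step also runs as root via `runAsUser: 0` although its only job is to edit a JSON file in the source workspace; if root is required only because earlier steps wrote the workspace as root, say so in a comment, e.g. `# root: files in the workspace are owned by root after the buildah step`, otherwise drop the securityContext. The comment above `script:` has a typo, `periodially` for `periodically`.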