From 9e203a32ce7b2371c1afc271f7f0a1d32b77bda5 Mon Sep 17 00:00:00 2001
From: mkosiarc
Date: Wed, 6 Mar 2024 09:28:39 +0100
Subject: [PATCH] Add a buildah task step that generates base images sbom

This steps uses a python script for creating the sbom https://github.com/redhat-appstudio/build-tasks-dockerfiles/tree/main/base-images-sbom-script It expects 3 arguments: 1. path to the sbom file that will be updated in place with base images data 2. path to a file containing base images as taken from from the dockerfile (with preserved order) 3. path to a file containing base images with digests, generated from the output of buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}'. The dockerfile order must be preserved as well For more information, please read the script README STONEBLD-2042
---
 task/buildah-remote/0.1/buildah-remote.yaml | 11 +++++++++++
 task/buildah/0.1/buildah.yaml | 14 ++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
index 6819b25c1e..2688542383 100644
--- a/task/buildah-remote/0.1/buildah-remote.yaml
+++ b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -294,6 +294,9 @@ spec: fi done + # Needed to generate base images SBOM + echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile + buildah push "$IMAGE" oci:rhtap-final-image REMOTESSHEOF chmod +x scripts/script-build.sh 
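Review bot: The new `echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile` sits inside the script that is shipped to the remote build host (the `REMOTESSHEOF` terminator follows it in the context), so the file is created on that host, while the `create-base-images-sbom` step added later in this commit reads `/workspace/base_images_from_dockerfile` in the task pod; unless the remote `/workspace` root is copied back after the build, which this hunk does not show, the step will find no file. It would be safer to write the file under the workspace directory that is already synced back, or to hand the list over as a task result, and to say in the comment which side of the SSH boundary the path lives on. The enclosing here-document starts outside the hunk, so whether `$BASE_IMAGES` expands in the pod or on the remote host cannot be confirmed from here; the comment should state which is intended.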
@@ -434,6 +437,14 @@ spec:
 securityContext:
 runAsUser: 0
 workingDir: $(workspaces.source.path)
+ - computeResources: {}
+ image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:68b2bfe67ed6b09d6062d00ac6c3441921733861
+ name: create-base-images-sbom
+ script: |
+ python3 /app/base_image_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$(results.BASE_IMAGES_DIGESTS.path)
+ securityContext:
+ runAsUser: 0
+ workingDir: $(workspaces.source.path)
 - computeResources: {}
 image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
 name: inject-sbom-and-push
diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
index a489c286dd..03e7aed7d8 100644
--- a/task/buildah/0.1/buildah.yaml
+++ b/task/buildah/0.1/buildah.yaml
@@ -245,6 +245,9 @@ spec: fi done + # Needed to generate base images SBOM + # echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile + securityContext: capabilities: add: 
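Review bot: The `image:` reference of the new `create-base-images-sbom` step, `quay.io/redhat-appstudio/base-images-sbom-script@sha256:68b2bfe67ed6b09d6062d00ac6c3441921733861`, has 40 hex characters after `sha256:`, but a sha256 image digest is 64 (compare the buildah reference in the context lines just below); this looks like a git commit SHA pasted in place of the image digest, and the reference will be rejected as malformed at pull time, before the script ever runs. The same value is used in the commented-out step in `task/buildah/0.1/buildah.yaml` (hunk `@@ -350`), so both need the real digest. The step also runs as `runAsUser: 0` although it only rewrites `sbom-cyclonedx.json` inside the workspace; if root is required because earlier root steps own those files, a one-line comment saying so would keep a later least-privilege cleanup from breaking it. Pinning by digest alone, without the `:tag@sha256:…` form the buildah image uses, also makes the pin harder to audit by eye; adding the tag is cheap.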
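Review bot: The `# Needed to generate base images SBOM` comment is added as live text while the `echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile` line it describes is commented out, and the same holds for the whole `create-base-images-sbom` step in the `@@ -350` hunk of this file; nothing says why `buildah.yaml` stays disabled while `buildah-remote.yaml` enables the feature in the same commit. A reader cannot tell whether this is pending work or an abandoned attempt, and commented-out YAML steps drift silently from the live ones. Either leave the lines out of `buildah.yaml` until they are enabled, or keep a single comment naming the blocker, e.g. `# TODO(STONEBLD-2042): base-images SBOM generation disabled pending <reason>`. The enclosing `script: |` block starts outside the hunk.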
@@ -350,6 +353,17 @@ spec: securityContext: runAsUser: 0 + # - name: create-base-images-sbom + # image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:68b2bfe67ed6b09d6062d00ac6c3441921733861 + # # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # # the cluster will set imagePullPolicy to IfNotPresent + # # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + # script: | + # python3 /app/base_image_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$(results.BASE_IMAGES_DIGESTS.path) + # workingDir: $(workspaces.source.path) + # securityContext: + # runAsUser: 0 + - name: inject-sbom-and-push image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb computeResources: {}