feat: introduce content manifest with content sets

For backwards compatibility with image scanners that still expect https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json
konflux-ci · Dec 19, 2024 · a5c7377 · a5c7377
1 parent a72f293
commit a5c7377
Showing 1 changed file with 34 additions and 4 deletions.
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
@@ -450,16 +450,46 @@ spec:
       unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
 
       container=$(buildah from --pull-never "$IMAGE")
-      buildah mount $container | tee /shared/container_path
-      # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
-      find $(cat /shared/container_path) -xtype l -delete
-      echo $container > /shared/container_name
 
       # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
       if [ -f "/tmp/cachi2/output/bom.json" ]; then
         cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
+
+        # Inject a content sets file for backwards compatibility
+        # This is only possible for images built hermetically with prefetch
+        base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
+        base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
+        read -r -d '' CONTENT_SETS_JSON <<EOL
+        {
+            "metadata": {
+                "icm_version": 1,
+                "icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
+                "image_layer_index": 0
+            },
+            "content_sets": []
+        }
+        EOL
+        for content_set in $(jq -r '.components[].purl' | grep -o -P '(?<=repository_id=).*(?=(&|$))' sbom-cachi2.json | sort -u); do
+          CONTENT_SETS_JSON=$(jq --arg content_set "$content_set" '.content_sets += [$content_set]' <<< "$CONTENT_SETS_JSON")
+        done
+        echo $CONTENT_SETS_JSON > content-sets.json
+        buildah copy $container content-sets.json /root/buildinfo/content_manifests/
+        buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container
+
+        BUILDAH_ARGS=()
+        if [ "${SQUASH}" == "true" ]; then
+          BUILDAH_ARGS+=("--squash")
+        fi
+
+        buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE
+        # End content sets backwards compatibility
       fi
 
+      buildah mount $container | tee /shared/container_path
+      # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
+      find $(cat /shared/container_path) -xtype l -delete
+      echo $container > /shared/container_name
+
       touch /shared/base_images_digests
       for image in $BASE_IMAGES; do
         base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")