Merge pull request #862 from mkosiarc/parent-sboms

Add a buildah task step that generates base images sbom
konflux-ci · Apr 4, 2024 · c000d54 · c000d54
2 parents 998d3c1 + a4cd75e
commit c000d54
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -294,6 +294,9 @@ spec:
         fi
       done
 
+      # Needed to generate base images SBOM
+      echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile
+
       buildah push "$IMAGE" oci:rhtap-final-image
       REMOTESSHEOF
       chmod +x scripts/script-build.sh
@@ -434,6 +437,17 @@ spec:
     securityContext:
       runAsUser: 0
     workingDir: $(workspaces.source.path)
+  - computeResources: {}
+    env:
+    - name: BASE_IMAGES_DIGESTS_PATH
+      value: $(results.BASE_IMAGES_DIGESTS.path)
+    image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840
+    name: create-base-images-sbom
+    script: |
+      python3 /app/base_images_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$BASE_IMAGES_DIGESTS_PATH
+    securityContext:
+      runAsUser: 0
+    workingDir: $(workspaces.source.path)
   - computeResources: {}
     image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
     name: inject-sbom-and-push

diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
@@ -245,6 +245,9 @@ spec:
         fi
       done
 
+      # Needed to generate base images SBOM
+      echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile
+
     securityContext:
       capabilities:
         add:
@@ -350,6 +353,17 @@ spec:
     securityContext:
       runAsUser: 0
 
+  - name: create-base-images-sbom
+    image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840
+    env:
+    - name: BASE_IMAGES_DIGESTS_PATH
+      value: $(results.BASE_IMAGES_DIGESTS.path)
+    script: |
+      python3 /app/base_images_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$BASE_IMAGES_DIGESTS_PATH
+    workingDir: $(workspaces.source.path)
+    securityContext:
+      runAsUser: 0
+
   - name: inject-sbom-and-push
     image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
     computeResources: {}