feat: introduce content manifest with content sets
ralphbean committed Dec 19, 2024
1 parent a72f293 commit cff492d
Showing 2 changed files with 79 additions and 8 deletions.
43 changes: 39 additions & 4 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
Expand Up @@ -518,16 +518,51 @@ spec:
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/tmp/cachi2/output/bom.json" ]; then
echo "Making copy of sbom-cachi2.json"
cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
# Inject a content sets file for backwards compatibility
# This is only possible for images built hermetically with prefetch
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE")
cat >content-sets.json <<EOF
{
"metadata": {
"icm_version": 1,
"icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
"image_layer_index": 0
},
"content_sets": []
}
EOF
while IFS='' read -r content_set; do
jq --arg content_set "$content_set" '.content_sets += [$content_set]' content-sets.json >content-sets.json.tmp
mv content-sets.json.tmp content-sets.json
done <<<"$(jq -r '.components[].purl' | grep -o -P '(?<=repository_id=).*(?=(&|$))' sbom-cachi2.json | sort -u)"
echo "Writing to /root/buildinfo/content_manifests/content-sets.json"
buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/
buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container"
BUILDAH_ARGS=()
if [ "${SQUASH}" == "true" ]; then
BUILDAH_ARGS+=("--squash")
fi
buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE"
# End content sets backwards compatibility
fi
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container >/shared/container_name
touch /shared/base_images_digests
for image in $BASE_IMAGES; do
base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
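Review bot: The `jq -r '.components[].purl'` on the `done <<<` line has no file operand, so it reads the task's stdin while `grep` scans the raw `sbom-cachi2.json` text and jq's output is discarded; the pipeline only appears to work because the purl strings happen to be embedded in the JSON. The greedy `.*` in `(?<=repository_id=).*(?=(&|$))` also always satisfies the `$` alternative, so the capture runs to the end of the JSON line (closing quote and comma included) instead of stopping at the next `&`. Suggested: `done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=)[^&]*' | sort -u)"`. The here-string also yields one empty line when nothing matches, so `read` succeeds once and `.content_sets` becomes `[""]`; guard the loop body with `[[ -n "$content_set" ]] || continue`. The same three points apply to the identical block in task/buildah/0.2/buildah.yaml, and the enclosing step script starts and ends outside the hunk.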
44 changes: 40 additions & 4 deletions task/buildah/0.2/buildah.yaml
Expand Up @@ -450,16 +450,52 @@ spec:
unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container > /shared/container_name
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/tmp/cachi2/output/bom.json" ]; then
echo "Making copy of sbom-cachi2.json"
cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
# Inject a content sets file for backwards compatibility
# This is only possible for images built hermetically with prefetch
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE")
cat >content-sets.json <<EOF
{
"metadata": {
"icm_version": 1,
"icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
"image_layer_index": 0
},
"content_sets": []
}
EOF
while IFS='' read -r content_set;
do
jq --arg content_set "$content_set" '.content_sets += [$content_set]' content-sets.json > content-sets.json.tmp
mv content-sets.json.tmp content-sets.json
done <<< "$(jq -r '.components[].purl' | grep -o -P '(?<=repository_id=).*(?=(&|$))' sbom-cachi2.json | sort -u)"
echo "Writing to /root/buildinfo/content_manifests/content-sets.json"
buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/
buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container"
BUILDAH_ARGS=()
if [ "${SQUASH}" == "true" ]; then
BUILDAH_ARGS+=("--squash")
fi
buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE"
# End content sets backwards compatibility
fi
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
echo $container > /shared/container_name
touch /shared/base_images_digests
for image in $BASE_IMAGES; do
base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
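Review bot: The `while IFS='' read -r content_set;` line puts `do` on a line of its own and the redirections are spaced `> content-sets.json.tmp` / `<<< "$(...)"`, whereas the copy of this block added to task/buildah-oci-ta/0.2/buildah-oci-ta.yaml in the same commit keeps `; do` on the `while` line and writes `>content-sets.json.tmp`. The two tasks presumably mirror each other, so matching the formatting here, `while IFS='' read -r content_set; do`, keeps the blocks byte-identical and makes future diffs between them cleaner. The enclosing step script starts and ends outside the hunk.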
