From d326fecc9c89cd23bfe695f06d09a1364581c3d1 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 10 May 2024 11:50:34 -0400 Subject: [PATCH] Use the referrers API for attaching results This makes them findable with oras discover. Signed-off-by: Ralph Bean --- task/clamav-scan/0.1/clamav-scan.yaml | 16 +++++----------- task/sast-snyk-check/0.1/sast-snyk-check.yaml | 16 ++++------------ 2 files changed, 9 insertions(+), 23 deletions(-) diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml index bde0fd31f9..3558c8b7ce 100644 --- a/task/clamav-scan/0.1/clamav-scan.yaml +++ b/task/clamav-scan/0.1/clamav-scan.yaml @@ -15,8 +15,6 @@ spec: description: Tekton task test output. - name: IMAGES_PROCESSED description: Images processed in the task. - - name: RESULT_URI - description: OCI pullspec where the full clamav output can be found. params: - name: image-digest description: Image digest to scan. @@ -145,7 +143,7 @@ spec: - mountPath: /work name: work - name: upload - image: quay.io/konflux-ci/oras:latest@sha256:55cf304549225435958798c3be0377faf0a3ff89f3fbe03e45c3bb656ecaf02f + image: quay.io/konflux-ci/oras:latest@sha256:04cbd5efbcf1a38944b050e3adbc3071218643f6aa92e95d5d25b173574bca5e env: - name: IMAGE_URL value: $(params.image-url) @@ -155,12 +153,6 @@ spec: script: | #!/usr/bin/env bash - IFS=':' read -ra REPO <<< "$IMAGE_URL" - REPO="${REPO[0]}" - DIGEST=$(echo "${IMAGE_DIGEST}" | tr : -) - SUFFIX=clamav - RESULT_URI="${REPO}:${DIGEST}.${SUFFIX}" - cd logs for UPLOAD_FILE in $(find . -name "clamscan-result*.log"); do 
@@ -171,8 +163,10 @@ spec: MEDIA_TYPE=application/vnd.konflux.test_output+json args+=("${UPLOAD_FILE}:${MEDIA_TYPE}") done - retry oras push --no-tty --registry-config "$HOME/.docker/config.json" "${RESULT_URI}" "${args[@]}" - echo "${RESULT_URI}" > $(results.RESULT_URI.path) + + select-oci-auth $IMAGE_URL > auth.json + oras attach --no-tty --registry-config "auth.json" --distribution-spec v1.1-referrers-api "${IMAGE_URL}" "${args[@]}" + oras attach --no-tty --registry-config "auth.json" --distribution-spec v1.1-referrers-tag "${IMAGE_URL}" "${args[@]}" volumeMounts: - mountPath: /work name: work diff --git a/task/sast-snyk-check/0.1/sast-snyk-check.yaml b/task/sast-snyk-check/0.1/sast-snyk-check.yaml index 42a445d026..8a4eec7387 100644 --- a/task/sast-snyk-check/0.1/sast-snyk-check.yaml +++ b/task/sast-snyk-check/0.1/sast-snyk-check.yaml @@ -13,8 +13,6 @@ spec: results: - description: Tekton task test output. name: TEST_OUTPUT - - description: OCI pullspec where the full SARIF result can be found. - name: RESULT_URI params: - name: SNYK_SECRET description: Name of secret which contains Snyk token. @@ -97,7 +95,7 @@ spec: fi echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) - name: upload - image: quay.io/konflux-ci/oras:latest@sha256:55cf304549225435958798c3be0377faf0a3ff89f3fbe03e45c3bb656ecaf02f + image: quay.io/konflux-ci/oras:latest@sha256:04cbd5efbcf1a38944b050e3adbc3071218643f6aa92e95d5d25b173574bca5e workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) env: - name: IMAGE_URL 
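Review bot: Both `oras attach` calls in the clamav-scan upload step take `"${IMAGE_URL}"` as the subject, whereas the removed upload was keyed on `IMAGE_DIGEST`. If `image-url` carries a tag, the results are attached to whatever that tag resolves to at upload time, which is not guaranteed to be the digest that was scanned. Attaching to a digest-pinned reference keeps the referrer bound to the scanned image, e.g. `oras attach ... "${REPO}@${IMAGE_DIGEST}" "${args[@]}"`, where `REPO` is the repository part of `IMAGE_URL`. The `retry` wrapper was also dropped and no `set -e` is visible (the script starts outside this hunk), so a failed referrers-api attach may be masked by the exit status of the second call. The same applies to the `@@ -113,16 +111,10 @@` hunk in sast-snyk-check.yaml.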
@@ -113,16 +111,10 @@ spec: fi UPLOAD_FILE=sast_snyk_check_out.json - - SUFFIX=sarif MEDIA_TYPE=application/sarif+json - IFS=':' read -ra REPO <<< "$IMAGE_URL" - REPO="${REPO[0]}" - DIGEST=$(echo "${IMAGE_DIGEST}" | tr : -) - RESULT_URI="${REPO}:${DIGEST}.${SUFFIX}" - - retry oras push --no-tty --registry-config "$HOME/.docker/config.json" "${RESULT_URI}" "${UPLOAD_FILE}:${MEDIA_TYPE}" - echo "${RESULT_URI}" > $(results.RESULT_URI.path) + select-oci-auth $IMAGE_URL > auth.json + oras attach --no-tty --registry-config "auth.json" --distribution-spec v1.1-referrers-api "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + oras attach --no-tty --registry-config "auth.json" --distribution-spec v1.1-referrers-tag "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" workspaces: - name: workspace
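Review bot: `select-oci-auth $IMAGE_URL > auth.json` writes what is presumably a registry credential file into the step's working directory, which the preceding hunk shows is `$(workspaces.workspace.path)/hacbs/$(context.task.name)`. The file therefore stays on the workspace for anything else that mounts it. A temporary file outside the workspace, removed on exit, avoids that: `AUTH=$(mktemp); trap 'rm -f "$AUTH"' EXIT`, then `select-oci-auth "$IMAGE_URL" > "$AUTH"` and `--registry-config "$AUTH"`. This also quotes `$IMAGE_URL`, which is unquoted here although the rest of the script quotes it. The exit status of `select-oci-auth` is not checked before the attach calls, and the script body begins outside this hunk. The clamav-scan upload step uses the same pattern.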