rpm-ostree: merge Cachi2 SBOM with Syft SBOM

If the prefetch task has generated an SBOM, merge it with the one generated by Syft. Copy-paste the step from the buildah task, just modify the condition: check the existence of the SBOM file rather than checking the PREFETCH_INPUT param (the rpm-ostree task doesn't have it). Signed-off-by: Adam Cmiel <[email protected]>
konflux-ci · Apr 11, 2024 · d62f2a8 · d62f2a8
1 parent a9297c7
commit d62f2a8
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml
@@ -214,6 +214,20 @@ spec:
     volumeMounts:
       - mountPath: /var/lib/containers
         name: varlibcontainers
+  - name: merge-cachi2-sbom
+    image: quay.io/redhat-appstudio/cachi2:0.6.0@sha256:15d0513ed891b1d34fc46e56fdc9f6b457c90fbfd34f6a8c8fce6d3400ddc4a7
+    script: |
+      cachi2_sbom=./cachi2/output/bom.json
+      if [ -f "$cachi2_sbom" ]; then
+        echo "Merging contents of $cachi2_sbom into sbom-cyclonedx.json"
+        /src/utils/merge_syft_sbom.py "$cachi2_sbom" sbom-cyclonedx.json > sbom-temp.json
+        mv sbom-temp.json sbom-cyclonedx.json
+      else
+        echo "Skipping step since no Cachi2 SBOM was produced"
+      fi
+    workingDir: $(workspaces.source.path)
+    securityContext:
+      runAsUser: 0
   - image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
     # the cluster will set imagePullPolicy to IfNotPresent