Add a buildah task step that generates base images sbom

This steps uses a python script for creating the sbom https://github.com/redhat-appstudio/build-tasks-dockerfiles/tree/main/base-images-sbom-script It expects 3 arguments: 1. path to the sbom file that will be updated in place with base images data 2. path to a file containing base images as taken from from the dockerfile (with preserved order) 3. path to a file containing base images with digests, generated from the output of buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}'. The dockerfile order must be preserved as well For more information, please read the script README STONEBLD-2042
konflux-ci · Mar 15, 2024 · d97c156 · d97c156
1 parent 3e548a3
commit d97c156
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -294,6 +294,9 @@ spec:
         fi
       done
 
+      # Needed to generate base images SBOM
+      echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile
+
       buildah push "$IMAGE" oci:rhtap-final-image
       REMOTESSHEOF
       chmod +x scripts/script-build.sh
@@ -434,6 +437,14 @@ spec:
     securityContext:
       runAsUser: 0
     workingDir: $(workspaces.source.path)
+  - computeResources: {}
+    image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:68b2bfe67ed6b09d6062d00ac6c3441921733861
+    name: create-base-images-sbom
+    script: |
+      python3 /app/base_image_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$(results.BASE_IMAGES_DIGESTS.path)
+    securityContext:
+      runAsUser: 0
+    workingDir: $(workspaces.source.path)
   - computeResources: {}
     image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
     name: inject-sbom-and-push

diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
@@ -245,6 +245,9 @@ spec:
         fi
       done
 
+      # Needed to generate base images SBOM
+      echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile
+
     securityContext:
       capabilities:
         add:
@@ -350,6 +353,17 @@ spec:
     securityContext:
       runAsUser: 0
 
+  - name: create-base-images-sbom
+    image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:68b2bfe67ed6b09d6062d00ac6c3441921733861
+    # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
+    # the cluster will set imagePullPolicy to IfNotPresent
+    # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.
+    script: |
+      python3 /app/base_image_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$(results.BASE_IMAGES_DIGESTS.path)
+    workingDir: $(workspaces.source.path)
+    securityContext:
+      runAsUser: 0
+
   - name: inject-sbom-and-push
     image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
     computeResources: {}