From f8f599df84ff5957c019bdf9151e25a0093255a1 Mon Sep 17 00:00:00 2001 From: arewm Date: Wed, 24 Jul 2024 15:08:27 -0400 Subject: [PATCH] Create the SBOM_BLOB_URL for v0.2 buildah tasks Now that the BASE_IMAGE_DIGESTS result has been removed, there should now be enough room for us to re-add the SBOM_BLOB_URL. This will enable EC verification of the SBOM based on the digest which is recorded in the provenenance. It will prevent supply-chain attacks which are driven by modifying the floating tag of the uploaded SBOM. Even with the referrer's API, the digest can be used to identify which SBOM should be the one built from Konflux. This was added in #645 and then removed in #654 due to the limitation of Tekton results' size. Signed-off-by: arewm --- task/buildah-oci-ta/0.2/README.md | 1 + task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 9 ++++ task/buildah-remote-oci-ta/0.2/README.md | 47 +++++++++++++++++++ .../0.2/buildah-remote-oci-ta.yaml | 10 ++++ task/buildah-remote/0.2/README.md | 1 + task/buildah-remote/0.2/buildah-remote.yaml | 10 ++++ task/buildah/0.2/README.md | 1 + task/buildah/0.2/buildah.yaml | 8 ++++ 8 files changed, 87 insertions(+) create mode 100644 task/buildah-remote-oci-ta/0.2/README.md diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index bfa06e6cee..a61f052c10 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -42,4 +42,5 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_URL|Image repository where the built image was pushed| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| +|SBOM_BLOB_URL|Reference of SBOM digest to enable digest-based verification from provenance| 
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index fca1d4aea7..a9522bafdf 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -139,6 +139,9 @@ spec: - name: SBOM_JAVA_COMPONENTS_COUNT description: The counting of Java components by publisher in JSON format type: string + - name: SBOM_BLOB_URL + description: Reference of SBOM digest to enable digest-based verification from provenance + type: string volumes: - name: activation-key secret: @@ -565,6 +568,12 @@ spec: echo -n "${IMAGE}@" cat "/var/workdir/image-digest" } >"$(results.IMAGE_REF.path)" + + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee $(results.SBOM_BLOB_URL.path) securityContext: capabilities: add: diff --git a/task/buildah-remote-oci-ta/0.2/README.md b/task/buildah-remote-oci-ta/0.2/README.md new file mode 100644 index 0000000000..59cbca84a5 --- /dev/null +++ b/task/buildah-remote-oci-ta/0.2/README.md 
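Review bot: In the second hunk, `sbom_repo="${IMAGE%:*}"` strips from the last colon wherever it is, so an untagged IMAGE whose registry carries a port (a hypothetical `registry.example:5000/ns/app`) loses the port, and a digest reference (`…@sha256:…`) is mangled, which contradicts the comment on the line above; strip the tag only when the colon sits in the last path component, e.g. `sbom_repo="${IMAGE%%@*}"` followed by `case "${sbom_repo##*/}" in *:*) sbom_repo="${sbom_repo%:*}" ;; esac`. The same five lines appear in the buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml hunks, and the enclosing script starts and ends outside every one of them. The result path on the `tee` line is unquoted, unlike `>"$(results.IMAGE_REF.path)"` just above it; write `tee "$(results.SBOM_BLOB_URL.path)"`. If `sbom-cyclonedx.json` is absent from the working directory, `cut` still exits 0 and an empty digest is written as `…@sha256:`, a malformed reference that downstream verification can never resolve, so a guard such as `[ -n "$sbom_digest" ] || exit 1` after the sha256sum line keeps the result well-formed (whether `set -o pipefail` applies depends on the script head, which is outside the hunk). The comment `# The SBOM_BLOB_URL is created by \`cosign attach sbom\`.` reads as if cosign produced the value; clearer would be `# Digest-based verification only holds if cosign attach sbom pushes this exact file, so its sha256 equals the attached blob digest.`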
@@ -0,0 +1,47 @@ +# buildah-remote-oci-ta task + +Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. +In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. +When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. +When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| +|IMAGE|Reference of the image buildah will produce.||true| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| +|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| +|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| +|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|PLATFORM|The platform to build on||true| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_REF|Image reference of the built image| +|IMAGE_URL|Image repository where the built image was pushed| +|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| +|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| +|SBOM_BLOB_URL|Reference of SBOM digest to enable digest-based verification from provenance| + 
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index ec1f9c77a4..47cb60588b 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -140,6 +140,10 @@ spec: - description: The counting of Java components by publisher in JSON format name: SBOM_JAVA_COMPONENTS_COUNT type: string + - description: Reference of SBOM digest to enable digest-based verification from + provenance + name: SBOM_BLOB_URL + type: string stepTemplate: computeResources: {} env: @@ -636,6 +640,12 @@ spec: echo -n "${IMAGE}@" cat "/var/workdir/image-digest" } >"$(results.IMAGE_REF.path)" + + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee $(results.SBOM_BLOB_URL.path) securityContext: capabilities: add: diff --git a/task/buildah-remote/0.2/README.md b/task/buildah-remote/0.2/README.md index 71b2baa59b..184bf1cc51 100644 --- a/task/buildah-remote/0.2/README.md +++ b/task/buildah-remote/0.2/README.md @@ -41,6 +41,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_REF|Image reference of the built image| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| +|SBOM_BLOB_URL|Reference of SBOM digest to enable digest-based verification from provenance| ## Workspaces |name|description|optional| diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index ba4f09725e..6185b32f44 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml 
@@ -131,6 +131,10 @@ spec: - description: The Java dependencies that came from community sources such as Maven central. name: JAVA_COMMUNITY_DEPENDENCIES + - description: Reference of SBOM digest to enable digest-based verification from + provenance + name: SBOM_BLOB_URL + type: string stepTemplate: computeResources: {} env: @@ -618,6 +622,12 @@ spec: echo -n "${IMAGE}@" cat "$(workspaces.source.path)/image-digest" } > "$(results.IMAGE_REF.path)" + + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee $(results.SBOM_BLOB_URL.path) securityContext: capabilities: add: diff --git a/task/buildah/0.2/README.md b/task/buildah/0.2/README.md index 5dabbe3e4f..3287f7782d 100644 --- a/task/buildah/0.2/README.md +++ b/task/buildah/0.2/README.md @@ -40,6 +40,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_REF|Image reference of the built image| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| +|SBOM_BLOB_URL|Reference of SBOM digest to enable digest-based verification from provenance| ## Workspaces |name|description|optional| diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index e647b36489..0fcba9a64f 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -116,6 +116,9 @@ spec: type: string - name: JAVA_COMMUNITY_DEPENDENCIES description: The Java dependencies that came from community sources such as Maven central. + - name: SBOM_BLOB_URL + description: Reference of SBOM digest to enable digest-based verification from provenance + type: string stepTemplate: volumeMounts: - mountPath: /shared 
@@ -516,6 +519,11 @@ spec: cat "$(workspaces.source.path)/image-digest" } > "$(results.IMAGE_REF.path)" + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee $(results.SBOM_BLOB_URL.path) securityContext: runAsUser: 0 capabilities: