From 4cb06b0c7b0c36fad755ed6312a9efaaa116fea3 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Sat, 6 Jul 2024 12:01:19 -0400
Subject: [PATCH 1/2] Expose SBOM results from oci-copy task

This is important, because it is how the enterprise contract tooling recognizes that this is an SBOM to be trusted. It won't trust just any SBOM tagged in the registry. It has to be able to find a reference to the SBOM by digest in the provenance record. https://github.com/enterprise-contract/ec-policies/blob/718386d2239dae85a866f6bcd0adbba036cd1b1d/policy/lib/sbom.rego#L26-L34
---
 task/oci-copy/0.1/README.md | 1 +
 task/oci-copy/0.1/oci-copy.yaml | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md
index 704e0a6e5f..2b09c8a67f 100644
--- a/task/oci-copy/0.1/README.md
+++ b/task/oci-copy/0.1/README.md
@@ -21,6 +21,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste
 |---|---|
 |IMAGE_DIGEST|Digest of the image just built|
 |IMAGE_URL|Image repository where the built image was pushed|
+|SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.|
 
 ## Workspaces
 |name|description|optional|
diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml
index ab21991de3..0511ba4702 100644
--- a/task/oci-copy/0.1/oci-copy.yaml
+++ b/task/oci-copy/0.1/oci-copy.yaml
@@ -30,6 +30,8 @@ spec:
 name: IMAGE_DIGEST
 - description: Repository where the artifact was pushed
 name: IMAGE_URL
+ - description: Link to the SBOM blob pushed to the registry.
+ name: SBOM_BLOB_URL
 stepTemplate:
 env:
 - name: OCI_COPY_FILE
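Review bot: The description of the new SBOM_BLOB_URL result in the `@@ -30,6 +30,8 @@` hunk of oci-copy.yaml calls the value a "Link", but according to the commit message it is an OCI reference by digest (`repository@sha256:<digest>`) that enterprise-contract tooling matches against the provenance, and a consumer of the result needs to know that shape to use it correctly. Suggest `description: OCI reference (repository@sha256:digest) of the SBOM blob pushed to the registry, as recorded in the provenance.` and the same wording in the README table of this commit. The `results` list this entry belongs to starts outside the hunk.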
@@ -170,7 +172,15 @@ spec:
 - cyclonedx
 - $(params.IMAGE)
 workingDir: $(workspaces.source.path)
-
+ - name: report-sbom-url
+ image: quay.io/konflux-ci/yq:latest@sha256:974dea6375ee9df561ffd3baf994db2b61777a71f3bcf0050c5dca91ac9b3430
+ script: |
+ REPO=${IMAGE%:*}
+ echo "Found that ${REPO} is the repository for ${IMAGE}"
+ SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }')
+ echo "Found that ${SBOM_DIGEST} is the SBOM digest"
+ echo -n "${REPO}@sha256:${SBOM_DIGEST}" | tee $(results.SBOM_BLOB_URL.path)
+ workingDir: $(workspaces.source.path)
 volumes:
 - emptyDir: {}
 name: varlibcontainers
From 7ddf5d2ab28a75017cf65b9dc47015e35d994ba9 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Sat, 6 Jul 2024 12:29:35 -0400
Subject: [PATCH 2/2] chore: run hack/generate-ta-tasks.sh

---
 task/oci-copy-oci-ta/0.1/README.md | 1 +
 task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md
index 6c7e32c6bd..c8165982bd 100644
--- a/task/oci-copy-oci-ta/0.1/README.md
+++ b/task/oci-copy-oci-ta/0.1/README.md
@@ -15,4 +15,5 @@ Given a file in the user's source directory, copy content from arbitrary urls in
 |---|---|
 |IMAGE_DIGEST|Digest of the artifact just pushed|
 |IMAGE_URL|Repository where the artifact was pushed|
+|SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.|
 
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
index f6b97faf03..ffe7e4f409 100644
--- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
+++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
@@ -37,6 +37,8 @@ spec:
 description: Digest of the artifact just pushed
 - name: IMAGE_URL
 description: Repository where the artifact was pushed
+ - name: SBOM_BLOB_URL
+ description: Link to the SBOM blob pushed to the registry.
 volumes:
 - name: varlibcontainers
 emptyDir: {}
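Review bot: In the `report-sbom-url` step added at `@@ -170,7 +172,15 @@` of oci-copy.yaml, a missing or empty `sbom-cyclonedx.json` does not fail the step: the `sha256sum | awk` pipeline exits with awk's status, so `SBOM_DIGEST` comes back empty and `${REPO}@sha256:` is still written to the result and carried into the provenance as a reference that can never resolve (even the `set -e` Tekton prepends to a shebang-less script does not catch a failure inside a pipeline). `REPO=${IMAGE%:*}` also cuts at the last `:` anywhere in the reference, so an IMAGE that carries a registry port without a tag, or a digest suffix, would yield the wrong repository; whether IMAGE can take those forms depends on the param definition outside this hunk. The digest is computed locally rather than read back from the push, so the reference is only as good as the attach step above uploading the file byte-for-byte, which is presumably the case but worth a comment. The generated copy in oci-copy-oci-ta.yaml (`@@ -191,3 +193,12 @@` in the second patch) inherits the same script, so the fix belongs in this task followed by a regeneration.
```yaml
  script: |
    #!/bin/sh
    set -eu
    # Drop a digest suffix, then a trailing tag, without touching a registry port.
    REPO="${IMAGE%@*}"
    case "${REPO##*/}" in *:*) REPO="${REPO%:*}" ;; esac
    echo "Found that ${REPO} is the repository for ${IMAGE}"
    # Fail here rather than publish "${REPO}@sha256:" with an empty digest.
    [ -s sbom-cyclonedx.json ] || { echo "sbom-cyclonedx.json is missing or empty" >&2; exit 1; }
    SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }')
    [ -n "${SBOM_DIGEST}" ] || exit 1
    # … unchanged: digest echo and tee into $(results.SBOM_BLOB_URL.path) …
```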
@@ -191,3 +193,12 @@ spec:
 - cyclonedx
 - $(params.IMAGE)
 workingDir: /var/workdir
+ - name: report-sbom-url
+ image: quay.io/konflux-ci/yq:latest@sha256:974dea6375ee9df561ffd3baf994db2b61777a71f3bcf0050c5dca91ac9b3430
+ workingDir: /var/workdir
+ script: |
+ REPO=${IMAGE%:*}
+ echo "Found that ${REPO} is the repository for ${IMAGE}"
+ SBOM_DIGEST=$(sha256sum sbom-cyclonedx.json | awk '{ print $1 }')
+ echo "Found that ${SBOM_DIGEST} is the SBOM digest"
+ echo -n "${REPO}@sha256:${SBOM_DIGEST}" | tee $(results.SBOM_BLOB_URL.path)