Create the SBOM_BLOB_URL for v0.2 buildah tasks #1192

Merged: 1 commit, Jul 25, 2024
1 change: 1 addition & 0 deletions pipelines/docker-build-oci-ta/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,7 @@
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
### clair-scan:0.1 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
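Review bot: the description "Reference of SBOM blob digest to enable digest-based verification from provenance" never says what shape the value has, and the name suggests a URL. The script that fills it (`echo -n "${sbom_repo}@sha256:${sbom_digest}"`) writes `<repository>@sha256:<sha256 of sbom-cyclonedx.json>`, so state that form here, e.g. "Digest reference (<repo>@sha256:<digest>) of the CycloneDX SBOM blob pushed with cosign attach sbom; intended for digest-based verification from provenance". The same sentence is copied into the other README rows and the four task YAML result definitions in this PR, so change it everywhere in the same pass.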
Expand Down
1 change: 1 addition & 0 deletions pipelines/docker-build/README.md
Expand Up @@ -164,6 +164,7 @@
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
### clair-scan:0.1 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
Expand Down
1 change: 1 addition & 0 deletions task/buildah-oci-ta/0.2/README.md
Expand Up @@ -41,5 +41,6 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|IMAGE_REF|Image reference of the built image|
|IMAGE_URL|Image repository where the built image was pushed|
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|
|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|

12 changes: 12 additions & 0 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
Expand Up @@ -136,6 +136,10 @@ spec:
- name: JAVA_COMMUNITY_DEPENDENCIES
description: The Java dependencies that came from community sources
such as Maven central.
- name: SBOM_BLOB_URL
description: Reference of SBOM blob digest to enable digest-based verification
from provenance
type: string
- name: SBOM_JAVA_COMPONENTS_COUNT
description: The counting of Java components by publisher in JSON format
type: string
Expand Down Expand Up @@ -529,6 +533,8 @@ spec:
- mountPath: /var/lib/containers
name: varlibcontainers
script: |
#!/bin/bash
set -e
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
container=$(buildah from --pull-never $IMAGE)
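Review bot: adding `set -e` at the top of a step script that previously ran without it is a behaviour change for the whole script, not only for the lines added further down: any command in the existing body that was until now allowed to fail (and whose non-zero status was ignored) will abort the step after this merge. Either audit the rest of this script for such commands or scope the strictness to the new block. Also prefer `set -euo pipefail` here: with plain `set -e` a pipeline's exit status is that of its last command, so a failing `sha256sum` piped into `cut` later in this script is silently masked.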
Expand Down Expand Up @@ -565,6 +571,12 @@ spec:
echo -n "${IMAGE}@"
cat "/var/workdir/image-digest"
} >"$(results.IMAGE_REF.path)"

# Remove tag from IMAGE while allowing registry to contain a port number.
sbom_repo="${IMAGE%:*}"
sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
# The SBOM_BLOB_URL is created by `cosign attach sbom`.
echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
securityContext:
capabilities:
add:
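Review bot: `sbom_repo="${IMAGE%:*}"` strips everything after the last colon, which yields the repository only when `IMAGE` actually carries a tag. For an untagged reference whose registry has a port (`registry.example:5000/org/app`) the last colon is the port separator and `sbom_repo` becomes `registry.example`; for a digest reference (`org/app@sha256:<hex>`) it becomes `org/app@sha256`. So the comment "while allowing registry to contain a port number" holds only for the tagged case. Strip the tag only when the text after the last colon contains no slash, e.g. `case "${IMAGE##*:}" in */*) sbom_repo="$IMAGE" ;; *) sbom_repo="${IMAGE%:*}" ;; esac` (a digest-form IMAGE would additionally need `${IMAGE%%@*}` first), or better, derive it from the same repository value written to the IMAGE_URL result ("Image repository where the built image was pushed"), so the SBOM reference can never point at a different repository than the image it describes.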
Expand Down
47 changes: 47 additions & 0 deletions task/buildah-remote-oci-ta/0.2/README.md
@@ -0,0 +1,47 @@
# buildah-remote-oci-ta task

Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.
In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false|
|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false|
|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false|
|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|COMMIT_SHA|The image is built from this commit.|""|false|
|CONTEXT|Path to the directory to use as context.|.|false|
|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false|
|HERMETIC|Determines if build will be executed without network access.|false|false|
|IMAGE|Reference of the image buildah will produce.||true|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|
|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false|
|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false|
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false|
|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false|
|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false|
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|PLATFORM|The platform to build on||true|

## Results
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_REF|Image reference of the built image|
|IMAGE_URL|Image repository where the built image was pushed|
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|
|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
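Review bot: the parameters table is sorted up to `caTrustConfigMapName`, but `PLATFORM` is appended as the last row; move it to its sorted position so this new README has the same layout as the other task READMEs. Two wording fixes in the intro: "generates a SBOM file" should read "an SBOM file", and "When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment" should read "When the prefetch-dependencies task is enabled, the build uses its artifacts to run in a hermetic environment". The opening sentence should also name the task ("The buildah-remote-oci-ta task builds ...") rather than the generic "Buildah task builds ...", since this README is specific to the remote trusted-artifacts variant.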

12 changes: 12 additions & 0 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
Expand Up @@ -137,6 +137,10 @@ spec:
- description: The Java dependencies that came from community sources such as Maven
central.
name: JAVA_COMMUNITY_DEPENDENCIES
- description: Reference of SBOM blob digest to enable digest-based verification
from provenance
name: SBOM_BLOB_URL
type: string
- description: The counting of Java components by publisher in JSON format
name: SBOM_JAVA_COMPONENTS_COUNT
type: string
Expand Down Expand Up @@ -600,6 +604,8 @@ spec:
image: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050
name: inject-sbom-and-push
script: |
#!/bin/bash
set -e
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
container=$(buildah from --pull-never $IMAGE)
Expand Down Expand Up @@ -636,6 +642,12 @@ spec:
echo -n "${IMAGE}@"
cat "/var/workdir/image-digest"
} >"$(results.IMAGE_REF.path)"

# Remove tag from IMAGE while allowing registry to contain a port number.
sbom_repo="${IMAGE%:*}"
sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
# The SBOM_BLOB_URL is created by `cosign attach sbom`.
echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
securityContext:
capabilities:
add:
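Review bot: nothing guards `sha256sum sbom-cyclonedx.json` against the file being absent or empty. Under `set -e` without `pipefail` the pipeline's exit status is that of `cut`, so a missing file leaves `sbom_digest` empty and the step still writes `<repo>@sha256:` to the SBOM_BLOB_URL result, a malformed reference that a digest-based verifier will either reject or, worse, treat as "no SBOM attached". Add a check before hashing, e.g. `[ -s sbom-cyclonedx.json ] || { echo "sbom-cyclonedx.json missing or empty" >&2; exit 1; }`, and use `set -euo pipefail` so a failure inside the pipeline fails the step instead of producing an empty digest.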
Expand Down
1 change: 1 addition & 0 deletions task/buildah-remote/0.2/README.md
Expand Up @@ -39,6 +39,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_URL|Image repository where the built image was pushed|
|IMAGE_REF|Image reference of the built image|
|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|

Expand Down
12 changes: 12 additions & 0 deletions task/buildah-remote/0.2/buildah-remote.yaml
Expand Up @@ -125,6 +125,10 @@ spec:
name: IMAGE_URL
- description: Image reference of the built image
name: IMAGE_REF
- description: Reference of SBOM blob digest to enable digest-based verification
from provenance
name: SBOM_BLOB_URL
type: string
- description: The counting of Java components by publisher in JSON format
name: SBOM_JAVA_COMPONENTS_COUNT
type: string
Expand Down Expand Up @@ -582,6 +586,8 @@ spec:
image: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050
name: inject-sbom-and-push
script: |
#!/bin/bash
set -e
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
container=$(buildah from --pull-never $IMAGE)
Expand Down Expand Up @@ -618,6 +624,12 @@ spec:
echo -n "${IMAGE}@"
cat "$(workspaces.source.path)/image-digest"
} > "$(results.IMAGE_REF.path)"

# Remove tag from IMAGE while allowing registry to contain a port number.
sbom_repo="${IMAGE%:*}"
sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
# The SBOM_BLOB_URL is created by `cosign attach sbom`.
echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
securityContext:
capabilities:
add:
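Review bot: the comment "The SBOM_BLOB_URL is created by `cosign attach sbom`" does not describe what the code does: the value is computed locally as the sha256 of `sbom-cyclonedx.json`, and cosign is not consulted at all. The result is correct only under the assumption that `cosign attach sbom` uploads the file bytes unchanged as an OCI blob (so the blob digest equals the file digest) and that the file hashed here is the very file that was attached. Reword the comment to state that assumption explicitly ("digest of the SBOM blob pushed by cosign attach sbom; equals sha256 of the file because the file is uploaded as-is"), and consider reading the digest back from the pushed artifact instead, which turns the assumption into a checked fact and is what a result meant for digest-based verification should rest on.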
Expand Down
1 change: 1 addition & 0 deletions task/buildah/0.2/README.md
Expand Up @@ -38,6 +38,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_URL|Image repository where the built image was pushed|
|IMAGE_REF|Image reference of the built image|
|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|

Expand Down
10 changes: 10 additions & 0 deletions task/buildah/0.2/buildah.yaml
Expand Up @@ -111,6 +111,9 @@ spec:
name: IMAGE_URL
- description: Image reference of the built image
name: IMAGE_REF
- name: SBOM_BLOB_URL
description: Reference of SBOM blob digest to enable digest-based verification from provenance
type: string
- name: SBOM_JAVA_COMPONENTS_COUNT
description: The counting of Java components by publisher in JSON format
type: string
Expand Down Expand Up @@ -479,6 +482,8 @@ spec:
image: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050
computeResources: {}
script: |
#!/bin/bash
set -e
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
container=$(buildah from --pull-never $IMAGE)
Expand Down Expand Up @@ -516,6 +521,11 @@ spec:
cat "$(workspaces.source.path)/image-digest"
} > "$(results.IMAGE_REF.path)"

# Remove tag from IMAGE while allowing registry to contain a port number.
sbom_repo="${IMAGE%:*}"
sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
# The SBOM_BLOB_URL is created by `cosign attach sbom`.
echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
securityContext:
runAsUser: 0
capabilities:
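Review bot: the new lines hash `sbom-cyclonedx.json` by a relative path, while the IMAGE_REF block directly above reads `$(workspaces.source.path)/image-digest` by an absolute one, so the SBOM digest depends on whatever the working directory happens to be at this point in the script. Make the path explicit (`"$(workspaces.source.path)/sbom-cyclonedx.json"`, assuming the SBOM is generated into the source workspace, which this hunk does not show) so a later `cd` or a changed `workingDir` cannot silently hash the wrong file; the same relative path is used in the other three task variants in this PR.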
Expand Down