Optionally skip SBOM generation #1507

Open: wants to merge 2 commits into main
1 change: 1 addition & 0 deletions pipelines/docker-build-multi-platform-oci-ta/README.md
@@ -61,6 +61,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|LABELS| Additional key=value labels that should be applied to the image| []| |
|PLATFORM| The platform to build on| None| |
|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| |
|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
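Review bot: the new SKIP_SBOM_GENERATION row has an empty last column, so unlike PREFETCH_INPUT ('$(params.prefetch-input)') no pipeline-level parameter feeds it, and this PR changes only the README files under pipelines/, not the pipeline definitions. As it stands a PipelineRun cannot set the flag without editing the bundled pipeline. If a task-only knob is the intent, say so in the PR description; otherwise add a pipeline parameter and reference it in this column, as the other wired parameters do.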
1 change: 1 addition & 0 deletions pipelines/docker-build-oci-ta/README.md
@@ -58,6 +58,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
|LABELS| Additional key=value labels that should be applied to the image| []| |
|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| |
|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
1 change: 1 addition & 0 deletions pipelines/docker-build/README.md
@@ -57,6 +57,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
|LABELS| Additional key=value labels that should be applied to the image| []| |
|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| |
|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
1 change: 1 addition & 0 deletions pipelines/fbc-builder/README.md
@@ -61,6 +61,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|LABELS| Additional key=value labels that should be applied to the image| []| |
|PLATFORM| The platform to build on| None| |
|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| |
|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
1 change: 1 addition & 0 deletions task/buildah-oci-ta/0.2/README.md
@@ -23,6 +23,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|LABELS|Additional key=value labels that should be applied to the image|[]|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|SKIP_SBOM_GENERATION|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false|
|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|
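Review bot: the description "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled" is too vague for a flag with this blast radius. State what is skipped (the syft scans, the merge and the upload), the consequence (the image is pushed without an SBOM and will not pass Enterprise Contract policies that require one; expand "EC" on first use), and the accepted value, since the step scripts compare against the literal string "true" and anything else leaves SBOM generation on.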
17 changes: 17 additions & 0 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -82,6 +82,11 @@ spec:
be made available to the build.
type: string
default: ""
- name: SKIP_SBOM_GENERATION
description: Skip SBOM-related operations. This will likely cause EC
policies to fail if enabled
type: string
default: "false"
- name: SKIP_UNUSED_STAGES
description: Whether to skip stages in Containerfile that seem unused
by subsequent stages
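Review bot: `type: string` with `default: "false"` paired with a guard that tests `= "true"` means "True", "yes" or "1" silently keep SBOM generation enabled. Either document the accepted values (true/false) in the description, or normalise and validate the value at the top of the guarded steps and fail loudly on anything that is not exactly true or false, so a mistyped value does not look like a working opt-out.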
@@ -618,6 +623,10 @@ spec:
- mountPath: /shared
name: shared
script: |
if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
echo "Skipping SBOM generation"
exit 0
fi
echo "Running syft on the source directory"
syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
echo "Running syft on the image filesystem"
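Review bot: this step reads ${SKIP_SBOM_GENERATION} from its environment, but the 17 added lines in this file are the parameter block (5) plus three guards (4 each); no `env:` entry mapping $(params.SKIP_SBOM_GENERATION) into the steps or the stepTemplate is added. Unless such a mapping already exists, the variable is empty, the comparison never matches and the flag is a no-op. Add `- name: SKIP_SBOM_GENERATION` / `value: $(params.SKIP_SBOM_GENERATION)` wherever SOURCE_CODE_DIR and CONTEXT are mapped. Separately, `exit 0` here means sbom-source.json and sbom-image.json are never written; only the merge and upload steps are guarded in this diff, so confirm that any other step between here and upload-sbom that reads those files or the merged sbom-cyclonedx.json is guarded too or tolerates their absence.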
@@ -656,6 +665,10 @@ spec:
image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:9f1fd11d9c3c517ecc112d192ad361d16ecf6ce00b83b109c93cf3d1c644a357
workingDir: /var/workdir
script: |
if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
echo "Skipping SBOM generation"
exit 0
fi
echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
python3 /scripts/merge_syft_sboms.py

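Review bot: the log line says "Skipping SBOM generation" but this step merges, not generates; make it "Skipping SBOM merge (SKIP_SBOM_GENERATION=true)" so task logs identify which step bailed and why. The same applies to the identical message in the upload step.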
@@ -700,6 +713,10 @@ spec:
readOnly: true
script: |
#!/bin/bash
if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
echo "Skipping SBOM generation"
exit 0
fi

ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
3 changes: 3 additions & 0 deletions task/buildah-remote-oci-ta/0.2/README.md
@@ -21,7 +21,9 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|HERMETIC|Determines if build will be executed without network access.|false|false|
|IMAGE|Reference of the image buildah will produce.||true|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|LABELS|Additional key=value labels that should be applied to the image|[]|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|SKIP_SBOM_GENERATION|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false|
|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|
@@ -34,6 +36,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|PLATFORM|The platform to build on||true|
|IMAGE_APPEND_PLATFORM|Whether to append a sanitized platform architecture on the IMAGE tag|false|false|
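Review bot: of the three added rows in this README only SKIP_SBOM_GENERATION belongs to this change; LABELS and IMAGE_APPEND_PLATFORM were missing from the table before and are being back-filled here. That is fine if the README is regenerated from the task definition, but say so in the commit message, or split the catch-up into its own commit, so the unrelated rows are not mistaken for new parameters.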

## Results
|name|description|
17 changes: 17 additions & 0 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -81,6 +81,11 @@ spec:
to the build.
name: PREFETCH_INPUT
type: string
- default: "false"
description: Skip SBOM-related operations. This will likely cause EC policies
to fail if enabled
name: SKIP_SBOM_GENERATION
type: string
- default: "true"
description: Whether to skip stages in Containerfile that seem unused by subsequent
stages
@@ -725,6 +730,10 @@ spec:
IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
export IMAGE
fi
if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
echo "Skipping SBOM generation"
exit 0
fi
echo "Running syft on the source directory"
syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
echo "Running syft on the image filesystem"
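Review bot: same concern as in buildah-oci-ta: the guard reads ${SKIP_SBOM_GENERATION} from the environment, yet this file's 17 added lines are the parameter block and three guards, with no `env:` mapping from $(params.SKIP_SBOM_GENERATION). Unless a mapping already exists, the variable is empty and the skip never fires. Placing the check after the IMAGE rewrite is correct, since the skipped steps do not need IMAGE; the mapping is what is missing.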
@@ -780,6 +789,10 @@ spec:
IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
export IMAGE
fi
if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
echo "Skipping SBOM generation"
exit 0
fi
echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
python3 /scripts/merge_syft_sboms.py

@@ -820,6 +833,10 @@ spec:
name: upload-sbom
script: |
#!/bin/bash
if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
echo "Skipping SBOM generation"
exit 0
fi

ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
3 changes: 3 additions & 0 deletions task/buildah-remote/0.2/README.md
@@ -31,7 +31,10 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|
|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false|
|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
|LABELS|Additional key=value labels that should be applied to the image|[]|false|
|SKIP_SBOM_GENERATION|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false|
|PLATFORM|The platform to build on||true|
|IMAGE_APPEND_PLATFORM|Whether to append a sanitized platform architecture on the IMAGE tag|false|false|
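Review bot: as in the buildah-remote-oci-ta README, two of the three added rows (LABELS, IMAGE_APPEND_PLATFORM) are unrelated back-fill of a stale table rather than part of this change; note that in the commit message or split it out. The table order here (SKIP_UNUSED_STAGES, LABELS, SKIP_SBOM_GENERATION, PLATFORM) also differs from the other task READMEs, which list SKIP_SBOM_GENERATION directly before SKIP_UNUSED_STAGES; keep the ordering consistent if these files are generated from the same source.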

## Results
|name|description|
17 changes: 17 additions & 0 deletions task/buildah-remote/0.2/buildah-remote.yaml
@@ -119,6 +119,11 @@ spec:
description: Additional key=value labels that should be applied to the image
name: LABELS
type: array
- default: "false"
description: Skip SBOM-related operations. This will likely cause EC policies
to fail if enabled
name: SKIP_SBOM_GENERATION
type: string
- description: The platform to build on
name: PLATFORM
type: string
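Review bot: the parameter is inserted between LABELS and PLATFORM here, whereas buildah-oci-ta and buildah-remote-oci-ta place it between PREFETCH_INPUT and SKIP_UNUSED_STAGES. Keep the position consistent across the three tasks so the generated READMEs and future diffs line up.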
@@ -704,6 +709,10 @@ spec:
IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
export IMAGE
fi
if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
echo "Skipping SBOM generation"
exit 0
fi
echo "Running syft on the source directory"
syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json"
echo "Running syft on the image filesystem"
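Review bot: this guard, like its counterparts in the other two tasks, depends on ${SKIP_SBOM_GENERATION} being present in the step environment, and no `env:` mapping from $(params.SKIP_SBOM_GENERATION) is added in this file (17 additions: parameter block plus three guards). Verify a mapping exists, or add one, otherwise the flag does nothing on the remote path.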
@@ -759,6 +768,10 @@ spec:
IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}"
export IMAGE
fi
if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
echo "Skipping SBOM generation"
exit 0
fi
echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
python3 /scripts/merge_syft_sboms.py

@@ -799,6 +812,10 @@ spec:
name: upload-sbom
script: |
#!/bin/bash
if [ "${SKIP_SBOM_GENERATION}" = "true" ]; then
echo "Skipping SBOM generation"
exit 0
fi

ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then