Add image reference to SBOM

[Allda]

The SBOM generated by the buildah task now contains the reference to the image itself. The new script supports both spdx and cyclonedx format.

In order to inject the image reference to the SBOM steps were rearanged to push first and then generate SBOM. The code that stored the sbom into image itself was removed as not used anymore.

JIRA: ISV-5411

Before you complete this pull request ...

Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.

[Allda]

The build task with new changes has been tested as part of this pipelinerun https://github.com/Allda/devfile-sample-python-basic/pull/16/checks?check_run_id=33323099120

[Allda]

@brunoapimentel @rcerven Can you guys please review this PR. Thanks

[tnevrlka]

/ok-to-test

[chmeliik]

Could you split this into two commits?

• Stop injecting SBOM into image
• Add image reference to SBOM

The first change has potential consequences, it shouldn't be "hidden" in a commit that does something else

[Allda]

Could you split this into two commits?

* Stop injecting SBOM into image

* Add image reference to SBOM

The first change has potential consequences, it shouldn't be "hidden" in a commit that does something else

I split the change into 2 commits as suggested.

[chmeliik]

/ok-to-test

[chmeliik]

/retest

[chmeliik]

tkn pr -n konflux-ci logs build-definitions-pull-request-nw6ql

[e2e-tests : e2e-test]   [FAILED] in [It] - /konflux-e2e/tests/build/build_templates.go:602 @ 11/26/24 14:28:35.951
[e2e-tests : e2e-test] • [FAILED] [4.849 seconds]
[e2e-tests : e2e-test] [build-service-suite Build templates E2E test] HACBS pipelines when the container image for component with Git source URL https://github.com/konflux-qe-bd/retrodep is created and pushed to container registry [It] contains non-empty sbom files [build, build-templates, HACBS, pipeline, sbom, slow, build-templates-e2e]
[e2e-tests : e2e-test] /konflux-e2e/tests/build/build_templates.go:600
[e2e-tests : e2e-test] 
[e2e-tests : e2e-test]   [FAILED] Unexpected error:
[e2e-tests : e2e-test]       <*errors.errorString | 0xc00171a0f0>: 
[e2e-tests : e2e-test]       failed to get sbom purl content: sbom file not found in path /tmp/eimage3422397966/root/buildinfo/content_manifests/sbom-purl.json
[e2e-tests : e2e-test]       {
[e2e-tests : e2e-test]           s: "failed to get sbom purl content: sbom file not found in path /tmp/eimage3422397966/root/buildinfo/content_manifests/sbom-purl.json",
[e2e-tests : e2e-test]       }
[e2e-tests : e2e-test]   occurred
[e2e-tests : e2e-test]   In [It] at: /konflux-e2e/tests/build/build_templates.go:602 @ 11/26/24 14:28:35.951

Looks like this will need a corresponding change in https://github.com/konflux-ci/e2e-tests

[Allda]

tkn pr -n konflux-ci logs build-definitions-pull-request-nw6ql

[e2e-tests : e2e-test]   [FAILED] in [It] - /konflux-e2e/tests/build/build_templates.go:602 @ 11/26/24 14:28:35.951
[e2e-tests : e2e-test] • [FAILED] [4.849 seconds]
[e2e-tests : e2e-test] [build-service-suite Build templates E2E test] HACBS pipelines when the container image for component with Git source URL https://github.com/konflux-qe-bd/retrodep is created and pushed to container registry [It] contains non-empty sbom files [build, build-templates, HACBS, pipeline, sbom, slow, build-templates-e2e]
[e2e-tests : e2e-test] /konflux-e2e/tests/build/build_templates.go:600
[e2e-tests : e2e-test] 
[e2e-tests : e2e-test]   [FAILED] Unexpected error:
[e2e-tests : e2e-test]       <*errors.errorString | 0xc00171a0f0>: 
[e2e-tests : e2e-test]       failed to get sbom purl content: sbom file not found in path /tmp/eimage3422397966/root/buildinfo/content_manifests/sbom-purl.json
[e2e-tests : e2e-test]       {
[e2e-tests : e2e-test]           s: "failed to get sbom purl content: sbom file not found in path /tmp/eimage3422397966/root/buildinfo/content_manifests/sbom-purl.json",
[e2e-tests : e2e-test]       }
[e2e-tests : e2e-test]   occurred
[e2e-tests : e2e-test]   In [It] at: /konflux-e2e/tests/build/build_templates.go:602 @ 11/26/24 14:28:35.951

Looks like this will need a corresponding change in https://github.com/konflux-ci/e2e-tests

I am not familiar with the e2e code base and I did just a quick check. Is this the place that needs to be remove?
https://github.com/konflux-ci/e2e-tests/blob/main/tests/build/build_templates.go#L600

[chmeliik]

I am not familiar with the e2e code base and I did just a quick check. Is this the place that needs to be remove? https://github.com/konflux-ci/e2e-tests/blob/main/tests/build/build_templates.go#L600

Me neither 😅 but yes, I think that's the place

[Allda]

I am not familiar with the e2e code base and I did just a quick check. Is this the place that needs to be remove? https://github.com/konflux-ci/e2e-tests/blob/main/tests/build/build_templates.go#L600

Me neither 😅 but yes, I think that's the place

I opened a PR there with the change. Once the CI passes please review konflux-ci/e2e-tests#1465

[chmeliik]

file not found in path /tmp/eimage3422397966/root/buildinfo/content_manifests/sbom-purl.json

This made me realize we can also delete the code that creates sbom-purl.json. I believe that the file isn't used for anything anymore

[Allda]

/retest

[Allda]

/retest

[Allda]

@chmeliik The e2e test is green now. Can you do a last round of review and merge if all looks good? Thanks

[Allda]

@chmeliik I also removed the purl script from the tekton task and here is another PR that removes the script itself konflux-ci/build-tasks-dockerfiles#193

[chmeliik]

LGTM. We can keep the version bump after all, it doesn't really hurt anything. Thanks for adding the "changelog" to the README

[Allda]

LGTM. We can keep the version bump after all, it doesn't really hurt anything. Thanks for adding the "changelog" to the README

So do you want to bump a patch version to 0.2.1?

EDIT: Never mind.. I didn't realize I never reverted it back to 0.2

[Allda]

/retest

[Allda]

/retest

[Allda]

/retest