From fff9642f9b610e9d0b9f32f0fd844619f460e4e8 Mon Sep 17 00:00:00 2001
From: mkosiarc
Date: Wed, 6 Mar 2024 09:28:39 +0100
Subject: [PATCH] Add a buildah task step that generates base images sbom

This steps uses a python script for creating the sbom https://github.com/redhat-appstudio/build-tasks-dockerfiles/tree/main/base-images-sbom-script
It expects 3 arguments:
1. path to the sbom file that will be updated in place with base images data
2. path to a file containing base images as taken from from the dockerfile (with preserved order)
3. path to a file containing base images with digests, generated from the output of buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}'. The dockerfile order must be preserved as well
For more information, please read the script README

STONEBLD-2042
---
 task/buildah-remote/0.1/buildah-remote.yaml | 14 ++++++++++++++
 task/buildah/0.1/buildah.yaml | 14 ++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
index 6819b25c1e..fa8587d8a4 100644
--- a/task/buildah-remote/0.1/buildah-remote.yaml
+++ b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -294,6 +294,9 @@ spec:
 fi
 done

+ # Needed to generate base images SBOM
+ echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile
+
 buildah push "$IMAGE" oci:rhtap-final-image
 REMOTESSHEOF
 chmod +x scripts/script-build.sh
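Review bot: The `echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile` line sits inside the script body terminated by `REMOTESSHEOF`, i.e. the script buildah-remote ships to the remote host, so the file is created there, while the `create-base-images-sbom` step added later in this patch reads it from the task pod's `/workspace`. Whether the remote workspace is synced back into the pod before that step runs is outside this hunk and is worth confirming; a comment on the echo naming the consumer would also help, e.g. `# Consumed by the create-base-images-sbom step; must be present in the pod's /workspace after the remote build`. If `$BASE_IMAGES` is empty (it is assigned outside the hunk) the file is still written as a single newline, so the consumer presumably has to tolerate a blank list. The enclosing script block starts before this hunk.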
@@ -434,6 +437,17 @@ spec:
 securityContext:
 runAsUser: 0
 workingDir: $(workspaces.source.path)
+ - computeResources: {}
+ env:
+ - name: BASE_IMAGES_DIGESTS_PATH
+ value: $(results.BASE_IMAGES_DIGESTS.path)
+ image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840
+ name: create-base-images-sbom
+ script: |
+ python3 /app/base_images_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$BASE_IMAGES_DIGESTS_PATH
+ securityContext:
+ runAsUser: 0
+ workingDir: $(workspaces.source.path)
 - computeResources: {}
 image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
 name: inject-sbom-and-push
diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
index a489c286dd..b262faf67b 100644
--- a/task/buildah/0.1/buildah.yaml
+++ b/task/buildah/0.1/buildah.yaml
@@ -245,6 +245,9 @@ spec:
 fi
 done

+ # Needed to generate base images SBOM
+ echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile
+
 securityContext:
 capabilities:
 add:
@@ -350,6 +353,17 @@ spec:
 securityContext:
 runAsUser: 0

+ - name: create-base-images-sbom
+ image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840
+ env:
+ - name: BASE_IMAGES_DIGESTS_PATH
+ value: $(results.BASE_IMAGES_DIGESTS.path)
+ script: |
+ python3 /app/base_images_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$BASE_IMAGES_DIGESTS_PATH
+ workingDir: $(workspaces.source.path)
+ securityContext:
+ runAsUser: 0
+
 - name: inject-sbom-and-push
 image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
 computeResources: {}
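Review bot: The new `create-base-images-sbom` step runs as root (`runAsUser: 0`) although its script only rewrites `sbom-cyclonedx.json` and reads two files under the workspace; if root is required only because the earlier buildah steps leave those files root-owned, that deserves a comment such as `# runAsUser: 0 needed to modify the root-owned SBOM written by the build step`, otherwise the step should not carry it. The same applies to the `create-base-images-sbom` step added in buildah.yaml at the `@@ -350,6 +353,17 @@` hunk. In both steps `$BASE_IMAGES_DIGESTS_PATH` is expanded unquoted on the `python3` line; a Tekton result path contains no whitespace today, but `--base-images-digests="$BASE_IMAGES_DIGESTS_PATH"` costs nothing and matches the quoting used elsewhere in these scripts. Passing the result's path through an env var rather than interpolating result content into the script line is the right shape, and the digest-pinned script image is good.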