
feat(STONEINTG-887): get base images from SBOM #954

Merged
merged 2 commits into from
Apr 29, 2024

Conversation

MartinBasti
Contributor

@MartinBasti MartinBasti commented Apr 19, 2024

Task deprecated-image-check will also fetch data about base images from the SBOM.

This requires an incompatible change, because users must update the PLR definition with the new parameters.

In future, konflux will stop providing BASE_IMAGES_DIGESTS via parameter, thus this param is optional now (we cannot remove it yet).

Before you complete this pull request ...

Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.

@MartinBasti
Contributor Author

Example

STEP-CHECK-IMAGES

Fething SBOM for image quay.io/mbasti-test-org/single-nodejs-app:d1e1c90@sha256:1492539a932605755ed1bec583d5db4896828c37fdd0c61ca096485de8d9e27c
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Found SBOM of media type: application/vnd.cyclonedx+json
Detected base images from SBOM:

Base images pased by param BASE_IMAGES_DIGESTS: registry.access.redhat.com/ubi9/nodejs-16:<none>@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1

Images to be checked:
registry.access.redhat.com/ubi9/nodejs-16

Querying Red Hat Catalog for registry.access.redhat.com/ubi9/nodejs-16.
Running conftest using /project/repository/ policy, required_checks namespace.
[
	{
		"filename": "/tmp/ubi9/nodejs-16/repository_data.json",
		"namespace": "required_checks",
		"successes": 1
	}
]
[SUCCESS] Image registry.access.redhat.com/ubi9/nodejs-16 is valid
{"result":"SUCCESS","timestamp":"1713542822","note":"Task deprecated-image-check completed: Check result for task result.","namespace":"required_checks","successes":1,"failures":0,"warnings":0}

@MartinBasti
Contributor Author

Example when base images are available in SBOM:

STEP-CHECK-IMAGES

Fething SBOM for image quay.io/mbasti-test-org/single-container-app:f2566ab@sha256:e3605c5646ae1f6524b750b12a6c29fab309d9862491b1cee51f3a28202a5b63
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Found SBOM of media type: application/vnd.cyclonedx+json
Detected base images from SBOM:
docker.io/library/node

Base images pased by param BASE_IMAGES_DIGESTS: docker.io/library/node:latest@sha256:162d92c5f1467ad877bf6d8a098d9b04d7303879017a2f3644bfb1de1fc88ff0

Images to be checked:
docker.io/library/node

Querying Red Hat Catalog for docker.io/library/node.
[WARNING] Registry/image docker.io/library/node not found in Red Hat Catalog. Task cannot provide results if image is deprecated.
{"result":"WARNING","timestamp":"1713542891","note":"Task deprecated-image-check completed: Check result for task result.","namespace":"required_checks","successes":0,"failures":0,"warnings":1}
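The two task outputs above show base images being collected from the SBOM and from the BASE_IMAGES_DIGESTS parameter and merged into one "Images to be checked" list; the Python below is an added illustration of that merge, not the task's own script (the real task is a shell step that fetches the SBOM with cosign). It assumes the SBOM is CycloneDX with base images marked by a property `konflux:container:is_base_image` under `formulation[].components[]`, a convention not stated on this page, and the digests it uses are constructed placeholders.

```python
import json

# Constructed CycloneDX SBOM in the shape this example assumes Konflux emits:
# base images sit under formulation[].components[] and carry the property
# konflux:container:is_base_image = "true" (assumption, not from this PR).
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "formulation": [{"components": [
    {"type": "container", "name": "docker.io/library/node:latest@sha256:%s",
     "properties": [{"name": "konflux:container:is_base_image", "value": "true"}]},
    {"type": "container", "name": "quay.io/example/builder:1.0",
     "properties": [{"name": "konflux:container:is_base_image", "value": "false"}]}
  ]}]
}""" % ("ab" * 32))

# Constructed value for the now-optional BASE_IMAGES_DIGESTS parameter, one ref per line.
SAMPLE_PARAM = ("docker.io/library/node:latest@sha256:" + "ab" * 32 + "\n"
                "registry.access.redhat.com/ubi9/nodejs-16:<none>@sha256:" + "cd" * 32)

def repository(ref):
    """Strip ':TAG' and '@sha256:DIGEST', leaving registry/namespace/name (the
    Red Hat Catalog lookup key). The tag is cut only from the last path component,
    so a registry port (localhost:5000/app) and the '<none>' tag are handled."""
    ref = ref.split("@", 1)[0]
    head, sep, last = ref.rpartition("/")
    return head + sep + last.split(":", 1)[0]

def base_images_from_sbom(sbom):
    """Image references of components flagged as base images."""
    refs = []
    for formula in sbom.get("formulation") or []:
        for comp in formula.get("components") or []:
            props = {p.get("name"): p.get("value") for p in comp.get("properties") or []}
            if props.get("konflux:container:is_base_image") == "true" and comp.get("name"):
                refs.append(comp["name"])
    return refs

def images_to_check(sbom, base_images_digests=""):
    """Union of SBOM base images and the optional parameter, reduced to unique
    repositories in first-seen order: the task's 'Images to be checked' list.
    NOTE: the task output warns the SBOM is fetched unverified; verify its
    attestation with cosign before trusting what it lists."""
    ordered = []
    for ref in base_images_from_sbom(sbom) + base_images_digests.split():
        repo = repository(ref)
        if repo not in ordered:
            ordered.append(repo)
    return ordered
```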

@MartinBasti MartinBasti force-pushed the deprecated-image-check-sbom branch 2 times, most recently from 4c6c7cc to bc19113, April 19, 2024 16:29
@MartinBasti
Contributor Author

/retest

@MartinBasti MartinBasti force-pushed the deprecated-image-check-sbom branch 2 times, most recently from b3a1cbd to ed40d5d, April 22, 2024 16:30
@MartinBasti
Contributor Author

/retest

Contributor

@jsztuka jsztuka left a comment


lgtm

@MartinBasti MartinBasti marked this pull request as draft April 25, 2024 08:38
@MartinBasti MartinBasti force-pushed the deprecated-image-check-sbom branch from ed40d5d to 4ed8228, April 25, 2024 17:06
@MartinBasti MartinBasti force-pushed the deprecated-image-check-sbom branch from f8e6859 to da81558, April 25, 2024 17:15
@MartinBasti MartinBasti marked this pull request as ready for review April 25, 2024 17:15
@MartinBasti
Contributor Author

Reverted to the original code using cosign; we couldn't access the workspace in parallel due to EBS storage.

Also removed the unused result, to reuse the version bump.

Contributor

@dirgim dirgim left a comment


LGTM

Contributor

@hongweiliu17 hongweiliu17 left a comment


Two minor comments. Everything else looks good to me.

@MartinBasti MartinBasti force-pushed the deprecated-image-check-sbom branch from 3980e4a to 8c671c3, April 29, 2024 07:14

Task `deprecated-image-check` will also fetch data about base images from
the SBOM.

This requires an incompatible change, because users must update the PLR
definition with the new parameters.

In future, konflux will stop providing BASE_IMAGES_DIGESTS via parameter,
thus this param is optional now (we cannot remove it yet).

Signed-off-by: Martin Basti <[email protected]>

The PYXIS_HTTP_CODE result has been unused for a long time.

Signed-off-by: Martin Basti <[email protected]>

@MartinBasti MartinBasti force-pushed the deprecated-image-check-sbom branch from 8c671c3 to 9636c0c, April 29, 2024 07:14
SonarCloud: Quality Gate passed. 0 new issues, 0 accepted issues, 0 security hotspots, no data about coverage, 0.0% duplication on new code.

@MartinBasti MartinBasti enabled auto-merge April 29, 2024 07:15
@MartinBasti MartinBasti added this pull request to the merge queue Apr 29, 2024
Merged via the queue into konflux-ci:main with commit 6b5e66e Apr 29, 2024
6 checks passed
@MartinBasti MartinBasti deleted the deprecated-image-check-sbom branch April 29, 2024 14:01