feat(ISV-5130): output directory path in place of file path

The upload-sbom-to-atlas task expects a directory of SBOMs.

Signed-off-by: Martin Jediny <[email protected]>

tasks/create-product-sbom/README.md

@@ -9,3 +9,5 @@ releaseNotes content.
 |------------------|--------------------------------------------------------------------------|----------|---------------|
 | dataJsonPath     | Path to the JSON string of the merged data containing the release notes  | No       | -             |
 
+## Changes in 1.0.0
+Output directory path instead of a file path.

tasks/create-product-sbom/create-product-sbom.yaml

@@ -4,7 +4,7 @@ kind: Task
 metadata:
   name: create-product-sbom
   labels:
-    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/version: "0.2.0"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
@@ -20,19 +20,35 @@ spec:
       description: Workspace to save the product-level SBOM to.
   results:
     - name: productSBOMPath
-      description: Relative path to the created product-level SBOM in the data workspace.
+      description: >-
+        Relative path to the directory containing the created product-level SBOM
+        in the data workspace.
   steps:
     - name: create-sbom
       image: quay.io/konflux-ci/release-service-utils:c7e14c3521e37e99f407e11d6f7f1b15f1b3ec01
       script: |
         #!/usr/bin/env bash
         set -eux
 
-        SBOM_FILE="product_sbom.json"
-        SBOM_PATH="$(dirname "$(params.dataJsonPath)")/${SBOM_FILE}"
-        OUTPUT_PATH=$(workspaces.data.path)/${SBOM_PATH}
-
+        tmp_sbom="$(mktemp)"
         create_product_sbom --data-path "$(workspaces.data.path)/$(params.dataJsonPath)" \
-          --output-path "$OUTPUT_PATH"
+          --output-path "$tmp_sbom"
+
+        product_name="$(jq -r '.packages[0].name' "$tmp_sbom")"
+        product_version="$(jq -r '.packages[0].versionInfo' "$tmp_sbom")"
+
+        # Replace whitespace with dashes
+        normalized_name="$(echo -n "${product_name}" | tr '[:space:]' '-')"
+
+        sbom_dir="product-sboms"
+        # the combination of name + version is later used as an ID in Atlas
+        sbom_path="${sbom_dir}/${normalized_name}-${product_version}.json"
+
+        # takes into account the subdirectory of the data.json if any
+        subdir_sbom_path="$(dirname "$(params.dataJsonPath)")/${sbom_path}"
+
+        output_path=$(workspaces.data.path)/${subdir_sbom_path}
+        mkdir -p "$(dirname "$output_path")"
+        cp "$tmp_sbom" "$output_path"
 
-        echo -n "$SBOM_PATH" > "$(results.productSBOMPath.path)"
+        echo -n "$(dirname "$subdir_sbom_path")" > "$(results.productSBOMPath.path)"

tasks/create-product-sbom/tests/test-create-product-sbom-basic.yaml

@@ -58,11 +58,11 @@ spec:
         - name: data
           workspace: tests-workspace
       params:
-        - name: sbom
+        - name: sbomDir
           value: $(tasks.run-task.results.productSBOMPath)
       taskSpec:
         params:
-          - name: sbom
+          - name: sbomDir
         workspaces:
           - name: data
         steps:
@@ -72,7 +72,7 @@ spec:
               #!/usr/bin/env sh
               set -eux
 
-              cp "$(workspaces.data.path)/$(params.sbom)" sbom.json
+              cp "$(workspaces.data.path)/$(params.sbomDir)/Red-Hat-Openstack-Product-123.json" sbom.json
 
               test "$(jq -r '.name' sbom.json)" == "Red Hat Openstack Product"
 

tasks/create-product-sbom/tests/test-create-product-sbom-multiple-purls.yaml

@@ -62,11 +62,11 @@ spec:
         - name: data
           workspace: tests-workspace
       params:
-        - name: sbom
+        - name: sbomDir
           value: $(tasks.run-task.results.productSBOMPath)
       taskSpec:
         params:
-          - name: sbom
+          - name: sbomDir
         workspaces:
           - name: data
         steps:
@@ -76,7 +76,7 @@ spec:
               #!/usr/bin/env sh
               set -eux
 
-              cp "$(workspaces.data.path)/$(params.sbom)" sbom.json
+              cp "$(workspaces.data.path)/$(params.sbomDir)/Red-Hat-Openstack-Product-123.json" sbom.json
 
               test "$(jq -r '.name' sbom.json)" == "Red Hat Openstack Product"