deprecated-image-check: support SPDX SBOMs
Support extracting the base/builder images from both CycloneDX SBOMs
and SPDX SBOMs.

In an SPDX SBOM, the base/builder images are identified via JSON-encoded
annotations. Example:

        {
            "SPDXID": "SPDXRef-image-...
            "name": "registry.access.redhat.com/ubi9/ubi-micro",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:oci/ubi-micro@sha256:...?repository_url=..."
                }
            ],
            "annotations": [
                {
                    "annotator": "Tool: konflux:jsonencoded",
                    "comment": "{\"name\":\"konflux:container:is_base_image\",\"value\":\"true\"}",
                    "annotationDate": "2025-01-13T12:15:31Z",
                    "annotationType": "OTHER"
                }
            ]
        }

Signed-off-by: Adam Cmiel <[email protected]>
chmeliik committed Jan 21, 2025
1 parent 20fecff commit c2003d9
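The same base/builder-image extraction the task's jq filter performs, written out as an added Python example (not part of this commit or of the task itself) so the two SBOM shapes can be compared side by side; both SBOMs below are constructed samples and the function name `base_images` is an assumption.

```python
import json
import re

# Same marker the task matches on: a property/annotation named
# konflux:container:is_base_image or konflux:container:is_builder_image.
MARKER = re.compile(r"^konflux:container:is_(base|builder)_image")


def base_images(sbom: dict) -> list[str]:
    """Return component/package names flagged as base or builder images.

    CycloneDX: formulation[].components[].properties[].name
    SPDX:      packages[].annotations[].comment, where the comment is a
               JSON-encoded {"name": ..., "value": ...} object.
    Comments that are not JSON objects are skipped, mirroring jq's fromjson?.
    """
    names = []
    if sbom.get("bomFormat") == "CycloneDX":
        for formula in sbom.get("formulation") or []:
            for comp in formula.get("components") or []:
                props = comp.get("properties") or []
                if any(MARKER.search(p.get("name", "")) for p in props):
                    names.append(comp["name"])
    else:
        for pkg in sbom.get("packages") or []:
            for ann in pkg.get("annotations") or []:
                try:
                    decoded = json.loads(ann.get("comment", ""))
                except (ValueError, TypeError):
                    continue  # free-text comment, not a konflux annotation
                if isinstance(decoded, dict) and MARKER.search(str(decoded.get("name", ""))):
                    names.append(pkg["name"])
                    break  # one matching annotation per package is enough
    return names


# Constructed sample inputs, not real pipeline output.
CYCLONEDX_SBOM = {
    "bomFormat": "CycloneDX",
    "formulation": [{"components": [
        {"name": "registry.example/builder:latest",
         "properties": [{"name": "konflux:container:is_builder_image", "value": "true"}]},
        {"name": "registry.example/unrelated:1", "properties": []},
    ]}],
}
SPDX_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "registry.access.redhat.com/ubi9/ubi-micro",
         "annotations": [{"annotator": "Tool: konflux:jsonencoded",
                          "comment": json.dumps({"name": "konflux:container:is_base_image", "value": "true"})}]},
        {"name": "app-package", "annotations": [{"annotator": "Person: x", "comment": "free text"}]},
    ],
}
```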
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion task/deprecated-image-check/0.4/deprecated-image-check.yaml
Expand Up @@ -91,7 +91,18 @@ spec:
continue
fi
cat ${SBOM_FILE_PATH} | jq -r '.formulation? // empty | .[] | .components? // empty | .[] | select(any((.properties // empty)[]; .name | test("^konflux:container:is_(base|builder)_image"))) | .name' >> ${IMAGES_TO_BE_PROCESSED_PATH}
< "${SBOM_FILE_PATH}" jq -r '
if .bomFormat == "CycloneDX" then
.formulation[]?
| .components[]?
| select(any(.properties[]?; .name | test("^konflux:container:is_(base|builder)_image")))
| .name
else
.packages[]
| select(any(.annotations[]?.comment; (fromjson?).name? | test("^konflux:container:is_(base|builder)_image")?))
| .name
end
' >> "${IMAGES_TO_BE_PROCESSED_PATH}"
echo "Detected base images from $arch SBOM:"
cat "${IMAGES_TO_BE_PROCESSED_PATH}"
echo ""
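Review bot: the SPDX branch uses `.packages[]` without the `?` that the CycloneDX branch applies to `.formulation[]?` and `.components[]?`, so an SBOM that is neither CycloneDX nor has a `packages` array (an unexpected or empty document) makes jq fail with "Cannot iterate over null" instead of yielding nothing; `.packages[]?` keeps the two branches consistent. The `else` also treats every non-CycloneDX document as SPDX; guarding on `.spdxVersion` (or a final `else empty`) would make that explicit. Finally, both branches match only on the annotation/property name, so an entry with `"value":"false"` is still reported as a base/builder image; if that is not intended, add a check on `.value == "true"` alongside the name test.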
