
source-build, deprecated-image-check: support reading base images from SPDX SBOMs #1824

Merged: 2 commits into konflux-ci:main from base-images-from-spdx, Jan 21, 2025

Conversation

chmeliik (Contributor)

Support extracting the base/builder images from both CycloneDX SBOMs
and SPDX SBOMs.

Tested in redhat-appstudio/rh-syft#105

source-build:

Found SBOM of media type: text/spdx+json
Looking for base image in SBOM (a package with a {"name": "konflux:container:is_base_image"} JSON-encoded annotation)
registry.access.redhat.com/ubi9/ubi-micro@sha256:7f376b75faf8ea546f28f8529c37d24adcde33dca4103f4897ae19a43d58192b

deprecated-image-check:

Found SBOM of media type: text/spdx+json
Detected base images from amd64 SBOM:
brew.registry.redhat.io/rh-osbs/openshift-golang-builder
registry.access.redhat.com/ubi9/ubi-micro

Images to be checked:
brew.registry.redhat.io/rh-osbs/openshift-golang-builder
registry.access.redhat.com/ubi9/ubi-micro

@chmeliik chmeliik requested review from a team as code owners January 15, 2025 09:11
Support extracting the base image from both CycloneDX SBOMs and SPDX
SBOMs.

In an SPDX SBOM, the base/builder images are identified via JSON-encoded
annotations. Example:

        {
            "SPDXID": "SPDXRef-image-...
            "name": "registry.access.redhat.com/ubi9/ubi-micro",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:oci/ubi-micro@sha256:...?repository_url=..."
                }
            ],
            "annotations": [
                {
                    "annotator": "Tool: konflux:jsonencoded",
                    "comment": "{\"name\":\"konflux:container:is_base_image\",\"value\":\"true\"}",
                    "annotationDate": "2025-01-13T12:15:31Z",
                    "annotationType": "OTHER"
                }
            ]
        }

Signed-off-by: Adam Cmiel <[email protected]>
Support extracting the base/builder images from both CycloneDX SBOMs
and SPDX SBOMs.

In an SPDX SBOM, the base/builder images are identified via JSON-encoded
annotations. Example:

        {
            "SPDXID": "SPDXRef-image-...
            "name": "registry.access.redhat.com/ubi9/ubi-micro",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:oci/ubi-micro@sha256:...?repository_url=..."
                }
            ],
            "annotations": [
                {
                    "annotator": "Tool: konflux:jsonencoded",
                    "comment": "{\"name\":\"konflux:container:is_base_image\",\"value\":\"true\"}",
                    "annotationDate": "2025-01-13T12:15:31Z",
                    "annotationType": "OTHER"
                }
            ]
        }

Signed-off-by: Adam Cmiel <[email protected]>
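The commit message above shows the on-disk shape of a flagged package but not how a consumer walks an SPDX document to find such packages. The following is an added example written for this page, not code from konflux-ci or from the source-build / deprecated-image-check tasks. It takes the two strings shown in the commit message (the annotator `Tool: konflux:jsonencoded` and the annotation name `konflux:container:is_base_image`), decodes each JSON-encoded annotation, and for every package flagged `"true"` rebuilds a digest-pinned reference from the `pkg:oci` purl's `repository_url` qualifier and version, which is what the source-build log in the description prints, alongside the bare repository name that deprecated-image-check prints. The SPDX document, package names and digest are constructed for the example; a malformed annotation comment and an explicitly `"false"` flag are included to show that they are skipped rather than reported or allowed to abort the scan.

```python
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote

# Strings taken from the SPDX example in the commit message above.
KONFLUX_ANNOTATOR = "Tool: konflux:jsonencoded"
BASE_IMAGE_ANNOTATION = "konflux:container:is_base_image"

# Constructed SPDX document for this example (not a real Konflux SBOM); the digest is a dummy.
FAKE_DIGEST = "sha256:" + "a" * 64
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {   # the built image itself: no konflux annotation, must not be reported
            "SPDXID": "SPDXRef-image-app",
            "name": "quay.io/example/app",
            "downloadLocation": "NOASSERTION",
        },
        {   # the base image, flagged exactly as in the commit message
            "SPDXID": "SPDXRef-image-base",
            "name": "registry.access.redhat.com/ubi9/ubi-micro",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:oci/ubi-micro@" + FAKE_DIGEST
                + "?repository_url=registry.access.redhat.com/ubi9/ubi-micro",
            }],
            "annotations": [{
                "annotator": KONFLUX_ANNOTATOR,
                "comment": json.dumps({"name": BASE_IMAGE_ANNOTATION, "value": "true"}),
                "annotationDate": "2025-01-13T12:15:31Z",
                "annotationType": "OTHER",
            }],
        },
        {   # malformed annotation comment: skipped, must not abort the whole scan
            "SPDXID": "SPDXRef-image-broken",
            "name": "example.invalid/broken",
            "downloadLocation": "NOASSERTION",
            "annotations": [{
                "annotator": KONFLUX_ANNOTATOR,
                "comment": "{not json",
                "annotationType": "OTHER",
            }],
        },
    ],
}


def konflux_annotations(package: dict) -> Dict[str, Optional[str]]:
    """Decode a package's JSON-encoded konflux annotations into {name: value}."""
    decoded: Dict[str, Optional[str]] = {}
    for ann in package.get("annotations", []):
        if ann.get("annotator") != KONFLUX_ANNOTATOR:
            continue  # free-text annotations from other tools are not JSON
        try:
            payload = json.loads(ann.get("comment", ""))
        except json.JSONDecodeError:
            continue  # tolerate one bad annotation instead of failing the SBOM
        if isinstance(payload, dict) and isinstance(payload.get("name"), str):
            decoded[payload["name"]] = payload.get("value")
    return decoded


def oci_purl_reference(purl: str) -> Optional[str]:
    """Rebuild '<repository>@<digest>' from 'pkg:oci/<name>@<digest>?repository_url=<repo>'."""
    if not purl.startswith("pkg:oci/"):
        return None
    path, _, query = purl.partition("?")
    name, _, version = path[len("pkg:oci/"):].partition("@")
    repo = parse_qs(query).get("repository_url", [""])[0] or unquote(name)
    digest = unquote(version)  # strict purls percent-encode the ':' in 'sha256:'
    return f"{repo}@{digest}" if digest else repo


def find_base_images(sbom: dict) -> List[Dict[str, Optional[str]]]:
    """Return every package whose konflux annotation says is_base_image == "true"."""
    found = []
    for pkg in sbom.get("packages", []):
        if konflux_annotations(pkg).get(BASE_IMAGE_ANNOTATION) != "true":
            continue
        pinned = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                pinned = oci_purl_reference(ref.get("referenceLocator", ""))
                if pinned:
                    break
        found.append({
            "spdx_id": pkg.get("SPDXID"),
            "repository": pkg.get("name"),        # the form deprecated-image-check prints
            "pinned": pinned or pkg.get("name"),  # the digest-pinned form source-build prints
        })
    return found


if __name__ == "__main__":
    for image in find_base_images(SAMPLE_SPDX):
        print(f"{image['repository']}  ->  {image['pinned']}")
```

Two points worth keeping in mind when consuming these annotations. First, the `is_base_image` flag is an assertion made by whatever produced the SBOM; a document that drops or mislabels the annotation simply makes the image invisible to deprecated-image-check, so the SBOM should come from the build you trust (here, the one attached to the image) and not from an unverified upload. Second, prefer the digest from the purl over the bare package name: the name tells you which repository to check for deprecation, but only the digest tells you which image was actually built on.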
@chmeliik chmeliik force-pushed the base-images-from-spdx branch from d8ba4df to 2a4ed4f Compare January 15, 2025 09:16
chmeliik (Contributor Author)

Added example of SPDX base image format to commit messages

chmeliik (Contributor Author)

/retest

(2 similar /retest comments followed)

dirgim (Contributor) left a comment:

LGTM

jsztuka (Contributor) left a comment:

lgtm

@chmeliik chmeliik added this pull request to the merge queue Jan 21, 2025
Merged via the queue into konflux-ci:main with commit c2003d9 Jan 21, 2025
15 checks passed
@chmeliik chmeliik deleted the base-images-from-spdx branch January 21, 2025 14:34