source-build, deprecated-image-check: support reading base images from SPDX SBOMs #1824

Merged
merged 2 commits into from
Jan 21, 2025
Merged
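--- a/task/deprecated-image-check/0.4/deprecated-image-check.yaml
+++ b/task/deprecated-image-check/0.4/deprecated-image-check.yaml
@@ -91,7 +91,18 @@ spec:
 continue
 fi
 
-cat ${SBOM_FILE_PATH} | jq -r '.formulation? // empty | .[] | .components? // empty | .[] | select(any((.properties // empty)[]; .name | test("^konflux:container:is_(base|builder)_image"))) | .name' >> ${IMAGES_TO_BE_PROCESSED_PATH}
+< "${SBOM_FILE_PATH}" jq -r '
+if .bomFormat == "CycloneDX" then
+.formulation[]?
+| .components[]?
+| select(any(.properties[]?; .name | test("^konflux:container:is_(base|builder)_image")))
+| .name
+else
+.packages[]
+| select(any(.annotations[]?.comment; (fromjson?).name? | test("^konflux:container:is_(base|builder)_image")?))
+| .name
+end
+' >> "${IMAGES_TO_BE_PROCESSED_PATH}"
 echo "Detected base images from $arch SBOM:"
 cat "${IMAGES_TO_BE_PROCESSED_PATH}"
 echo ""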
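Review bot: The `else` branch takes any document whose `bomFormat` is not `CycloneDX` to be SPDX, and unlike the CycloneDX branch it iterates `.packages[]` without `?`, so an SBOM of a third shape (or a CycloneDX document that merely lacks `bomFormat`) either aborts jq with "Cannot iterate over null" or, if it simply has no such annotation, contributes no image names to `${IMAGES_TO_BE_PROCESSED_PATH}` and the deprecation check runs over an empty list; whether the task treats that as a pass is decided outside this hunk. I would detect SPDX explicitly and fail loudly on anything else: `elif .spdxVersion != null then` … `.packages[]?` … `else error("unsupported SBOM format") end`, which keeps the SPDX query symmetric with the `[]?`-guarded CycloneDX one while making a mislabelled SBOM a visible failure rather than a vacuous pass. The `>>` redirection does propagate jq's exit status, so an `error(...)` here is reliably surfaced if the script runs with `set -e` (not visible in the hunk). The enclosing per-arch loop starts before this hunk (the `continue` on its first line) and ends after it.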
28 changes: 20 additions & 8 deletions task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
Expand Up @@ -103,16 +103,28 @@ spec:
fi

echo -n "Looking for base image in SBOM"
echo " (.formulation[].components[] with 'konflux:container:is_base_image' property)"

# Note: the SBOM should contain at most one image with the is_base_image property - the
# base image for the last FROM instruction. That is the only base image we care about.
jq -r '
.formulation[]?
| .components[]?
| select(any(.properties[]?; .name == "konflux:container:is_base_image"))
| (.purl | capture("^pkg:oci/.*?@(?<digest>.*?:[a-f0-9]*)")) as $matched
| .name + "@" + $matched.digest
' <<<"$sbom" | tee "$BASE_IMAGES_FILE"
if jq -e '.bomFormat == "CycloneDX"' <<<"$sbom" >/dev/null; then
echo " (.formulation[].components[] with 'konflux:container:is_base_image' property)"
jq -r '
.formulation[]?
| .components[]?
| select(any(.properties[]?; .name == "konflux:container:is_base_image"))
| (.purl | capture("^pkg:oci/.*?@(?<digest>.*?:[a-f0-9]*)")) as $matched
| .name + "@" + $matched.digest
' <<<"$sbom" | tee "$BASE_IMAGES_FILE"
else
echo ' (a package with a {"name": "konflux:container:is_base_image"} JSON-encoded annotation)'
jq -r '
.packages[]
| select(any(.annotations[]?.comment; (fromjson?).name? == "konflux:container:is_base_image"))
| [.externalRefs[]? | select(.referenceType == "purl").referenceLocator] as $purls
| ($purls | first | capture("^pkg:oci/.*?@(?<digest>.*?:[a-f0-9]*)")) as $matched
| .name + "@" + $matched.digest
' <<<"$sbom" | tee "$BASE_IMAGES_FILE"
fi
- name: build
image: quay.io/konflux-ci/source-container-build:latest@sha256:4002c18472e33b5f3d2b92e7897b0b31e4181dd5f8b8a3c4097937035e899ba3
workingDir: /var/workdir
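Review bot: In the new SPDX branch `$purls | first` is `null` for a package that carries the annotation but no purl externalRef, so the `capture` on the following line raises a jq error, and when the first purl is not a `pkg:oci/` reference `capture` matches nothing and the base image is silently left out of `$BASE_IMAGES_FILE`; because jq's exit status sits behind `| tee`, both cases look like "no base image found" unless `pipefail` is enabled somewhere outside this hunk. Select the OCI purl instead of positionally trusting the first one: `| ($purls[] | select(startswith("pkg:oci/")) | capture("^pkg:oci/.*?@(?<digest>.*?:[a-f0-9]*)")) as $matched`. The `:`-based digest regex is carried over from the CycloneDX branch; if an SPDX generator percent-encodes the digest separator (`sha256%3A…`) it will also match nothing, which is worth a fixture in the task tests. The build step that consumes `$BASE_IMAGES_FILE` is outside this hunk, so I am inferring that an empty file means the base image sources are simply not gathered rather than the task failing.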
28 changes: 20 additions & 8 deletions task/source-build/0.1/source-build.yaml
Expand Up @@ -90,16 +90,28 @@ spec:
fi

echo -n "Looking for base image in SBOM"
echo " (.formulation[].components[] with 'konflux:container:is_base_image' property)"

# Note: the SBOM should contain at most one image with the is_base_image property - the
# base image for the last FROM instruction. That is the only base image we care about.
jq -r '
.formulation[]?
| .components[]?
| select(any(.properties[]?; .name == "konflux:container:is_base_image"))
| (.purl | capture("^pkg:oci/.*?@(?<digest>.*?:[a-f0-9]*)")) as $matched
| .name + "@" + $matched.digest
' <<< "$sbom" | tee "$BASE_IMAGES_FILE"
if jq -e '.bomFormat == "CycloneDX"' <<< "$sbom" >/dev/null; then
echo " (.formulation[].components[] with 'konflux:container:is_base_image' property)"
jq -r '
.formulation[]?
| .components[]?
| select(any(.properties[]?; .name == "konflux:container:is_base_image"))
| (.purl | capture("^pkg:oci/.*?@(?<digest>.*?:[a-f0-9]*)")) as $matched
| .name + "@" + $matched.digest
' <<< "$sbom" | tee "$BASE_IMAGES_FILE"
else
echo ' (a package with a {"name": "konflux:container:is_base_image"} JSON-encoded annotation)'
jq -r '
.packages[]
| select(any(.annotations[]?.comment; (fromjson?).name? == "konflux:container:is_base_image"))
| [.externalRefs[]? | select(.referenceType == "purl").referenceLocator] as $purls
| ($purls | first | capture("^pkg:oci/.*?@(?<digest>.*?:[a-f0-9]*)")) as $matched
| .name + "@" + $matched.digest
' <<< "$sbom" | tee "$BASE_IMAGES_FILE"
fi

- name: build
image: quay.io/konflux-ci/source-container-build:latest@sha256:4002c18472e33b5f3d2b92e7897b0b31e4181dd5f8b8a3c4097937035e899ba3
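Review bot: The format check on the `if` line only recognises CycloneDX and falls through to the SPDX query for everything else, where `.packages[]` (no `?`, unlike the `[]?` used in the CycloneDX branch) errors out on a document without a `packages` array, and that jq failure is masked by `| tee` unless `pipefail` is set outside this hunk. I would make the SPDX case explicit and reject anything else so a mislabelled or malformed SBOM cannot silently yield an empty `$BASE_IMAGES_FILE`: `elif jq -e '.spdxVersion' <<< "$sbom" >/dev/null; then` … `else echo "unsupported SBOM format" >&2; exit 1; fi`. The comment above the hunk says the SBOM should contain at most one `is_base_image` package, but neither branch checks that the output has at most one line; a `[[ $(wc -l < "$BASE_IMAGES_FILE") -le 1 ]]` guard after the `fi` would make that assumption enforceable. This logic is duplicated verbatim in `source-build-oci-ta/0.1`, so any fix should land in both copies.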