From cff492d7c2e4adb6ca209ce638bee44e3ab0fbeb Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Thu, 19 Dec 2024 16:43:32 -0500
Subject: [PATCH] feat: introduce content manifest with content sets

For backwards compatibility with image scanners that still expect https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json
---
 task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 43 ++++++++++++++++++--
 task/buildah/0.2/buildah.yaml | 44 +++++++++++++++++++--
 2 files changed, 79 insertions(+), 8 deletions(-)

diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 47505c94fb..fe11953d7a 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -518,16 +518,51 @@ spec: unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE") - buildah mount $container | tee /shared/container_path - # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners - find $(cat /shared/container_path) -xtype l -delete - echo $container >/shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then + echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json + + # Inject a content sets file for backwards compatibility + # This is only possible for images built hermetically with prefetch + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") + cat >content-sets.json <content-sets.json.tmp + mv content-sets.json.tmp content-sets.json + done <<<"$(jq -r '.components[].purl' | grep -o -P '(?<=repository_id=).*(?=(&|$))' sbom-cachi2.json | sort -u)" + + echo "Writing to /root/buildinfo/content_manifests/content-sets.json" + buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ + buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" + + BUILDAH_ARGS=() + if [ "${SQUASH}" == "true" ]; then + BUILDAH_ARGS+=("--squash") + fi + + buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" + # End content sets backwards compatibility fi + buildah mount $container | tee /shared/container_path + # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners + find $(cat /shared/container_path) -xtype l 
-delete + echo $container >/shared/container_name + touch /shared/base_images_digests for image in $BASE_IMAGES; do base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image") diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 35af0fde84..8410d8c3d4 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml 
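Review bot: The command substitution feeding `done <<<"$(...)"` hands `sbom-cachi2.json` to grep rather than to jq, so `jq -r '.components[].purl'` reads the step's stdin and the repository ids are scraped from the raw JSON text instead of from the purl values; on top of that the greedy `.*(?=(&|$))` runs to the end of the line, so any qualifier that follows `repository_id=` (or, with the file on grep, the closing quote and comma of a pretty-printed `"purl"` entry) ends up inside the content-set name that is written into the image. Suggested form: `done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=)[^&]*' | sort -u)"`. The here-document that writes `content-sets.json` and the loop body between `cat >content-sets.json` and `done` appear to have been lost in this rendering and could not be reviewed, so it is worth double-checking that the value is passed to jq via `--arg` rather than interpolated into the filter. The enclosing step script starts before and continues after the hunk.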
@@ -450,16 +450,52 @@ spec: unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE") - buildah mount $container | tee /shared/container_path - # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners - find $(cat /shared/container_path) -xtype l -delete - echo $container > /shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then + echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json + + # Inject a content sets file for backwards compatibility + # This is only possible for images built hermetically with prefetch + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") + cat >content-sets.json < content-sets.json.tmp + mv content-sets.json.tmp content-sets.json + done <<< "$(jq -r '.components[].purl' | grep -o -P '(?<=repository_id=).*(?=(&|$))' sbom-cachi2.json | sort -u)" + + echo "Writing to /root/buildinfo/content_manifests/content-sets.json" + buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ + buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" + + BUILDAH_ARGS=() + if [ "${SQUASH}" == "true" ]; then + BUILDAH_ARGS+=("--squash") + fi + + buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" + # End content sets backwards compatibility fi + buildah mount $container | tee /shared/container_path + # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners + find $(cat /shared/container_path) -xtype l 
-delete + echo $container > /shared/container_name + touch /shared/base_images_digests for image in $BASE_IMAGES; do base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
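Review bot: This task has the same pipeline defect as the buildah-oci-ta variant: in the `done <<< "$(...)"` line the SBOM path is given to grep instead of jq, so `jq -r '.components[].purl'` reads the step's stdin while grep scans the raw JSON file, and the greedy `.*(?=(&|$))` extends each match to the end of the line rather than stopping at the next `&`. The fix is the same one-liner, `done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=)[^&]*' | sort -u)"`. As a smaller style point, `base_image_digest` is assigned here from the image annotation and then reused as the assignment target in `for image in $BASE_IMAGES; do base_image_digest=$(buildah images ...)` a few lines later; the loop overwrites it on every iteration so behaviour is unaffected, but a distinct name such as `cm_base_image_digest` would keep the two meanings apart. When the built image carries no base-image annotations, the `buildah inspect` templates presumably yield empty strings and `buildah config -a` then records both annotations with empty values, which may be worth guarding with a `[ -n ... ]` check — confirm against what the preceding build step writes. The enclosing step script starts and ends outside the hunk.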