buildah/0.3: support generating SPDX SBOMs #1825
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chmeliik
force-pushed
the
buildah-spdx
branch
from
c154b5d to
93ebbeb
Compare
Merge all the syft SBOMs with the cachi2 SBOM (if present) using the merge_sboms.py script, which supports this since konflux-ci/build-tasks-dockerfiles#208 Also change the shebang to #/bin/bash with the usual 'set' options to avoid ShellCheck warnings about arrays being undefined in Posix sh. Signed-off-by: Adam Cmiel <[email protected]>
Add an SBOM_TYPE parameter, defaulting to 'cyclonedx' for now. This parameter determines the format of the Syft-generated SBOMs. These must match the format of the SBOM coming from the prefetch task (if any), otherwise the SBOM merging will fail. Only the 0.3 version gets this parameter. The 0.2 version still has the Java SBOM code, whose SPDX support status is unknown. Signed-off-by: Adam Cmiel <[email protected]>
For SPDX, the add_image_reference script has to run before the base_images script. The reason: for each base image, the base_images script also adds a `<base image> BUILD_TOOL_OF <output image>` relationship to the SBOM. The script identifies the output image by searching for `<document root> DESCRIBES <package>` relationships and checks that there is exactly one such relationship. Before the add_image_reference script runs, there can be multiple DESCRIBES relationships. Signed-off-by: Adam Cmiel <[email protected]>
Signed-off-by: Adam Cmiel <[email protected]>
chmeliik
force-pushed
the
buildah-spdx
branch
from
93ebbeb to
5664838
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit messages for more details
Depends on #1798 and a subsequent Renovate update (the current revision of the sbom-utility-scripts image doesn't include the SPDX support yet)
Tested in redhat-appstudio/rh-syft#105 (using a test build of the sbom-utility-scripts image)