Merge pull request #181 from Allda/ISV-5411
Add a script for sbom enrichment
chmeliik authored Nov 21, 2024
2 parents 4770c7c + d4b3f63 commit 377a181
Showing 8 changed files with 862 additions and 6 deletions.
15 changes: 10 additions & 5 deletions .github/workflows/build-sbom-utility-scripts-image.yml
Expand Up @@ -7,7 +7,7 @@ on:
paths:
- .github/workflows/build-sbom-utility-scripts-image.yml
- sbom-utility-scripts/**

pull_request:
branches:
- main
Expand All @@ -19,15 +19,15 @@ on:
env:
REGISTRY: quay.io/redhat-appstudio
IMAGE_NAME: sbom-utility-scripts-image

jobs:
build:
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v5
with:
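Review bot: `actions/checkout@v4` and `actions/setup-python@v5` are referenced by mutable major-version tags in a workflow that later pushes a built image to `quay.io/redhat-appstudio` with registry credentials; pin both to full commit SHAs (with the tag in a trailing comment) so a moved tag cannot change what runs in this build job.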
Expand All @@ -38,7 +38,7 @@ jobs:
python3 -m pip install tox
cd ./sbom-utility-scripts/scripts/base-images-sbom-script/app/
tox
- name: Run tox checks for merge-cachi2-sboms-script
run: |
python3 -m pip install tox
Expand All @@ -51,6 +51,12 @@ jobs:
cd ./sbom-utility-scripts/scripts/index-image-sbom-script/
tox
- name: Run tox checks for index-image-sbom-script
run: |
python3 -m pip install tox
cd ./sbom-utility-scripts/scripts/add-image-reference-script/
tox
- name: Build Image
id: build-image
uses: redhat-actions/buildah-build@v2
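Review bot: the new step added in this hunk is named `Run tox checks for index-image-sbom-script` but it changes into `./sbom-utility-scripts/scripts/add-image-reference-script/`, so the workflow now shows two steps with the same name and the log will not say which script failed; rename it to `Run tox checks for add-image-reference-script`. Minor: every tox step repeats `python3 -m pip install tox`; one install step before the per-script steps would do.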
Expand All @@ -72,4 +78,3 @@ jobs:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}

8 changes: 7 additions & 1 deletion sbom-utility-scripts/Dockerfile
Expand Up @@ -10,4 +10,10 @@ COPY scripts/base-images-sbom-script/app/requirements.txt /scripts/base-images-s
COPY scripts/index-image-sbom-script/requirements.txt /scripts/index-image-sbom-script-requirements.txt
COPY scripts/index-image-sbom-script/index_image_sbom_script.py /scripts

RUN pip3 install -r base-images-sbom-script-requirements.txt -r index-image-sbom-script-requirements.txt
COPY scripts/add-image-reference-script/add_image_reference.py /scripts
COPY scripts/add-image-reference-script/requirements.txt /scripts/add-image-reference-requirements.txt

RUN pip3 install --no-cache-dir \
-r base-images-sbom-script-requirements.txt \
-r index-image-sbom-script-requirements.txt \
-r add-image-reference-requirements.txt
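Review bot: `COPY scripts/add-image-reference-script/add_image_reference.py /scripts` is placed before the `RUN pip3 install` layer, so any edit to the script invalidates the dependency-install cache; copy the three requirements files first, run `pip3 install`, and copy the scripts afterwards. Also, the `RUN` step resolves the `-r` paths relative to a working directory that is not visible in this hunk (the files are copied to `/scripts/...`), so the build depends on an earlier `WORKDIR /scripts`; using absolute paths here would make the step self-explanatory. If the requirements files carry pinned hashes, add `--require-hashes` to this single install invocation.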
144 changes: 144 additions & 0 deletions sbom-utility-scripts/scripts/add-image-reference-script/README.md
@@ -0,0 +1,144 @@
# Add image reference script

The script aims to enrich the SBOM file with additional information about the output image used in the build process.
Based on a input SBOM type, the script updates certain fields with the image reference information. This is needed
to provide a complete SBOM file that can be used for further analysis.

## Usage

```bash
python add_image_reference.py \
--input-file ./input-sbom.json \
--output-file ./updated-sbom.json \
--image-url quay.io/foo/bar/ubi8:1.1 \
--image-digest sha256:011ff0cd8f34588d3eca86da97619f7baf99c8cc12e24cc3a7f337873c8d36cc
```
The script stores the updated SBOM in the output path provided.

## List of updates
### SPDX
The script updates the following fields in the SPDX SBOM:SHA256
- `packages` - the script adds a new package with the image reference information
- `relationships` - the script adds a new relationship between the package and the image reference
- `name` - the script adds the image reference as a name

The logic of adding new packages and updating replationships is visualized in the following diagram:
```
example SPDX SBOM:
ROOT
/ \
/ \
DESCRIBES DESCRIBES
/ \
/ \
<pip main package> <npm main package>
| |
| |
CONTAINS CONTAINS
| |
| |
<pip deps> <npm deps>
SBOM after enrichment:
ROOT
|
|
DESCRIBES
|
|
<container>
/ \
/ \
CONTAINS CONTAINS
/ \
/ \
<pip main package> <npm main package>
| |
| |
CONTAINS CONTAINS
| |
| |
<pip deps> <npm deps>
```

#### Example
```json
{
"name": "quay.io/foo/bar/ubi8@sha256:011ff0cd8f34588d3eca86da97619f7baf99c8cc12e24cc3a7f337873c8d36cc",
"packages": [
{
"SPDXID": "SPDXRef-image",
"name": "ubi8",
"versionInfo": "1.1",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NOASSERTION",
"supplier": "NOASSERTION",
"externalRefs": [
{
"referenceLocator": "pkg:oci/ubi8@sha256:011ff0cd8f34588d3eca86da97619f7baf99c8cc12e24cc3a7f337873c8d36cc?repository_url=quay.io/foo/bar/ubi8",
"referenceType": "purl",
"referenceCategory": "PACKAGE-MANAGER"
}
],
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "011ff0cd8f34588d3eca86da97619f7baf99c8cc12e24cc3a7f337873c8d36cc"
}
]
},
],
"relationships": [
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relationshipType": "DESCRIBES",
"relatedSpdxElement": "SPDXRef-image"
},
]
}

```

### CycloneDX
- `components` - the script adds a new component with the image reference information
- `metadata.component` - the script adds the image reference as a metadata.component

#### Example
```json
{
"metadata": {
"component": {
"type": "container",
"name": "ubi8",
"purl": "pkg:oci/ubi8@sha256:011ff0cd8f34588d3eca86da97619f7baf99c8cc12e24cc3a7f337873c8d36cc?repository_url=quay.io/foo/bar/ubi8",
"version": "1.1",
"publisher": "Red Hat, Inc.",
"hashes": [
{
"alg": "SHA-256",
"content": "011ff0cd8f34588d3eca86da97619f7baf99c8cc12e24cc3a7f337873c8d36cc"
}
]
},
},
"components": [
{
"type": "container",
"name": "ubi8",
"purl": "pkg:oci/ubi8@sha256:011ff0cd8f34588d3eca86da97619f7baf99c8cc12e24cc3a7f337873c8d36cc?repository_url=quay.io/foo/bar/ubi8",
"version": "1.1",
"publisher": "Red Hat, Inc.",
"hashes": [
{
"alg": "SHA-256",
"content": "011ff0cd8f34588d3eca86da97619f7baf99c8cc12e24cc3a7f337873c8d36cc"
}
]
},
]
}
```
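Review bot: both JSON examples in this README are not valid JSON as written: the SPDX `packages` and `relationships` arrays and the CycloneDX `metadata` object and `components` array end with a trailing comma (`},` directly before `]` or `}`), so a reader who pastes them into a validator gets a parse error; drop the trailing commas. The SPDX intro line reads `The script updates the following fields in the SPDX SBOM:SHA256`, where `SHA256` looks like a stray paste, and `replationships` and `Based on a input SBOM type` need fixing. Also, the CycloneDX example sets `"publisher": "Red Hat, Inc."` although the usage section only shows `--input-file`, `--output-file`, `--image-url` and `--image-digest`; document where the publisher value comes from (hard-coded or another option) so users know whether it is correct for their builds.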