feat(ISV-5128): add new Tekton task to update component sboms

Signed-off-by: Wai Cheang <[email protected]>
konflux-ci · Nov 5, 2024 · 642b662 · 642b662
1 parent 9f6cd13
commit 642b662
Show file tree

Hide file tree

Showing 7 changed files with 126 additions and 14 deletions.
diff --git a/tasks/push-rpm-data-to-pyxis/README.md b/tasks/push-rpm-data-to-pyxis/README.md
@@ -13,6 +13,10 @@ all repository_id strings found in rpm purl strings in the sboms.
 | server          | The server type to use. Options are 'production','production-internal,'stage-internal' and 'stage'. | Yes      | production    |
 | concurrentLimit | The maximum number of images to be processed at once                                                | Yes      | 4             |
 
+## Changes in 1.0.4
+* Change SBOM download location to a subdir of the data workspace, so that other tasks can access the
+  downloaded SBOMs.
+
 ## Changes in 1.0.3
 * Updated the step image used in this task
   * Added handling for sbom entries that do not explicitly specify the publisher.

diff --git a/tasks/push-rpm-data-to-pyxis/push-rpm-data-to-pyxis.yaml b/tasks/push-rpm-data-to-pyxis/push-rpm-data-to-pyxis.yaml
@@ -4,7 +4,7 @@ kind: Task
 metadata:
   name: push-rpm-data-to-pyxis
   labels:
-    app.kubernetes.io/version: "1.0.3"
+    app.kubernetes.io/version: "1.0.4"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
@@ -29,19 +29,19 @@ spec:
       type: string
       description: The maximum number of images to be processed at once
       default: 4
+    - name: downloadedSbomPath
+      description: | 
+        Path to download SBOM files onto. The name is differentiated from created or augmented sboms.
+      type: string
+      default: downloaded-sboms
   workspaces:
     - name: data
-      description: The workspace where the pyxis data json file resides
-  volumes:
-    - name: workdir
-      emptyDir: {}
+      description: |
+        The workspace where the pyxis data json file resides and where sboms will be downloaded to.
   steps:
     - name: download-sbom-files
       image:
         quay.io/konflux-ci/release-service-utils:e39e8d32c8263474c63fc1e922d7954d37e32374
-      volumeMounts:
-        - mountPath: /workdir
-          name: workdir
       script: |
         #!/usr/bin/env bash
         set -eux
@@ -54,8 +54,8 @@ spec:
 
         NUM_COMPONENTS=$(jq '.components | length' "${PYXIS_FILE}")
 
-        mkdir /workdir/sboms
-        cd /workdir/sboms
+        mkdir "$(workspaces.data.path)/$(params.downloadedSbomPath)"
+        cd "$(workspaces.data.path)/$(params.downloadedSbomPath)"
         DOCKER_CONFIG="$(mktemp -d)"
         export DOCKER_CONFIG
 
@@ -107,9 +107,6 @@ spec:
             secretKeyRef:
               name: $(params.pyxisSecret)
               key: key
-      volumeMounts:
-        - mountPath: /workdir
-          name: workdir
       script: |
         #!/usr/bin/env sh
         set -eu
@@ -138,7 +135,7 @@ spec:
 
         PYXIS_FILE="$(workspaces.data.path)/$(params.pyxisJsonPath)"
 
-        cd /workdir/sboms
+        cd "$(workspaces.data.path)/$(params.downloadedSbomPath)"
 
         N=$(params.concurrentLimit)  # The maximum number of images to be processed at once
         declare -a jobs=()

diff --git a/tasks/update-component-sbom/README.md b/tasks/update-component-sbom/README.md
@@ -0,0 +1,10 @@
+# update-component-sbom
+
+Tekton task to update component-level SBOMs with purls containing release-time info.
+
+## Parameters
+
+| Name                | Description                                                              | Optional | Default value    |
+|---------------------|--------------------------------------------------------------------------|----------|------------------|
+| dataJsonPath        | Path to the JSON string of the merged data containing the release notes  | No       | -                |
+| downloadedSbomPath  | Path to the directory holding previously downloaded SBOMs to be updated. | Yes      | downloaded-sboms |
diff --git a/tasks/update-component-sbom/tests/mock.sh b/tasks/update-component-sbom/tests/mock.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -eux
+
+function update_component_sbom() {
+  echo Mock update_component_sbom called with: "$*"
+  echo "$*" >> "$(workspaces.data.path)/mock_update.txt"
+
+  if [[ "$*" != "update_component_sbom --data-path $(workspaces.data.path)/data.json --input-path $(workspaces.data.path)/downloaded-sboms --output-path $(workspaces.data.path)/updated-sboms" ]]
+  then
+    echo Error: Unexpected call
+    exit 1
+  fi
+}
diff --git a/tasks/update-component-sbom/tests/pre-apply-task-hook.sh b/tasks/update-component-sbom/tests/pre-apply-task-hook.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+TASK_PATH=$1
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+yq -i '.spec.steps[0].script = load_str("'"$SCRIPT_DIR"'/mocks.sh") + .spec.steps[0].script' "$TASK_PATH"
+yq -i '.spec.steps[0].script = load_str("'"$SCRIPT_DIR"'/mocks.sh") + .spec.steps[1].script' "$TASK_PATH"
diff --git a/tasks/update-component-sbom/tests/test-update-component-sbom-basic.yaml b/tasks/update-component-sbom/tests/test-update-component-sbom-basic.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: test-update-component-sbom-basic
+spec:
+  description: |
+    Update a component-level SBOM where components contain only one purl.
+  workspaces:
+    - name: tests-workspace
+  tasks:
+    - name: run-task
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      taskRef:
+        name: update-component-sbom
+      params:
+        - name: dataJsonPath
+          value: "data.json"
+        - name: downloadedSbomPath
+          value: downloaded-sboms
+    - name: check-result
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      params:
+        - name: sbomPath
+          value: $(tasks.run-task.results.sbomPath)
+      taskSpec:
+        steps:
+          - name: check-result
+            image: quay.io/konflux-ci/release-service-utils:e39e8d32c8263474c63fc1e922d7954d37e32374
+            script: |
+              #!/usr/bin/env bash
+              set -eux
+              
+              test "$(params.sbomPath)" == "$(workspaces.data.path)/updated-sboms"
diff --git a/tasks/update-component-sbom/update-component-sbom.yaml b/tasks/update-component-sbom/update-component-sbom.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: update-component-sbom
+  labels:
+    app.kubernetes.io/version: "0.0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: release
+spec:
+  description: >-
+    Update component-level SBOM with purls with release-time info.
+  params:
+    - name: dataJsonPath
+      description: Relative path to the JSON data file in the workspace.
+    - name: downloadedSbomPath
+      description: |
+        Path to the directory holding previously downloaded SBOMs to be updated.
+      type: string
+      default: downloaded-sboms
+  workspaces:
+    - name: data
+      description: The workspace where the SBOM files reside.
+  results:
+    - name: sbomPath
+      description: Relative path to the updated component-level SBOM in the data workspace.
+  steps:
+    - name: update-component-sbom-purls
+      image: quay.io/konflux-ci/release-service-utils:e39e8d32c8263474c63fc1e922d7954d37e32374
+      script: |
+        #!/usr/bin/env bash
+        set -eux
+        
+        INPUT_PATH="$(workspaces.data.path)/$(params.downloadedSbomPath)"
+        OUTPUT_PATH="$(workspaces.data.path)/updated-sboms"
+        
+        update_component_sbom \
+        --data-path "$(workspaces.data.path)/$(params.dataJsonPath)" \
+        --input-path "$INPUT_PATH" \
+        --output-path "$OUTPUT_PATH"
+        
+        echo -n "$OUTPUT_PATH" > "$(results.sbomPath.path)"