From 642b662b73511630f53eef750208651c769245b1 Mon Sep 17 00:00:00 2001 From: Wai Cheang Date: Wed, 30 Oct 2024 23:45:29 -0400 Subject: [PATCH] feat(ISV-5128): add new Tekton task to update component sboms Signed-off-by: Wai Cheang --- tasks/push-rpm-data-to-pyxis/README.md | 4 ++ .../push-rpm-data-to-pyxis.yaml | 25 +++++------ tasks/update-component-sbom/README.md | 10 +++++ tasks/update-component-sbom/tests/mock.sh | 13 ++++++ .../tests/pre-apply-task-hook.sh | 7 +++ .../test-update-component-sbom-basic.yaml | 38 ++++++++++++++++ .../update-component-sbom.yaml | 43 +++++++++++++++++++ 7 files changed, 126 insertions(+), 14 deletions(-) create mode 100644 tasks/update-component-sbom/README.md create mode 100644 tasks/update-component-sbom/tests/mock.sh create mode 100644 tasks/update-component-sbom/tests/pre-apply-task-hook.sh create mode 100644 tasks/update-component-sbom/tests/test-update-component-sbom-basic.yaml create mode 100644 tasks/update-component-sbom/update-component-sbom.yaml diff --git a/tasks/push-rpm-data-to-pyxis/README.md b/tasks/push-rpm-data-to-pyxis/README.md index fa6dce23d..cd1d177f7 100644 --- a/tasks/push-rpm-data-to-pyxis/README.md +++ b/tasks/push-rpm-data-to-pyxis/README.md @@ -13,6 +13,10 @@ all repository_id strings found in rpm purl strings in the sboms. | server | The server type to use. Options are 'production','production-internal,'stage-internal' and 'stage'. | Yes | production | | concurrentLimit | The maximum number of images to be processed at once | Yes | 4 | +## Changes in 1.0.4 +* Change SBOM download location to a subdir of the data workspace, so that other tasks can access the + downloaded SBOMs. + ## Changes in 1.0.3 * Updated the step image used in this task * Added handling for sbom entries that do not explicitly specify the publisher. diff --git a/tasks/push-rpm-data-to-pyxis/push-rpm-data-to-pyxis.yaml b/tasks/push-rpm-data-to-pyxis/push-rpm-data-to-pyxis.yaml index bd059d61b..0237e832a 100644 
--- a/tasks/push-rpm-data-to-pyxis/push-rpm-data-to-pyxis.yaml +++ b/tasks/push-rpm-data-to-pyxis/push-rpm-data-to-pyxis.yaml @@ -4,7 +4,7 @@ kind: Task metadata: name: push-rpm-data-to-pyxis labels: - app.kubernetes.io/version: "1.0.3" + app.kubernetes.io/version: "1.0.4" annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: release @@ -29,19 +29,19 @@ spec: type: string description: The maximum number of images to be processed at once default: 4 + - name: downloadedSbomPath + description: | + Path to download SBOM files onto. The name is differentiated from created or augmented sboms. + type: string + default: downloaded-sboms workspaces: - name: data - description: The workspace where the pyxis data json file resides - volumes: - - name: workdir - emptyDir: {} + description: | + The workspace where the pyxis data json file resides and where sboms will be downloaded to. steps: - name: download-sbom-files image: quay.io/konflux-ci/release-service-utils:e39e8d32c8263474c63fc1e922d7954d37e32374 - volumeMounts: - - mountPath: /workdir - name: workdir script: | #!/usr/bin/env bash set -eux @@ -54,8 +54,8 @@ spec: NUM_COMPONENTS=$(jq '.components | length' "${PYXIS_FILE}") - mkdir /workdir/sboms - cd /workdir/sboms + mkdir "$(workspaces.data.path)/$(params.downloadedSbomPath)" + cd "$(workspaces.data.path)/$(params.downloadedSbomPath)" DOCKER_CONFIG="$(mktemp -d)" export DOCKER_CONFIG @@ -107,9 +107,6 @@ spec: secretKeyRef: name: $(params.pyxisSecret) key: key - volumeMounts: - - mountPath: /workdir - name: workdir script: | #!/usr/bin/env sh set -eu @@ -138,7 +135,7 @@ spec: PYXIS_FILE="$(workspaces.data.path)/$(params.pyxisJsonPath)" - cd /workdir/sboms + cd "$(workspaces.data.path)/$(params.downloadedSbomPath)" N=$(params.concurrentLimit) # The maximum number of images to be processed at once declare -a jobs=() diff --git a/tasks/update-component-sbom/README.md b/tasks/update-component-sbom/README.md new file mode 100644 index 000000000..aa031d0a5 
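Review bot: `mkdir "$(workspaces.data.path)/$(params.downloadedSbomPath)"` in the `@@ -54,8 +54,8 @@` hunk of the download-sbom-files step now targets the shared data workspace instead of a fresh emptyDir, so under `set -e` the step aborts with a bare mkdir error whenever that directory already exists — plausible on a retried run or any pipeline that reuses the workspace — and if it were created with `-p` instead, stale SBOMs from an earlier run would be mixed into this one. Make the choice explicit, e.g. `SBOM_DIR="$(workspaces.data.path)/$(params.downloadedSbomPath)"` followed by `[ ! -e "$SBOM_DIR" ] || { echo "$SBOM_DIR already exists; refusing to mix in stale SBOMs" >&2; exit 1; }` and then `mkdir "$SBOM_DIR"`, so the failure names its cause; the same path expression is spelled out again in the `cd` on the next line and in the `@@ -138,7 +135,7 @@` hunk of the second step. The new `downloadedSbomPath` parameter is also missing from the parameter table in tasks/push-rpm-data-to-pyxis/README.md, to which this commit only adds a changelog entry. Both step scripts start and end outside these hunks.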
--- /dev/null
+++ b/tasks/update-component-sbom/README.md
@@ -0,0 +1,10 @@
+# update-component-sbom
+
+Tekton task to update component-level SBOMs with purls containing release-time info.
+
+## Parameters
+
+| Name | Description | Optional | Default value |
+|---------------------|--------------------------------------------------------------------------|----------|------------------|
+| dataJsonPath | Path to the JSON string of the merged data containing the release notes | No | - |
+| downloadedSbomPath | Path to the directory holding previously downloaded SBOMs to be updated. | Yes | downloaded-sboms |
diff --git a/tasks/update-component-sbom/tests/mock.sh b/tasks/update-component-sbom/tests/mock.sh
new file mode 100644
index 000000000..28690beb0
--- /dev/null
+++ b/tasks/update-component-sbom/tests/mock.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -eux
+
+function update_component_sbom() {
+ echo Mock update_component_sbom called with: "$*"
+ echo "$*" >> "$(workspaces.data.path)/mock_update.txt"
+
+ if [[ "$*" != "update_component_sbom --data-path $(workspaces.data.path)/data.json --input-path $(workspaces.data.path)/downloaded-sboms --output-path $(workspaces.data.path)/updated-sboms" ]]
+ then
+ echo Error: Unexpected call
+ exit 1
+ fi
+}
diff --git a/tasks/update-component-sbom/tests/pre-apply-task-hook.sh b/tasks/update-component-sbom/tests/pre-apply-task-hook.sh
new file mode 100644
index 000000000..1069daa45
--- /dev/null
+++ b/tasks/update-component-sbom/tests/pre-apply-task-hook.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+TASK_PATH=$1
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+yq -i '.spec.steps[0].script = load_str("'"$SCRIPT_DIR"'/mocks.sh") + .spec.steps[0].script' "$TASK_PATH"
+yq -i '.spec.steps[0].script = load_str("'"$SCRIPT_DIR"'/mocks.sh") + .spec.steps[1].script' "$TASK_PATH"
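Review bot: Both `yq` lines in pre-apply-task-hook.sh load `$SCRIPT_DIR/mocks.sh`, but the file this commit adds is tasks/update-component-sbom/tests/mock.sh, so `load_str` has nothing to read and the mock is never spliced into the task; either rename the file to mocks.sh or point both lines at `/mock.sh`. The second line is wrong on its own as well: it reassigns `.spec.steps[0].script` from `.spec.steps[1].script`, overwriting what the first line produced, and the task in tasks/update-component-sbom/update-component-sbom.yaml has a single step, so `steps[1].script` is null and the real step script is dropped (or yq errors, depending on how it treats string + null). Delete the second line; the hook needs only `yq -i '.spec.steps[0].script = load_str("'"$SCRIPT_DIR"'/mock.sh") + .spec.steps[0].script' "$TASK_PATH"`.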
diff --git a/tasks/update-component-sbom/tests/test-update-component-sbom-basic.yaml b/tasks/update-component-sbom/tests/test-update-component-sbom-basic.yaml
new file mode 100644
index 000000000..e3ecd2401
--- /dev/null
+++ b/tasks/update-component-sbom/tests/test-update-component-sbom-basic.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: test-update-component-sbom-basic
+spec:
+ description: |
+ Update a component-level SBOM where components contain only one purl.
+ workspaces:
+ - name: tests-workspace
+ tasks:
+ - name: run-task
+ workspaces:
+ - name: data
+ workspace: tests-workspace
+ taskRef:
+ name: update-component-sbom
+ params:
+ - name: dataJsonPath
+ value: "data.json"
+ - name: downloadedSbomPath
+ value: downloaded-sboms
+ - name: check-result
+ workspaces:
+ - name: data
+ workspace: tests-workspace
+ params:
+ - name: sbomPath
+ value: $(tasks.run-task.results.sbomPath)
+ taskSpec:
+ steps:
+ - name: check-result
+ image: quay.io/konflux-ci/release-service-utils:e39e8d32c8263474c63fc1e922d7954d37e32374
+ script: |
+ #!/usr/bin/env bash
+ set -eux
+
+ test "$(params.sbomPath)" == "$(workspaces.data.path)/updated-sboms"
diff --git a/tasks/update-component-sbom/update-component-sbom.yaml b/tasks/update-component-sbom/update-component-sbom.yaml
new file mode 100644
index 000000000..f62b6313c
--- /dev/null
+++ b/tasks/update-component-sbom/update-component-sbom.yaml
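Review bot: check-result only compares the `sbomPath` result with the expected string; it never verifies that the mocked `update_component_sbom` was invoked, even though tests/mock.sh appends every call to `$(workspaces.data.path)/mock_update.txt` for exactly that purpose. Add to the check-result script `test -f "$(workspaces.data.path)/mock_update.txt"` and `test "$(wc -l < "$(workspaces.data.path)/mock_update.txt")" -eq 1`, so a step that never reaches the call (for instance because the mock hook failed to splice the mock in) fails the test instead of passing on the result file alone. The two param values are quoted inconsistently — `value: "data.json"` versus `value: downloaded-sboms`; quote both.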
@@ -0,0 +1,43 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: update-component-sbom
+ labels:
+ app.kubernetes.io/version: "0.0.1"
+ annotations:
+ tekton.dev/pipelines.minVersion: "0.12.1"
+ tekton.dev/tags: release
+spec:
+ description: >-
+ Update component-level SBOM with purls with release-time info.
+ params:
+ - name: dataJsonPath
+ description: Relative path to the JSON data file in the workspace.
+ - name: downloadedSbomPath
+ description: |
+ Path to the directory holding previously downloaded SBOMs to be updated.
+ type: string
+ default: downloaded-sboms
+ workspaces:
+ - name: data
+ description: The workspace where the SBOM files reside.
+ results:
+ - name: sbomPath
+ description: Relative path to the updated component-level SBOM in the data workspace.
+ steps:
+ - name: update-component-sbom-purls
+ image: quay.io/konflux-ci/release-service-utils:e39e8d32c8263474c63fc1e922d7954d37e32374
+ script: |
+ #!/usr/bin/env bash
+ set -eux
+
+ INPUT_PATH="$(workspaces.data.path)/$(params.downloadedSbomPath)"
+ OUTPUT_PATH="$(workspaces.data.path)/updated-sboms"
+
+ update_component_sbom \
+ --data-path "$(workspaces.data.path)/$(params.dataJsonPath)" \
+ --input-path "$INPUT_PATH" \
+ --output-path "$OUTPUT_PATH"
+
+ echo -n "$OUTPUT_PATH" > "$(results.sbomPath.path)"
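Review bot: The `sbomPath` result is described as `Relative path to the updated component-level SBOM in the data workspace`, but the script writes `$OUTPUT_PATH`, which is `$(workspaces.data.path)/updated-sboms` — an absolute path to a directory, as the new test in tests/test-update-component-sbom-basic.yaml also asserts — and the new README lists no results at all. Make the description match what is produced, `description: Absolute path to the directory holding the updated component-level SBOMs.`, and document the result in the README; emitting the relative `updated-sboms` instead would also work but then the test and any consumer of the absolute form must change with it. `dataJsonPath` lacks the `type: string` that `downloadedSbomPath` declares — Tekton defaults to string, so this is consistency only. Both params are substituted straight into the shell script as path components under the shared workspace; Tekton's own guidance is to pass params through `env` and read them as shell variables, which keeps a value containing quotes or `$` from altering the script, and rejecting absolute or `..` values before use would keep the task from reading or writing outside the workspace — push-rpm-data-to-pyxis.yaml follows the same direct-substitution style in this commit, so treat this as a hardening suggestion for both.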