Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add script for generating SBOM from oci-copy.yaml #226

Merged
merged 4 commits into from
Jan 27, 2025
Merged

Add script for generating SBOM from oci-copy.yaml #226

merged 4 commits into from
Jan 27, 2025

Conversation

chmeliik
Copy link
Contributor

This should be a saner way to generate SBOMs from oci-copy.yaml compared to what the task is currently doing. Especially now that SPDX support is needed as well.

@chmeliik chmeliik mentioned this pull request Jan 14, 2025
Merged
@chmeliik chmeliik force-pushed the oci-copy-sbom-script branch from b85b708 to c21cdb4 Compare January 14, 2025 14:15
@chmeliik chmeliik force-pushed the oci-copy-sbom-script branch 2 times, most recently from 2f17818 to 5f30f1b Compare January 23, 2025 13:03
@chmeliik
Add script for generating SBOM from oci-copy.yaml
bd9d333 
Needed for the oci-copy task [1] in build-definitions

Note: unlike the oci-copy task script, this script doesn't put anything
useful in the .metadata.component attribute. That's OK, because this
script should be used in tandem with the add_image_reference script,
which will set that attribute.

[1]: https://github.com/konflux-ci/build-definitions/blob/main/task/oci-copy/0.1/oci-copy.yaml

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik
sbom_for_oci_copy: support SPDX
5ff3539 
Note: the top-level attributes in the SPDX SBOM are mostly based on the
index_image_sbom_script script

Note 2: the SBOM's top-level name attribute and the fake_root package
are mostly irrelevant, because this script should be used in tandem with
the add_image_reference script, which will replace both.

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik
Add sbom_for_oci_copy_task.py script to image
fde7d1a 
Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik chmeliik marked this pull request as ready for review January 23, 2025 13:50
@chmeliik chmeliik requested a review from a team as a code owner January 23, 2025 13:50
@chmeliik
Copy link
Contributor Author

/retest

@chmeliik
Copy link
Contributor Author

Tested in konflux-ci/build-definitions#1816 => transitively in ralphbean/merlinite-poc#17

@chmeliik chmeliik force-pushed the oci-copy-sbom-script branch from 5f30f1b to fde7d1a Compare January 23, 2025 13:53
@chmeliik
Copy link
Contributor Author

/retest

ralphbean
ralphbean approved these changes Jan 24, 2025
View reviewed changes
Copy link
Member

@ralphbean ralphbean left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work!

@chmeliik
CI: run sbom-for-oci-copy-task unit tests
f7bc197 
Also fix a typo in the workflow yaml

Signed-off-by: Adam Cmiel <[email protected]>
@chmeliik
Copy link
Contributor Author

Forgot to run the unit tests for the new script in CI. Added in latest commit

@chmeliik chmeliik merged commit 46240c4 into konflux-ci:main Jan 27, 2025
3 checks passed
@chmeliik chmeliik deleted the oci-copy-sbom-script branch January 27, 2025 09:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mmorhun mmorhun mmorhun approved these changes

@ralphbean ralphbean ralphbean approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chmeliik @ralphbean @mmorhun