feat(KONFLUX-2742) add a file upload function

The intent is to use this in the snyk sast task to upload the sarif result to the registry for later post-processing by other systems. Signed-off-by: Ralph Bean <[email protected]>
konflux-ci · Apr 19, 2024 · ab2dc70 · ab2dc70
1 parent cc49e74
commit ab2dc70
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -2,6 +2,8 @@
 FROM docker.io/snyk/snyk:linux@sha256:c7f21c3d71f64d592e427e78d5043375c9b93e304f70fdbbd8ca7306cbb0ba1f as snyk
 FROM quay.io/enterprise-contract/ec-cli:snapshot@sha256:141a7cd25ce0d098b1e40fd75d6f75873f8709c5f96f6340993b269c56e3f387 AS ec-cli
 FROM gcr.io/projectsigstore/cosign:v1.13.6@sha256:366bf5a7e882e9748e2b05f620258f8eab89ef4e3597001279291a88486c4fdf as cosign-bin
+#FROM quay.io/konflux-ci/oras:latest as oras
+FROM quay.io/redhat-user-workloads/ralphjbean-tenant/oras/oras:f281406da00d033e9f99a4d2010a66b69257972e as oras
 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612
 
 # Note that the version of OPA used by pr-checks must be updated manually to reflect conftest updates
@@ -50,6 +52,7 @@ COPY --from=ec-cli /usr/bin/ec /usr/local/bin/ec
 
 COPY --from=cosign-bin /ko-app/cosign /usr/local/bin/cosign
 
+COPY --from=oras /usr/bin/oras /usr/local/bin/oras
 
 COPY policies $POLICY_PATH
 COPY test/conftest.sh $POLICY_PATH

diff --git a/test/utils.sh b/test/utils.sh
@@ -148,13 +148,60 @@ parse_test_output() {
     then
       echo "Task $TEST_NAME failed because of the following issues:"
       jq '.[].failures // []|map(.metadata.details.name) | unique' "$TEST_RESULT_FILE"
-    fi    
+    fi
   else
     echo "Unsupported TEST_RESULT_FORMAT $TEST_RESULT_FORMAT"
     exit 1
   fi
 }
 
+# Push a file to quay registry
+upload_file() {
+  # The artifact to which the file pertains
+  OCI_SUBJECT=$1
+  # The type of the file
+  MEDIA_TYPE=$2
+  # The suffix of the tag to push
+  SUFFIX=$3
+  # The file to upload
+  UPLOAD_FILE=$4
+
+  if [ -z "$OCI_SUBJECT" ]; then
+    echo "Missing parameter OCI_SUBJECT" >&2
+    exit 2
+  fi
+  if [ -z "$MEDIA_TYPE" ]; then
+    echo "Missing parameter MEDIA_TYPE" >&2
+    exit 2
+  fi
+  if [ -z "$SUFFIX" ]; then
+    echo "Missing parameter SUFFIX" >&2
+    exit 2
+  fi
+  if [ -z "$UPLOAD_FILE" ]; then
+    echo "Missing parameter UPLOAD_FILE" >&2
+    exit 2
+  fi
+
+  if [ ! -f "$UPLOAD_FILE" ]; then
+    echo "File ${UPLOAD_FILE} doesn't exist" >&2
+    exit 2
+  fi
+
+  if ! raw_inspect_output=$(skopeo inspect --no-tags docker://"${OCI_SUBJECT}"); then
+    echo "Failed to inspect ${OCI_SUBJECT}" >&2
+    exit 2
+  fi
+  if ! DIGEST=$(echo "${raw_inspect_output}" | jq -r .Digest | sed 's/:/-/'); then
+    echo "Failed to identify digest of ${OCI_SUBJECT}"
+    exit 2
+  fi
+
+  REPO=$(echo "$OCI_SUBJECT" | awk -F ':' '{ print $1 }' | awk -F '@' '{ print $1 }')
+
+  oras push --no-tty "${REPO}:${DIGEST}.${SUFFIX}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
+}
+
 # The function will be used by the tekton tasks of build-definitions
 # It need tekton result path as parameter when generating TEST_OUTPUT task result is needed
 handle_error()

diff --git a/unittests_bash/test_utils.bats b/unittests_bash/test_utils.bats
@@ -31,6 +31,15 @@ setup() {
         fi
     }
 
+    oras() {
+        if [[ $1 == "push" && $2 == "--no-tty" && $3 == "valid-image-manifest-url:sha256-826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d.sarif" && $4 == "unittests_bash/data/sarif_successes.json:application/sarif+json" ]]; then
+            echo 'Pushed [registry] valid-image-manifest-url:sha256-826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d.sarif'
+            echo 'Digest: sha256:826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d'
+        else
+            echo 'Unrecognized call to mock oras'
+            return 1
+        fi
+    }
 }
 
 @test "Result: missing result" {
@@ -113,6 +122,14 @@ setup() {
     test_json_eq "${EXPECTED_JSON}" "${TEST_OUTPUT}"
 }
 
+@test "ORAS upload: sarif file" {
+    TEST_OUTPUT=$(upload_file valid-image-manifest-url application/sarif+json sarif unittests_bash/data/sarif_successes.json)
+    EXPECTED_OUTPUT='Pushed [registry] valid-image-manifest-url:sha256-826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d.sarif
+Digest: sha256:826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d'
+    /usr/bin/diff -u <(echo "$TEST_OUTPUT") <(echo "$EXPECTED_OUTPUT")
+    [[ "${EXPECTED_OUTPUT}" = "${TEST_OUTPUT}" ]]
+}
+
 @test "Get Image Index Manifests: missing IMAGE_URL" {
     run get_image_manifests
     [ "$status" -eq 2 ]