feat: Add job for building sboms

gtema · gtema · commit 8abaca7d5b8a · 2024-09-11T10:05:07.000+02:00
Signed-off-by: Artem Goncharov &lt;artem.goncharov@gmail.com&gt;
diff --git a/playbooks/sbom/post.yaml b/playbooks/sbom/post.yaml
@@ -0,0 +1,3 @@
+---
+- hosts: all
+  tasks:
diff --git a/playbooks/sbom/pre.yaml b/playbooks/sbom/pre.yaml
@@ -0,0 +1,13 @@
+---
+- hosts: all
+  roles:
+    - ensure-trivy
+    - ensure-syft
+  tasks:
+    - name: "Create SBOMs directory"
+      ansible.builtin.file:
+        path: "{{ ansible_user_dir }}/zuul-output/artifacts/sboms"
+        state: "directory"
+        mode: 0755
+
+
diff --git a/playbooks/sbom/run.yaml b/playbooks/sbom/run.yaml
@@ -0,0 +1,12 @@
+---
+- hosts: all
+  tasks:
+    - name: Generate report with syft
+      ansible.builtin.include_role:
+        name: "generate-sbom-syft"
+      vars:
+        generate_sbom_syft_source: "{{ zj_item.registry }}/{{ zj_item.name }}:{{ zj_item.tag }}"
+        generate_sbom_syft_path: "{{ ansible_user_dir }}/zuul-output/artifacts/sboms/{{ zj_item.name }}.syft.json"
+      loop: "{{ images }}"
+      loop_control:
+        loop_var: zj_item
diff --git a/roles/ensure-base/README.rst b/roles/ensure-base/README.rst
@@ -0,0 +1,19 @@
+Install binary tool from GitHub
+
+**Role Variables**
+
+.. zuul:rolevar:: ensure_base_install_dir
+   :default: /usr/local/bin
+
+   Directory to install binary in.
+
+.. zuul:rolevar:: ensure_base_version
+   :default: latest
+
+   Version of tool
+
+.. zuul:rolevar:: ensure_base_os
+   :default: {{ ansible_system | lower }}
+
+.. zuul:rolevar:: ensure_base_arch
+   :default: amd64 / 386
diff --git a/roles/ensure-base/defaults/main.yaml b/roles/ensure-base/defaults/main.yaml
@@ -0,0 +1,10 @@
+ensure_base_name: ""
+ensure_base_github_owner: ""
+ensure_base_github_repo: ""
+ensure_base_version: "latest"
+ensure_base_tag: "v{{ ensure_base_version }}"
+ensure_base_download_prefix: "https://github.com/{{ ensure_base_github_owner }}/{{ ensure_base_github_repo }}/releases/download"
+ensure_base_release_info_url_prefix: "https://github.com/{{ ensure_base_github_owner }}/{{ ensure_base_github_repo }}/releases/"
+ensure_base_os: "{{ ansible_system | lower }}"
+ensure_base_arch: "{{ ensure_base_arch_translation[ansible_architecture] }}"
+ensure_base_install_dir: "/usr/local/bin"
diff --git a/roles/ensure-base/tasks/install.yaml b/roles/ensure-base/tasks/install.yaml
@@ -0,0 +1,30 @@
+- name: Create temp directory
+  ansible.builtin.tempfile:
+    state: directory
+  register: ensure_base_archive_tempdir
+
+- name: Get GitHub release info
+  ansible.builtin.uri:
+    url: "{{ ensure_base_release_info_url_prefix }}/{{ (ensure_base_version == 'latest') | ternary(ensure_base_version, ensure_base_tag) }}"
+    headers:
+      accept: "application/json"
+  register: ensure_base_release_info
+
+- name: Download {{ ensure_base_name }} checksums
+  ansible.builtin.uri:
+    url: "{{ ensure_base_download_prefix }}/{{ ensure_base_release_info.json.tag_name }}/{{ ensure_base_name }}_{{ ensure_base_release_info.json.tag_name | regex_replace('^v', '') }}_checksums.txt"
+    return_content: true
+  register: ensure_base_checksums
+
+- name: Download {{ ensure_base_name }} archive
+  ansible.builtin.get_url:
+    url: "{{ ensure_base_download_prefix }}/{{ ensure_base_release_info.json.tag_name }}/{{ ensure_base_name }}_{{ ensure_base_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_base_os }}_{{ ensure_base_arch }}.tar.gz"
+    dest: "{{ ensure_base_archive_tempdir.path }}/{{ ensure_base_name }}_{{ ensure_base_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_base_os }}_{{ ensure_base_arch }}.tar.gz"
+    checksum: "sha256:{{ ensure_base_checksums.content | regex_search('(?P<checksum>.*)\\b\\s+'+ensure_base_name+'_'+(ensure_base_release_info.json.tag_name | regex_replace('^v',''))+'_'+ensure_base_os+'_'+ensure_base_arch+'.tar.gz', '\\g<checksum>') }}"
+
+- name: Install {{ ensure_base_name }}
+  ansible.builtin.unarchive:
+    src: "{{ ensure_base_archive_tempdir.path }}/{{ ensure_base_name }}_{{ ensure_base_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_base_os }}_{{ ensure_base_arch }}.tar.gz"
+    dest: "{{ ensure_base_install_dir }}"
+    remote_src: yes
+  become: true
diff --git a/roles/ensure-base/tasks/main.yaml b/roles/ensure-base/tasks/main.yaml
@@ -0,0 +1,12 @@
+- name: Check installed {{ ensure_base_name }} version
+  ansible.builtin.command: "{{ ensure_base_name }} version"
+  register: ensure_base_installed_version
+  environment:
+    PATH: "{{ ansible_env.PATH }}:{{ ensure_base_install_dir }}"
+  failed_when: false
+
+- name: Skip if correct version of {{ ensure_base_name }} is installed
+  ansible.builtin.include_tasks: install.yaml
+  when:
+    - ensure_base_installed_version.rc != 0 or
+      ensure_base_version != (ensure_base_installed_version.stdout|regex_replace(ensure_base_version_pattern, '\\g<version>'))
diff --git a/roles/ensure-base/vars/main.yaml b/roles/ensure-base/vars/main.yaml
@@ -0,0 +1,6 @@
+ensure_base_arch_translation:
+  amd64: amd64
+  x86_64: amd64
+  i386: 386
+
+ensure_base_version_pattern: ^{{ ensure_base_name }} (?P<version>.*?)$
diff --git a/roles/ensure-syft/README.rst b/roles/ensure-syft/README.rst
@@ -0,0 +1,8 @@
+Install Anchore Syft
+
+**Role Variables**
+
+.. zuul:rolevar:: syft_version
+   :default: latest
+
+   Version of syft
diff --git a/roles/ensure-syft/defaults/main.yaml b/roles/ensure-syft/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+ensure_syft_version: "1.11.1"
diff --git a/roles/ensure-syft/tasks/main.yaml b/roles/ensure-syft/tasks/main.yaml
@@ -0,0 +1,8 @@
+- name: Import ensure-base role
+  ansible.builtin.import_role:
+    name: ensure-base
+  vars:
+    ensure_base_name: "syft"
+    ensure_base_github_owner: "anchore"
+    ensure_base_github_repo: "syft"
+    ensure_base_version: "{{ ensure_syft_version }}"
diff --git a/roles/ensure-trivy/README.rst b/roles/ensure-trivy/README.rst
@@ -0,0 +1,8 @@
+Install Anchore Syft
+
+**Role Variables**
+
+.. zuul:rolevar:: syft_version
+   :default: latest
+
+   Version of syft
diff --git a/roles/ensure-trivy/defaults/main.yaml b/roles/ensure-trivy/defaults/main.yaml
@@ -0,0 +1,15 @@
+---
+ensure_trivy_version: "0.55.0"
+ensure_trivy_name: "trivy"
+ensure_trivy_github_owner: "aquasecurity"
+ensure_trivy_github_repo: "trivy"
+ensure_trivy_version: "0.55.0"
+ensure_trivy_tag: "v{{ ensure_trivy_version }}"
+ensure_trivy_download_prefix: "https://github.com/{{ ensure_trivy_github_owner }}/{{ ensure_trivy_github_repo }}/releases/download"
+ensure_trivy_release_info_url_prefix: "https://github.com/{{ ensure_trivy_github_owner }}/{{ ensure_trivy_github_repo }}/releases/"
+ensure_trivy_os: "{{ ansible_system }}"
+ensure_trivy_arch: "{{ ensure_trivy_arch_translation[ansible_architecture] }}"
+ensure_trivy_install_dir: "/usr/local/bin"
+ensure_trivy_arch_translation:
+  amd64: "64bit"
+  x86_64: "64bit"
diff --git a/roles/ensure-trivy/tasks/main.yaml b/roles/ensure-trivy/tasks/main.yaml
@@ -0,0 +1,31 @@
+---
+- name: Create temp directory
+  ansible.builtin.tempfile:
+    state: directory
+  register: ensure_trivy_archive_tempdir
+
+- name: Get GitHub release info
+  ansible.builtin.uri:
+    url: "{{ ensure_trivy_release_info_url_prefix }}/{{ (ensure_trivy_version == 'latest') | ternary(ensure_trivy_version, ensure_trivy_tag) }}"
+    headers:
+      accept: "application/json"
+  register: ensure_trivy_release_info
+
+- name: Download {{ ensure_trivy_name }} checksums
+  ansible.builtin.uri:
+    url: "{{ ensure_trivy_download_prefix }}/{{ ensure_trivy_release_info.json.tag_name }}/{{ ensure_trivy_name }}_{{ ensure_trivy_release_info.json.tag_name | regex_replace('^v', '') }}_checksums.txt"
+    return_content: true
+  register: ensure_trivy_checksums
+
+- name: Download {{ ensure_trivy_name }} archive
+  ansible.builtin.get_url:
+    url: "{{ ensure_trivy_download_prefix }}/{{ ensure_trivy_release_info.json.tag_name }}/{{ ensure_trivy_name }}_{{ ensure_trivy_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_trivy_os }}-{{ ensure_trivy_arch }}.tar.gz"
+    dest: "{{ ensure_trivy_archive_tempdir.path }}/{{ ensure_trivy_name }}_{{ ensure_trivy_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_trivy_os }}-{{ ensure_trivy_arch }}.tar.gz"
+    checksum: "sha256:{{ ensure_trivy_checksums.content | regex_search('(?P<checksum>.*)\\b\\s+'+ensure_trivy_name+'_'+(ensure_trivy_release_info.json.tag_name | regex_replace('^v',''))+'_'+ensure_trivy_os+'-'+ensure_trivy_arch+'.tar.gz', '\\g<checksum>') }}"
+
+- name: Install {{ ensure_trivy_name }}
+  ansible.builtin.unarchive:
+    src: "{{ ensure_trivy_archive_tempdir.path }}/{{ ensure_trivy_name }}_{{ ensure_trivy_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_trivy_os }}-{{ ensure_trivy_arch }}.tar.gz"
+    dest: "{{ ensure_trivy_install_dir }}"
+    remote_src: yes
+  become: true
diff --git a/roles/fetch-sbom/README.rst b/roles/fetch-sbom/README.rst
@@ -0,0 +1,11 @@
+Fetch SBOM
+
+**Role Variables**
+
+.. zuul:rolevar:: zuul_work_dir
+
+   Zuul working directory
+
+.. zuul:rolevar:: zuul_output_dir
+
+   Output directory
diff --git a/roles/fetch-sbom/defaults/main.yaml b/roles/fetch-sbom/defaults/main.yaml
@@ -0,0 +1,4 @@
+---
+zuul_work_dir: "{{ zuul.project.src_dir }}"
+zuul_output_dir: "{{ ansible_user_dir }}/zuul-output"
+fetch_sbom_glob: "*.sbom.xml"
diff --git a/roles/fetch-sbom/tasks/main.yaml b/roles/fetch-sbom/tasks/main.yaml
@@ -0,0 +1,22 @@
+- name: Fetch sbom file to job artifacts
+  ansible.builtin.copy:
+    dest: "{{ zuul_output_dir }}/logs/"
+    src: "{{ zj_item.bom_path }}"
+    mode: 0644
+    remote_src: true
+  loop: "{{ zuul_bom_results | default([]) }}"
+  loop_control:
+    loop_var: zj_item
+
+- name: Return artifact to Zuul
+  zuul_return:
+    data:
+      zuul:
+        artifacts:
+          - name: "SBOM: {{ zj_item.project_name }}:{{ zj_item.project_version }}"
+            url: "{{ zj_item.bom_path | basename }}"
+            metadata:
+              type: sbom
+  loop: "{{ zuul_bom_results | default([]) }}"
+  loop_control:
+    loop_var: zj_item
diff --git a/roles/generate-sbom-syft/README.rst b/roles/generate-sbom-syft/README.rst
@@ -0,0 +1,16 @@
+Generate SBOM with Syft
+
+**Role Variables**
+
+.. zuul:rolevar:: generate_sbom_syft_source
+
+   Source to generate SBOM for
+
+.. zuul:rolevar:: generate_sbom_syft_format
+   :default: cyclonedx-json
+
+   Format of the SBOM report
+
+.. zuul:rolevar:: generate_sbom_syft_path
+
+   Path where to save the report
diff --git a/roles/generate-sbom-syft/defaults/main.yaml b/roles/generate-sbom-syft/defaults/main.yaml
@@ -0,0 +1,4 @@
+generate_sbom_syft_executable: "/usr/local/bin/syft"
+generate_sbom_syft_command: "scan"
+generate_sbom_syft_format: "cyclonedx-json@1.5"
+generate_sbom_syft_path: "{{ ansible_user }}/zuul-output/sboms/syft-sbom.json"
diff --git a/roles/generate-sbom-syft/tasks/main.yaml b/roles/generate-sbom-syft/tasks/main.yaml
@@ -0,0 +1,2 @@
+- name: Generate SBOM for artifact with syft
+  ansible.builtin.command: "{{ generate_sbom_syft_executable }} {{ generate_sbom_syft_command }} {{ generate_sbom_syft_source }} -o {{ generate_sbom_syft_format }}={{ generate_sbom_syft_path }}"
diff --git a/test.json b/test.json
diff --git a/zuul.d/scan-jobs.yaml b/zuul.d/scan-jobs.yaml
@@ -0,0 +1,15 @@
+---
+- job:
+    name: scs-scan-container-images
+    description: |
+      Scan container image
+    nodeset: pod-fedora-40
+    pre-run: playbooks/sbom/pre.yaml
+    run: playbooks/sbom/run.yaml
+    post-run: playbooks/sbom/post.yaml
+    vars:
+      images:
+        - registry: registry.scs.community
+          name: status-page/status-page-web
+          tag: v1.0.0
+          hash: sha256:bbc899f6a1845e0e11109933bd31968a17593ccb8f6162bb2191e8fbb7a5ae30 
diff --git a/zuul.d/zuul.yaml b/zuul.d/zuul.yaml
@@ -7,6 +7,7 @@
         - scs-tox-linters
         - zuul-config-build-image-f39
         - zuul-config-build-image-f40
+        - scs-scan-container-images
     gate:
       jobs:
         - scs-tox-linters

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+---`
	`2`	`+ensure_syft_version: "1.11.1"`