Add function to send Sbom

Author: cdupuis

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/anchore/stereoscope v0.0.0-20221006201143-d24c9d626b33
 	github.com/anchore/syft v0.62.1
 	github.com/aquasecurity/trivy v0.30.4
-	github.com/atomist-skills/go-skill v0.0.6-0.20221003172518-c3d268e1f3f1
+	github.com/atomist-skills/go-skill v0.0.6-0.20221221214636-a7de163fd901
 	github.com/briandowns/spinner v1.12.0
 	github.com/docker/cli v20.10.21+incompatible
 	github.com/docker/docker v20.10.17+incompatible

go.sum

@@ -209,6 +209,8 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ=
 github.com/atomist-skills/go-skill v0.0.6-0.20221003172518-c3d268e1f3f1 h1:EzSOh9LLtL/3IzbPUFSp/6OF4DrgiCPxCC3x3jjD9Bs=
 github.com/atomist-skills/go-skill v0.0.6-0.20221003172518-c3d268e1f3f1/go.mod h1:DRmwrZL5kG68Mn8VDw/Xr7rDhyl+laD7NFHIrQr54yo=
+github.com/atomist-skills/go-skill v0.0.6-0.20221221214636-a7de163fd901 h1:0fqUAo4MmWXnWIDCG7JBe903M3WJ+tqQetPIkVfcXKo=
+github.com/atomist-skills/go-skill v0.0.6-0.20221221214636-a7de163fd901/go.mod h1:DRmwrZL5kG68Mn8VDw/Xr7rDhyl+laD7NFHIrQr54yo=
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
 github.com/aws/aws-sdk-go v1.44.46 h1:BsKENvu24eXg7CWQ2wJAjKbDFkGP+hBtxKJIR3UdcB8=
 github.com/aws/aws-sdk-go v1.44.46/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=

sbom/lsp.go

@@ -0,0 +1,43 @@
+/*
+ * Copyright © 2022 Docker, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sbom
+
+import (
+	"github.com/docker/cli/cli/command"
+	cliflags "github.com/docker/cli/cli/flags"
+	"github.com/pkg/errors"
+)
+
+func Send(image string, tx chan<- string) error {
+	cmd, err := command.NewDockerCli()
+	if err != nil {
+		return errors.Wrap(err, "failed to create docker cli")
+	}
+	if err := cmd.Initialize(cliflags.NewClientOptions()); err != nil {
+		return errors.Wrap(err, "failed to initialize docker cli")
+	}
+	sbom, err := IndexImage(image, cmd)
+	if err != nil {
+		return errors.Wrap(err, "failed to create sbom")
+	}
+	err = sendSbom(sbom, tx)
+	if err != nil {
+		return errors.Wrap(err, "failed to send sbom")
+	}
+	close(tx)
+	return nil
+}

sbom/lsp_test.go

@@ -0,0 +1,37 @@
+/*
+ * Copyright © 2022 Docker, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sbom
+
+import (
+	"testing"
+)
+
+func TestSend(t *testing.T) {
+	tx := make(chan string, 10)
+	transactions := make([]string, 0)
+
+	err := Send("alpine@sha256:c0d488a800e4127c334ad20d61d7bc21b4097540327217dfab52262adc02380c", tx)
+	if err != nil {
+		t.Fail()
+	}
+	for elem := range tx {
+		transactions = append(transactions, elem)
+	}
+	if len(transactions) != 3 {
+		t.Errorf("expected 3 transactions, instead got %d", len(transactions))
+	}
+}

sbom/upload.go

@@ -33,25 +33,67 @@ import (
 	"olympos.io/encoding/edn"
 )
 
+type TransactionMaker = func() skill.Transaction
+
 // UploadSbom transact an image and its data into the data plane
 func UploadSbom(sb *types.Sbom, workspace string, apikey string) error {
-	host, name, err := parseReference(sb)
+	correlationId := uuid.NewString()
+	context := skill.RequestContext{
+		Event: skill.EventIncoming{
+			ExecutionId: correlationId,
+			WorkspaceId: workspace,
+			Token:       apikey,
+		},
+	}
+
+	newTransaction := context.NewTransaction
+	image, err := transactSbom(sb, newTransaction)
 	if err != nil {
-		return errors.Wrapf(err, "failed to obtain host and repository")
+		return errors.Wrap(err, "failed to transact image")
 	}
-	config := (*sb).Source.Image.Config
-	manifest := (*sb).Source.Image.Manifest
 
-	now := time.Now()
+	imageName := ""
+	if image.Repository.Host != "hub.docker.com" {
+		imageName = image.Repository.Host + "/"
+	}
+	imageName += image.Repository.Name
+
+	skill.Log.Infof("Inspect image at https://dso.docker.com/%s/overview/images/%s/digests/%s", workspace, imageName, image.Digest)
+
+	return nil
+}
+
+func sendSbom(sb *types.Sbom, entities chan<- string) error {
 	correlationId := uuid.NewString()
 	context := skill.RequestContext{
 		Event: skill.EventIncoming{
 			ExecutionId: correlationId,
-			WorkspaceId: workspace,
-			Token:       apikey,
 		},
 	}
-	transaction := context.NewTransaction().Ordered()
+
+	newTransaction := func() skill.Transaction {
+		return context.NewTransactionWithTransactor(func(entitiesString string) {
+			entities <- entitiesString
+		})
+	}
+	_, err := transactSbom(sb, newTransaction)
+	if err != nil {
+		return errors.Wrap(err, "failed to transact image")
+	}
+
+	return nil
+}
+
+func transactSbom(sb *types.Sbom, newTransaction func() skill.Transaction) (*ImageEntity, error) {
+	now := time.Now()
+	host, name, err := parseReference(sb)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to obtain host and repository")
+	}
+	config := (*sb).Source.Image.Config
+	manifest := (*sb).Source.Image.Manifest
+
+	transaction := newTransaction().Ordered()
 	ports := parsePorts(config)
 	env, envVars := parseEnvVars(config)
 	sha := parseSha(config)
@@ -111,7 +153,7 @@ func UploadSbom(sb *types.Sbom, workspace string, apikey string) error {
 		image.Sha = sha
 	}
 
-	if len(*sb.Source.Image.Tags) > 0 {
+	if sb.Source.Image.Tags != nil && len(*sb.Source.Image.Tags) > 0 {
 		image.Tags = &skill.ManyRef{Add: *sb.Source.Image.Tags}
 
 		for _, t := range *sb.Source.Image.Tags {
@@ -136,13 +178,13 @@ func UploadSbom(sb *types.Sbom, workspace string, apikey string) error {
 	// transact the image with all its metadata (repo, tags, layers, blobs, ports, env etc)
 	err = transaction.AddEntities(image, platform).Transact()
 	if err != nil {
-		return errors.Wrapf(err, "failed to transact image")
+		return nil, errors.Wrapf(err, "failed to transact image")
 	}
 
 	// transact all packages in chunks
 	packageChunks := internal.ChunkSlice(sb.Artifacts, 20)
 	for _, packages := range packageChunks {
-		transaction := context.NewTransaction().Ordered()
+		transaction := newTransaction().Ordered()
 
 		image = ImageEntity{
 			Digest:    sb.Source.Image.Digest,
@@ -186,28 +228,19 @@ func UploadSbom(sb *types.Sbom, workspace string, apikey string) error {
 		image.Dependencies = &skill.ManyRef{Add: transaction.EntityRefs("package/dependency")}
 		err := transaction.AddEntities(image).Transact()
 		if err != nil {
-			return errors.Wrapf(err, "failed to transact packages")
+			return nil, errors.Wrapf(err, "failed to transact packages")
 		}
 	}
 
 	image = ImageEntity{
 		Digest:    sb.Source.Image.Digest,
 		SbomState: Indexed,
 	}
-	err = context.NewTransaction().Ordered().AddEntities(image).Transact()
+	err = newTransaction().Ordered().AddEntities(image).Transact()
 	if err != nil {
-		return errors.Wrapf(err, "failed to transact packages")
+		return nil, errors.Wrapf(err, "failed to transact packages")
 	}
-
-	imageName := ""
-	if host != "hub.docker.com" {
-		imageName = host + "/"
-	}
-	imageName += name
-
-	skill.Log.Infof("Inspect image at https://dso.docker.com/%s/overview/images/%s/digests/%s", workspace, imageName, image.Digest)
-
-	return nil
+	return &image, nil
 }
 
 func digestChainIds(manifest *v1.Manifest) []digest.Digest {