feat(ISV-5783): use new workflow in SBOM update

The update-component-sbom uses new SBOM workflow, where SBOMs are
generated from the mapped snapshot spec.

Signed-off-by: Martin Jediny <jedinym@proton.me>

Author: jedinym

tasks/managed/update-component-sbom/README.md

@@ -18,6 +18,13 @@ Tekton task to update component-level SBOMs with purls containing release-time i
 | taskGitUrl              | The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored                      | No        | ""                      |
 | taskGitRevision         | The revision in the taskGitUrl repo to be used                                                                             | No        | ""                      |
 
+## Changes in 2.0.0
+* Refactored task to use the new SBOM generation workflow. SBOMs are now
+  generated from mapped snapshot specs.
+  * Removed `sbomJsonPath`, `downloadedSbomPath` params. This task is no longer
+   dependent on sbom data from `populate-release-notes-images` and build-time
+   SBOMs from `push-rpm-data-to-pyxis`.
+
 ## Changes in 1.0.0
 * This task now supports Trusted artifacts
 

tasks/managed/update-component-sbom/tests/mocks.sh

@@ -5,9 +5,11 @@ function update_component_sbom() {
   echo Mock update_component_sbom called with: "$*"
   echo "$*" >> "$(params.dataDir)/mock_update.txt"
 
-  if [[ "$*" != "--data-path $(params.dataDir)/$(params.subdirectory)/data.json --input-path $(params.dataDir)/$(params.subdirectory)/downloaded-sboms --output-path $(params.dataDir)/$(params.subdirectory)/downloaded-sboms" ]]
-  then
-    echo Error: Unexpected call
+  if [[ "$1" != "--snapshot-path" ]] ||
+     [[ "$2" != "$(params.dataDir)/$(params.subdirectory)/snapshot_spec.json" ]] ||
+     [[ "$3" != "--output-path" ]] ||
+     [[ "$4" != "$(params.dataDir)/$(params.subdirectory)/sboms" ]]; then
+    echo "Error: Unexpected call"
     exit 1
   fi
 }

tasks/managed/update-component-sbom/tests/test-update-component-sbom-basic.yaml

@@ -60,69 +60,6 @@ spec:
             - name: "DEBUG"
               value: "$(params.trustedArtifactsDebug)"
         steps:
-          - name: setup-values
-            image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
-            script: |
-              #!/usr/bin/env sh
-              set -eux
-
-              mkdir -p "$(params.dataDir)/$(context.pipelineRun.uid)"
-              cat > "$(params.dataDir)/$(context.pipelineRun.uid)/test_data.json" << EOF
-              {
-                "mapping": {
-                  "components": [
-                    {
-                      "name": "comp1",
-                      "repository": "repo1"
-                    },
-                    {
-                      "name": "comp2",
-                      "repository": "repo2"
-                    },
-                    {
-                      "name": "comp3",
-                      "repository": "repo3a"
-                    },
-                    {
-                      "name": "comp4",
-                      "customfield": "custom"
-                    }
-                  ]
-                }
-              }
-              EOF
-
-              cat > "$(params.dataDir)/$(context.pipelineRun.uid)/test_snapshot_spec.json" << EOF
-              {
-                "application": "myapp",
-                "components": [
-                  {
-                    "name": "comp1",
-                    "containerImage": "imageurl1@sha256:123456",
-                    "source": {
-                      "git": {
-                        "revision": "myrev",
-                        "url": "myurl"
-                      }
-                    }
-                  },
-                  {
-                    "name": "comp3",
-                    "containerImage": "imageurl3@sha256:123456",
-                    "repository": "repo3"
-                  },
-                  {
-                    "name": "comp4",
-                    "containerImage": "imageurl4@sha256:123456",
-                    "repository": "repo4"
-                  },
-                  {
-                    "name": "comp5",
-                    "containerImage": "imageurl5@sha256:123456"
-                  }
-                ]
-              }
-              EOF
           - name: skip-trusted-artifact-operations
             ref:
               name: skip-trusted-artifact-operations
@@ -156,10 +93,10 @@ spec:
       taskRef:
         name: update-component-sbom
       params:
-        - name: sbomJsonPath
-          value: "$(context.pipelineRun.uid)/data.json"
-        - name: downloadedSbomPath
-          value: "$(context.pipelineRun.uid)/downloaded-sboms"
+        - name: snapshotSpec
+          value: "$(context.pipelineRun.uid)/snapshot_spec.json"
+        - name: sbomPath
+          value: "$(context.pipelineRun.uid)/sboms"
         - name: ociStorage
           value: $(params.ociStorage)
         - name: orasOptions
@@ -225,7 +162,7 @@ spec:
               - name: sourceDataArtifact
                 value: $(params.sourceDataArtifact)
           - name: check-result
-            image: quay.io/konflux-ci/release-service-utils:4a67d0c959e63cbb4bc0d37db1ce962091d6072a
+            image: quay.io/konflux-ci/release-service-utils:20e010a0dde28e31826ce91914d5852d73437fc2
             script: |
               #!/usr/bin/env bash
               set -eux

tasks/managed/update-component-sbom/update-component-sbom.yaml

@@ -4,21 +4,14 @@ kind: Task
 metadata:
   name: update-component-sbom
   labels:
-    app.kubernetes.io/version: "1.0.0"
+    app.kubernetes.io/version: "2.0.0"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
 spec:
   description: >-
     Update component-level SBOM with purls with release-time info.
   params:
-    - name: sbomJsonPath
-      description: Relative path to the SBOM data file in the workspace.
-      type: string
-    - name: downloadedSbomPath
-      description: |
-        Path to the directory holding previously downloaded SBOMs to be updated.
-      type: string
     - name: ociStorage
       description: The OCI repository where the Trusted Artifacts are stored.
       type: string
@@ -49,6 +42,13 @@ spec:
       description: The location where data will be stored
       type: string
       default: $(workspaces.data.path)
+    - name: snapshotSpec
+      type: string
+      description: Path to the mapped snapshot spec.
+    - name: sbomPath
+      type: string
+      description: Path to store the updated SBOMs to.
+      default: "sboms"
     - name: taskGitUrl
       type: string
       description: The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored
@@ -62,6 +62,9 @@ spec:
     - description: Produced trusted data artifact
       name: sourceDataArtifact
       type: string
+    - name: sbomPath
+      description: Path to the directory containing updated SBOMs.
+      type: string
   volumes:
     - name: workdir
       emptyDir: {}
@@ -107,19 +110,20 @@ spec:
           value: $(params.dataDir)
         - name: sourceDataArtifact
           value: $(params.sourceDataArtifact)
-    - name: update-component-sbom-purls
-      image: quay.io/konflux-ci/release-service-utils:4a67d0c959e63cbb4bc0d37db1ce962091d6072a
+    - name: update-sboms
+      image: quay.io/konflux-ci/release-service-utils:20e010a0dde28e31826ce91914d5852d73437fc2
       script: |
         #!/usr/bin/env bash
         set -eux
 
-        INPUT_PATH="$(params.dataDir)/$(params.downloadedSbomPath)"
+        sbom_path="$(params.dataDir)/$(params.sbomPath)"
+        mkdir -p "$sbom_path"
 
-        #update the SBOM files in place
         update_component_sbom \
-          --data-path "$(params.dataDir)/$(params.sbomJsonPath)" \
-          --input-path "$INPUT_PATH" \
-          --output-path "$INPUT_PATH"
+          --snapshot-path "$(params.dataDir)/$(params.snapshotSpec)" \
+          --output-path "$sbom_path"
+
+        echo -n "$sbom_path" > "$(results.sbomPath.path)"
     - name: create-trusted-artifact
       ref:
         resolver: "git"