feat(ISV-5783): use new SBOM generation workflow (#950)

The SBOM generation logic is now dependent on fewer tasks.

Signed-off-by: Martin Jediny <jedinym@proton.me>

Author: jedinym

pipelines/managed/rh-advisories/README.md

@@ -28,6 +28,11 @@ the rh-push-to-registry-redhat-io pipeline.
 | trustedArtifactsDebug           | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable                                             | Yes      | ""                                                        |
 | dataDir                         | The location where data will be stored                                                                                             | Yes      | /var/workdir/release                                      |
 
+## Changes in 2.0.8
+* The `update-component-sbom` and `create-product-sbom` tasks are refactored to
+  use the new SBOM generation workflow. They no longer depend on
+  `push-rpm-data-to-pyxis` and `populate-release-notes`.
+
 ## Changes in 2.0.7
 * Target for SBOM upload has been changed from Atlas v1 to Atlas v2.
 

pipelines/managed/rh-advisories/rh-advisories.yaml

@@ -4,7 +4,7 @@ kind: Pipeline
 metadata:
   name: rh-advisories
   labels:
-    app.kubernetes.io/version: "2.0.7"
+    app.kubernetes.io/version: "2.0.8"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
@@ -707,14 +707,12 @@ spec:
         - name: data
           workspace: release-workspace
       params:
-        - name: sbomJsonPath
-          value: "$(tasks.populate-release-notes.results.sbomDataPath)"
-        - name: downloadedSbomPath
-          value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
+        - name: snapshotSpec
+          value: "$(tasks.collect-data.results.snapshotSpec)"
         - name: ociStorage
           value: $(params.ociStorage)
         - name: sourceDataArtifact
-          value: "$(tasks.push-rpm-data-to-pyxis.results.sourceDataArtifact)"
+          value: "$(tasks.apply-mapping.results.sourceDataArtifact)"
         - name: subdirectory
           value: $(tasks.collect-data.results.subdirectory)
         - name: dataDir
@@ -727,17 +725,17 @@ spec:
           value: "$(params.taskGitRevision)"
       runAfter:
         - collect-data
+        - apply-mapping
         - collect-atlas-params
-        - push-rpm-data-to-pyxis
-        - populate-release-notes
+        - push-snapshot
     - name: upload-component-sbom
       when:
         - input: "$(tasks.collect-atlas-params.results.secretName)"
           operator: notin
           values: [""]
       params:
         - name: sbomDir
-          value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
+          value: "$(tasks.update-component-sbom.results.sbomPath)"
         - name: atlasSecretName
           value: "$(tasks.collect-atlas-params.results.secretName)"
         - name: ssoTokenUrl
@@ -747,7 +745,7 @@ spec:
         - name: ociStorage
           value: $(params.ociStorage)
         - name: sourceDataArtifact
-          value: "$(tasks.apply-mapping.results.sourceDataArtifact)"
+          value: "$(tasks.update-component-sbom.results.sourceDataArtifact)"
         - name: subdirectory
           value: $(tasks.collect-data.results.subdirectory)
         - name: dataDir
@@ -889,12 +887,14 @@ spec:
           operator: notin
           values: [""]
       params:
-        - name: dataJsonPath
+        - name: dataPath
           value: "$(tasks.collect-data.results.data)"
+        - name: snapshotSpec
+          value: "$(tasks.collect-data.results.snapshotSpec)"
         - name: ociStorage
           value: $(params.ociStorage)
         - name: sourceDataArtifact
-          value: "$(tasks.populate-release-notes.results.sourceDataArtifact)"
+          value: "$(tasks.apply-mapping.results.sourceDataArtifact)"
         - name: dataDir
           value: $(params.dataDir)
         - name: trustedArtifactsDebug
@@ -916,16 +916,18 @@ spec:
         - name: data
           workspace: release-workspace
       runAfter:
+        - apply-mapping
+        - collect-data
         - collect-atlas-params
-        - populate-release-notes
+        - push-snapshot
     - name: upload-product-sbom
       when:
         - input: "$(tasks.collect-atlas-params.results.secretName)"
           operator: notin
           values: [""]
       params:
         - name: sbomDir
-          value: "$(tasks.create-product-sbom.results.productSBOMPath)"
+          value: "$(tasks.create-product-sbom.results.sbomPath)"
         - name: atlasSecretName
           value: "$(tasks.collect-atlas-params.results.secretName)"
         - name: ssoTokenUrl

tasks/managed/create-product-sbom/README.md

@@ -5,17 +5,26 @@ releaseNotes content.
 
 ## Parameters
 
-| Name                    | Description                                                                                                                | Optional   | Default value           |
-|-------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|-------------------------|
-| dataJsonPath            | Path to the JSON string of the merged data containing the release notes                                                    | No         | -                       |
-| ociStorage              | The OCI repository where the Trusted Artifacts are stored                                                                  | Yes        | empty                   |
-| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire | Yes        | 1d                      |
-| trustedArtifactsDebug   | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable                                     | Yes        | ""                      |
-| orasOptions             | oras options to pass to Trusted Artifacts calls                                                                            | Yes        | ""                      | 
-| sourceDataArtifact      | Location of trusted artifacts to be used to populate data directory                                                        | Yes        | ""                      |
-| dataDir                 | The location where data will be stored                                                                                     | Yes        | $(workspaces.data.path) |
-| taskGitUrl              | The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored                      | No         | ""                      | 
-| taskGitRevision         | The revision in the taskGitUrl repo to be used                                                                             | No         | ""                      |
+| Name                    | Description                                                                                                                | Optional | Default value           |
+|-------------------------|----------------------------------------------------------------------------------------------------------------------------|----------|-------------------------|
+| sbomPath                | Path in the data directory to store the created SBOM to                                                                    | Yes      | sboms                   |
+| dataPath                | Path to the data file from collect-data                                                                                    | No       |                         |
+| snapshotSpec            | Path to the mapped snapshot spec                                                                                           | No       | -                       |
+| ociStorage              | The OCI repository where the Trusted Artifacts are stored                                                                  | Yes      | empty                   |
+| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire | Yes      | 1d                      |
+| trustedArtifactsDebug   | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable                                     | Yes      | ""                      |
+| orasOptions             | oras options to pass to Trusted Artifacts calls                                                                            | Yes      | ""                      |
+| sourceDataArtifact      | Location of trusted artifacts to be used to populate data directory                                                        | Yes      | ""                      |
+| dataDir                 | The location where data will be stored                                                                                     | Yes      | $(workspaces.data.path) |
+| taskGitUrl              | The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored                      | No       | ""                      |
+| taskGitRevision         | The revision in the taskGitUrl repo to be used                                                                             | No       | ""                      |
+
+## Changes in 2.0.0
+* Task was refactored to use the new SBOM workflow. SBOMs are now generated from the mapped snapshot spec.
+  * Renamed `productSBOMPath` result to `sbomPath` and param `dataJsonPath` to `dataPath`.
+  * Added optional `sbomPath` param specifying the path to store the created SBOM to.
+  * Added `snapshotSpec` param specifying the path to the mapped snapshot spec.
+  * Fixed executable to run script as module.
 
 ## Changes in 1.0.0
 * This task now supports Trusted artifacts

tasks/managed/create-product-sbom/create-product-sbom.yaml

@@ -4,17 +4,24 @@ kind: Task
 metadata:
   name: create-product-sbom
   labels:
-    app.kubernetes.io/version: "1.0.0"
+    app.kubernetes.io/version: "2.0.0"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
 spec:
   description: >-
-    Create product-level SBOM from release notes.
+    Create product-level SBOM from mapped snapshot spec and release notes.
   params:
-    - name: dataJsonPath
+    - name: dataPath
       description: Relative path to the JSON data file in the workspace.
       type: string
+    - name: snapshotSpec
+      type: string
+      description: Path to the mapped snapshot spec.
+    - name: sbomPath
+      description: Path to store the updated SBOMs to.
+      type: string
+      default: "sboms"
     - name: ociStorage
       description: The OCI repository where the Trusted Artifacts are stored.
       type: string
@@ -50,7 +57,7 @@ spec:
     - name: data
       description: Workspace to save the product-level SBOM to.
   results:
-    - name: productSBOMPath
+    - name: sbomPath
       description: >-
         Relative path to the directory containing the created product-level SBOM
         in the data workspace.
@@ -103,36 +110,20 @@ spec:
         - name: sourceDataArtifact
           value: $(params.sourceDataArtifact)
     - name: create-sbom
-      image: quay.io/konflux-ci/release-service-utils:3a1280476a414c7a1538b2db846bcd1fb59176fd
+      image: quay.io/konflux-ci/release-service-utils:991c2db1fe04f2fddd940605b5383a17692eb4a5
       script: |
         #!/usr/bin/env bash
         set -eux
 
-        # the SBOM is first created in a temporary file, because the name of the
-        # final SBOM depends on its contents; namely the product name and
-        # version
-        tmp_sbom="$(mktemp)"
-        create_product_sbom --data-path "$(params.dataDir)/$(params.dataJsonPath)" \
-          --output-path "$tmp_sbom"
-
-        product_name="$(jq -r '.packages[0].name' "$tmp_sbom")"
-        product_version="$(jq -r '.packages[0].versionInfo' "$tmp_sbom")"
-
-        # replace whitespace with dashes
-        normalized_name="$(echo -n "${product_name}" | tr '[:space:]' '-')"
-
-        sbom_dir="product-sboms"
-        # the combination of name + version is later used as an ID in Atlas
-        sbom_path="${sbom_dir}/${normalized_name}-${product_version}.json"
-
-        # takes into account the subdirectory of the data.json if any
-        subdir_sbom_path="$(dirname "$(params.dataJsonPath)")/${sbom_path}"
+        sbom_path="$(params.dataDir)/$(params.sbomPath)"
+        mkdir -p "$sbom_path"
 
-        output_path=$(params.dataDir)/${subdir_sbom_path}
-        mkdir -p "$(dirname "$output_path")"
-        mv "$tmp_sbom" "$output_path"
+        create_product_sbom \
+          --data-path "$(params.dataDir)/$(params.dataPath)" \
+          --snapshot-path "$(params.dataDir)/$(params.snapshotSpec)" \
+          --output-path "$sbom_path"
 
-        echo -n "$(dirname "$subdir_sbom_path")" > "$(results.productSBOMPath.path)"
+        echo -n "$(params.sbomPath)" > "$(results.sbomPath.path)"
     - name: create-trusted-artifact
       ref:
         resolver: "git"

tasks/managed/create-product-sbom/tests/mocks.sh

@@ -0,0 +1,14 @@
+function create_product_sbom() {
+  echo Mock create_product_sbom called with: "$*"
+  echo "$*" >> "$(params.dataDir)/mock_create.txt"
+
+  if [[ "$1" != "--data-path" ]] ||
+     [[ "$2" != "$(params.dataDir)/data.json" ]] ||
+     [[ "$3" != "--snapshot-path" ]] ||
+     [[ "$4" != "$(params.dataDir)/snapshot_spec.json" ]] ||
+     [[ "$5" != "--output-path" ]] ||
+     [[ "$6" != "$(params.dataDir)/sboms" ]]; then
+    echo "Error: Unexpected call"
+    exit 1
+  fi
+}

tasks/managed/create-product-sbom/tests/pre-apply-task-hook.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+TASK_PATH=$1
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+yq -i '.spec.steps[2].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[2].script' "$TASK_PATH"

tasks/managed/create-product-sbom/tests/test-create-product-sbom-basic.yaml

@@ -54,34 +54,6 @@ spec:
             - name: "DEBUG"
               value: "$(params.trustedArtifactsDebug)"
         steps:
-          - name: setup
-            image: quay.io/konflux-ci/release-service-utils:3a1280476a414c7a1538b2db846bcd1fb59176fd
-            script: |
-              #!/usr/bin/env sh
-              set -eux
-
-              mkdir -p "$(params.dataDir)/$(context.pipelineRun.uid)"
-              cat > "$(params.dataDir)/$(context.pipelineRun.uid)"/data.json << EOF
-              {
-                "releaseNotes": {
-                  "product_name": "Red Hat Openstack Product",
-                  "product_version": "123",
-                  "cpe": "cpe:/a:example:openstack:el8",
-                  "content": {
-                    "images": [
-                      {
-                        "component": "test-component-1",
-                        "purl": "test-component-1-purl-1"
-                      },
-                      {
-                        "component": "test-component-2",
-                        "purl": "test-component-2-purl-1"
-                      }
-                    ]
-                  }
-                }
-              }
-              EOF
           - name: skip-trusted-artifact-operations
             ref:
               name: skip-trusted-artifact-operations
@@ -112,8 +84,12 @@ spec:
       taskRef:
         name: create-product-sbom
       params:
-        - name: dataJsonPath
-          value: "$(context.pipelineRun.uid)/data.json"
+        - name: dataPath
+          value: "data.json"
+        - name: snapshotSpec
+          value: "snapshot_spec.json"
+        - name: sbomPath
+          value: "sboms"
         - name: ociStorage
           value: $(params.ociStorage)
         - name: orasOptions
@@ -139,7 +115,7 @@ spec:
           workspace: tests-workspace
       params:
         - name: sbomDir
-          value: $(tasks.run-task.results.productSBOMPath)
+          value: $(tasks.run-task.results.sbomPath)
         - name: sourceDataArtifact
           value: "$(tasks.run-task.results.sourceDataArtifact)=$(params.dataDir)"
         - name: dataDir
@@ -186,43 +162,16 @@ spec:
               - name: sourceDataArtifact
                 value: $(params.sourceDataArtifact)
           - name: check-result
-            image: quay.io/konflux-ci/release-service-utils:3a1280476a414c7a1538b2db846bcd1fb59176fd
+            image: quay.io/konflux-ci/release-service-utils:991c2db1fe04f2fddd940605b5383a17692eb4a5
             script: |
               #!/usr/bin/env bash
               set -eux
 
-              cp "$(params.dataDir)/$(params.sbomDir)/Red-Hat-Openstack-Product-123.json" sbom.json
-
-              test "$(jq -r '.name' sbom.json)" == "Red Hat Openstack Product 123"
-
-              # Check product SPDX package and relationship
-              test "$(jq -r '.packages[0].SPDXID' sbom.json)" == "SPDXRef-product"
-              test "$(jq -r '.packages[0].name' sbom.json)" == "Red Hat Openstack Product"
-              test "$(jq -r '.packages[0].versionInfo' sbom.json)" == "123"
-              test "$(jq -r '.packages[0].externalRefs[0].referenceLocator' sbom.json)" == \
-                "cpe:/a:example:openstack:el8"
-
-              test "$(jq -r '.relationships[0].relationshipType' sbom.json)" == "DESCRIBES"
-              test "$(jq -r '.relationships[0].relatedSpdxElement' sbom.json)" == "SPDXRef-product"
-
-              # Check component SPDX packages and relationships
-              # Component 1
-              test "$(jq -r '.packages[1].name' sbom.json)" == "test-component-1"
-              test "$(jq -r '.packages[1].externalRefs[0].referenceLocator' sbom.json)" == \
-                "test-component-1-purl-1"
-
-              test "$(jq -r '.relationships[1].relationshipType' sbom.json)" == "PACKAGE_OF"
-              test "$(jq -r '.relationships[1].spdxElementId' sbom.json)" == "SPDXRef-component-0"
-
-              # Component 2
-              test "$(jq -r '.packages[2].name' sbom.json)" == "test-component-2"
-              test "$(jq -r '.packages[2].externalRefs[0].referenceLocator' sbom.json)" == \
-                "test-component-2-purl-1"
-
-              test "$(jq -r '.relationships[2].relationshipType' sbom.json)" == "PACKAGE_OF"
-              test "$(jq -r '.relationships[2].spdxElementId' sbom.json)" == "SPDXRef-component-1"
+              if [ "$(wc -l < "$(params.dataDir)/mock_create.txt")" != 1 ]; then
+                echo Error: create_product_sbom was expected to be called 1 time. Actual calls:
+                cat "$(params.dataDir)/mock_update.txt"
+                exit 1
+              fi
 
-              test "$(jq -r '.packages | length' sbom.json)" == 3
-              test "$(jq -r '.relationships | length' sbom.json)" == 3
       runAfter:
         - run-task