[POC] Provisioner for SBOM #13171
Conversation
Left a bunch of comments on the code, I think we can simplify the download to have it done once only, technically once we've copied the file locally for Packer, we can copy it to the user-specified destination (if specified). That or we can factorise the code for downloading since it's very similar.
I'll let you address those comments and do another pass of review after that.
`destination` option in the provisioner.

Currently, we support `CycloneDX` and `SPDX` SBOM formats in `JSON`.
TBA: Add more details about max number of files allowed to download, and if we are going to add the file name field!
@@ -662,6 +661,23 @@ func (bucket *Bucket) completeBuild( | |||
return packerSDKArtifacts, fmt.Errorf("build failed, not uploading artifacts") | |||
} | |||
|
|||
artifacts, err := bucket.doCompleteBuild(ctx, buildName, packerSDKArtifacts, buildErr) |
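Review bot: the hunk shows `artifacts, err := bucket.doCompleteBuild(ctx, buildName, packerSDKArtifacts, buildErr)` but the handling of `err` is outside the visible context, while the early return just above it (`return packerSDKArtifacts, fmt.Errorf("build failed, not uploading artifacts")`) shows the function's convention of returning the artifacts together with the error. Confirm that the new `err` is checked immediately and, given the commit message's stated intent of explicitly marking the build as failed on HCP Packer when completion does not work, that the status update runs before returning rather than leaving the build in a running state.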
Nice!
You can consider this verbally approved, will make it as approved once we have tested it using the internal SDK instead of the locally generated one. Good work on this Lucas and Dev!
Since this will currently fail locally without the generated SDK, I checked this branch out and ran `make test` and `make ci-lint`; both passed.
The hcp-sbom provisioner is a provisioner that acts essentially like a download-only file provisioner, which also verifies that the downloaded file is an SPDX/CycloneDX JSON-encoded SBOM file, and sets up its upload to HCP Packer later on.
Since packer now supports keeping track of SBOMs produced during a build, we add the code to integrate those changes into the internal/hcp package, so we do upload them on build completion.
When a build cannot be completed without errors, the build state was left as running, unless the build explicitly failed, which meant that HCP Packer would be responsible for changing the status after the heartbeats for the build stopped being sent for two 5m periods. This commit changes this behaviour, by explicitly marking the build as failed if something did not work while trying to complete a build on HCP Packer, even if the local Packer core build succeeded before that.
In the current state, a Packer build that succeeds but fails to push its metadata to HCP for reasons other than a lack of artifact will always succeed from the perspective of a user invoking `packer build`. This can be a bit misleading, as users may expect their artifacts to appear on HCP Packer if their build succeeded on Packer Core, so this commit changes this behaviour, instead reporting HCP errors as a real error if the build failed, so packer returns a non-zero error code if this happens.
Since the protos for uploading an SBOM for a build have been changed to use an enumeration instead of a plain string with the latest revisions to the HCP Packer SBOM support feature, we update how we reference those values for the SBOM format to use that enum instead.
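The verification step described above, that a downloaded file is a CycloneDX or SPDX JSON SBOM before it is staged for upload, as an added example that is not code from this PR or from Packer; the `SBOMFormat` constants and `DetectSBOMFormat` are hypothetical names standing in for the enum the commit message mentions, and the marker fields come from the two formats' JSON schemas:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SBOMFormat stands in for the enum mentioned in the commit message; these
// constant names are assumptions, not the HCP SDK's values.
type SBOMFormat int

const (
	SBOMFormatUnknown SBOMFormat = iota
	SBOMFormatCycloneDX
	SBOMFormatSPDX
)

// DetectSBOMFormat checks the marker fields that identify the two supported
// formats: CycloneDX JSON has bomFormat == "CycloneDX" and a specVersion;
// SPDX JSON has an "SPDX-x.y" spdxVersion and SPDXID == "SPDXRef-DOCUMENT".
// Anything else is rejected before the file would be staged for upload.
func DetectSBOMFormat(data []byte) (SBOMFormat, error) {
	var doc struct {
		BOMFormat   string `json:"bomFormat"`
		SpecVersion string `json:"specVersion"`
		SPDXVersion string `json:"spdxVersion"`
		SPDXID      string `json:"SPDXID"`
	}
	if err := json.Unmarshal(data, &doc); err != nil {
		return SBOMFormatUnknown, fmt.Errorf("not valid JSON: %w", err)
	}
	switch {
	case doc.BOMFormat == "CycloneDX" && doc.SpecVersion != "":
		return SBOMFormatCycloneDX, nil
	case strings.HasPrefix(doc.SPDXVersion, "SPDX-") && doc.SPDXID == "SPDXRef-DOCUMENT":
		return SBOMFormatSPDX, nil
	}
	return SBOMFormatUnknown, fmt.Errorf("JSON is neither a CycloneDX nor an SPDX SBOM")
}

func main() {
	// Constructed sample inputs, not files from the PR.
	for _, s := range []string{
		`{"bomFormat":"CycloneDX","specVersion":"1.5"}`,
		`{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT"}`,
		`{"name":"not-an-sbom"}`} {
		f, err := DetectSBOMFormat([]byte(s))
		fmt.Println(f, err)
	}
}
```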
Thank you @lbajolet-hashicorp and @devashish-patel for your work here. I am glad we're getting this out for our users :). It's been a long one, and I think we have work to be proud of here.
Lucas asked me to in Zoom
Example templates:
JSON:
HCL: