
Commit e49263e

wip
1 parent 360b27c commit e49263e


2 files changed

+109
-8
lines changed


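--- a/.test/meta-commands/out.sh
+++ b/.test/meta-commands/out.sh
@@ -54,7 +54,8 @@ jq '
 mv temp/index.json.new temp/index.json
 # </build>
 # <sbom_scan>
-docker buildx build --progress=plain \
+build_output=$(
+docker buildx build --progress=rawjson \
 --provenance=false \
 --sbom=generator="$BASHBREW_BUILDKIT_SBOM_GENERATOR" \
 --tag 'docker:24.0.7-cli' \
@@ -69,7 +70,24 @@ docker buildx build --progress=plain \
 --tag 'amd64/docker:24.0.7-cli-alpine3.18' \
 --tag 'oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43' \
 --output '"type=oci","tar=false","dest=sbom"' \
-- <<<'FROM oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43@sha256:0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401'
+- <<<'FROM oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43@sha256:0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401' 2>&1
+)
+attest_manifest_digest=$(
+echo "$build_output" | jq -rs '
+.[]
+| select(.statuses).statuses[]
+| select((.completed != null) and (.id | startswith("exporting attestation manifest"))).id
+| sub("exporting attestation manifest "; "")
+'
+)
+sbom_digest=$(
+jq -r '
+.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document").digest
+' "sbom/blobs/${attest_manifest_digest//://}"
+)
+jq -c --arg digest "sha256:0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401" '
+.subject[].digest |= ($digest | split(":") | {(.[0]): .[1]})
+' "sbom/blobs/${sbom_digest//://}" > sbom.json
 # </sbom_scan>
 # <push>
 crane push temp 'oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43'
@@ -107,7 +125,8 @@ SOURCE_DATE_EPOCH=1700741054 \
 'https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/windows/windowsservercore-ltsc2022'
 # </build>
 # <sbom_scan>
-docker buildx build --progress=plain \
+build_output=$(
+docker buildx build --progress=rawjson \
 --provenance=false \
 --sbom=generator="$BASHBREW_BUILDKIT_SBOM_GENERATOR" \
 --tag 'docker:24.0.7-windowsservercore-ltsc2022' \
@@ -128,7 +147,24 @@ docker buildx build --progress=plain \
 --tag 'winamd64/docker:windowsservercore' \
 --tag 'oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e' \
 --output '"type=oci","tar=false","dest=sbom"' \
-- <<<'FROM oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e@sha256:69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce'
+- <<<'FROM oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e@sha256:69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce' 2>&1
+)
+attest_manifest_digest=$(
+echo "$build_output" | jq -rs '
+.[]
+| select(.statuses).statuses[]
+| select((.completed != null) and (.id | startswith("exporting attestation manifest"))).id
+| sub("exporting attestation manifest "; "")
+'
+)
+sbom_digest=$(
+jq -r '
+.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document").digest
+' "sbom/blobs/${attest_manifest_digest//://}"
+)
+jq -c --arg digest "sha256:69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce" '
+.subject[].digest |= ($digest | split(":") | {(.[0]): .[1]})
+' "sbom/blobs/${sbom_digest//://}" > sbom.json
 # </sbom_scan>
 # <push>
 docker push 'oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e'
@@ -217,7 +253,8 @@ jq -r --argjson sbomManifestDesc "$sbomManifestDesc" '.manifests += [ $sbomManif
 mv temp/index.json.new temp/index.json
 # </build>
 # <sbom_scan>
-docker buildx build --progress=plain \
+build_output=$(
+docker buildx build --progress=rawjson \
 --provenance=false \
 --sbom=generator="$BASHBREW_BUILDKIT_SBOM_GENERATOR" \
 --tag 'busybox:1.36.1' \
@@ -242,7 +279,24 @@ docker buildx build --progress=plain \
 --tag 'amd64/busybox:glibc' \
 --tag 'oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f' \
 --output '"type=oci","tar=false","dest=sbom"' \
-- <<<'FROM oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f@sha256:4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0'
+- <<<'FROM oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f@sha256:4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0' 2>&1
+)
+attest_manifest_digest=$(
+echo "$build_output" | jq -rs '
+.[]
+| select(.statuses).statuses[]
+| select((.completed != null) and (.id | startswith("exporting attestation manifest"))).id
+| sub("exporting attestation manifest "; "")
+'
+)
+sbom_digest=$(
+jq -r '
+.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document").digest
+' "sbom/blobs/${attest_manifest_digest//://}"
+)
+jq -c --arg digest "sha256:4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0" '
+.subject[].digest |= ($digest | split(":") | {(.[0]): .[1]})
+' "sbom/blobs/${sbom_digest//://}" > sbom.json
 # </sbom_scan>
 # <push>
 crane push --index temp 'oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f'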

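--- a/meta.jq
+++ b/meta.jq
@@ -384,9 +384,10 @@ def image_ref:
 # output: string "command for generating an SBOM from an OCI layout", may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
 def sbom_command:
 [
+"build_output=$(",
 (
 [
-"docker buildx build --progress=plain",
+"\tdocker buildx build --progress=rawjson",
 "--provenance=false",
 "--sbom=generator=\"$BASHBREW_BUILDKIT_SBOM_GENERATOR\"",
 (
@@ -415,10 +416,56 @@ def sbom_command:
 ]
 | join("")
 | @sh
-),
+) + " 2>&1",
 empty
 ] | join(" \\\n\t")
 ),
+")",
+# Using the method above assigns the wrong image digest in the SBOM subjects. This replaces it with the correct one
+# Get the digest of the attestation manifest provided by BuildKit
+"attest_manifest_digest=$(",
+(
+[
+"\techo \"$build_output\" | jq -rs '",
+(
+[
+"\t.[]",
+"| select(.statuses).statuses[]",
+"| select((.completed != null) and (.id | startswith(\"exporting attestation manifest\"))).id",
+"| sub(\"exporting attestation manifest \"; \"\")",
+empty
+] | join("\n\t\t")
+),
+"'",
+empty
+] | join("\n\t")
+),
+")",
+# Find the SBOM digest from the attestation manifest
+"sbom_digest=$(",
+(
+[
+"\tjq -r '",
+(
+[
+"\t.layers[] | select(.annotations[\"in-toto.io/predicate-type\"] == \"https://spdx.dev/Document\").digest",
+empty
+] | join("\n\t\t")
+),
+"' \"sbom/blobs/${attest_manifest_digest//://}\"",
+empty
+] | join("\n\t")
+),
+")",
+# Replace the subjects digests
+"jq -c --arg digest \"\(image_digest)\" '",
+(
+[
+"\t.subject[].digest |= ($digest | split(\":\") | {(.[0]): .[1]})",
+empty
+] | join("\n\t")
+),
+"' \"sbom/blobs/${sbom_digest//://}\" > sbom.json",
 empty
 ] | join("\n")
 ;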
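Review bot: The image digest is spliced into the generated shell unquoted as `\"\(image_digest)\"` on the `jq -c --arg digest` line near the end of the second hunk, while the visible part of this generator quotes shell arguments through `@sh` (the `| @sh` context line at the top of that hunk); `"jq -c --arg digest \(image_digest | @sh) '",` keeps the emitted script well-formed for any value that is not a plain `sha256:<hex>`. The same care is due for `$attest_manifest_digest`, which is scraped from BuildKit's progress text and then used unchecked as a path component under `sbom/blobs/`; if the matching status entry is absent or repeated the variable is empty or multi-line and the failure only surfaces as a confusing jq open error, so a guard line such as `"[[ \"$attest_manifest_digest\" =~ ^sha256:[0-9a-f]{64}$ ]]",` emitted before `"sbom_digest=$("` fails fast with a clear cause. The comment "Using the method above assigns the wrong image digest in the SBOM subjects" should also state why overwriting the in-toto `subject` is sound — the scanned build is a single `FROM <ref>@<digest>` line (as the out.sh fixture shows), so the SBOM describes exactly the pinned image's content — since the rewritten statement is what downstream consumers will trust. The middle of sbom_command lies between the two hunks of this section.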
