ROX-27905: Exclude example rpmdb from SBOMs#14065

Merged
msugakov merged 4 commits into master from misha/add-syft-konflux-config on Feb 28, 2025

Conversation


@msugakov msugakov commented Jan 31, 2025

Description

Syft picks up any rpmdb it finds, reads them all and presents the merged content in the SBOM. It finds a test rpmdb that's in our repo in such a way. This change tells Syft to ignore the file and also teaches our CI to flag if more rpmdb files appear in the repo.

See https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1738328986559729
Config https://github.com/anchore/syft/wiki/configuration#list-of-configurable-values

Note for reviewers: I renamed an existing script and did some refactorings to it. After that, GitHub ultimately sees it as a removal and a new file creation. If you'd like to know what has changed, please review this PR by commits.

User-facing documentation

  • CHANGELOG is updated OR update is not needed
  • documentation PR is created and is linked above OR is not needed

Testing and quality

  • the change is production ready: the change is GA or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added regression tests

How I validated my change

Validated output images to make sure fc35 entries aren't there, comparing with builds before this change.

$ cosign download sbom quay.io/rhacs-eng/roxctl:4.8.0-27-g2d087e9bf1-fast-amd64 > pre-sbom.json
$ grep -E '\bfc35\b' pre-sbom.json| wc -l
664
$ wc -l pre-sbom.json 
217568 pre-sbom.json

$ cosign download sbom quay.io/rhacs-eng/roxctl:4.8.0-112-gb5cfc2c18f-fast-amd64 > post-sbom.json
$ grep -E '\bfc35\b' post-sbom.json| wc -l
0
$ wc -l post-sbom.json 
209409 post-sbom.json

# also visually verified the outputs for one specific package
$ grep openssl pre-sbom.json
$ grep openssl post-sbom.json
# el8_6 are still there, but fc35 are gone
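As an added example (not this PR's own script, nor StackRox's CI), a POSIX shell check in the spirit of the guard described above: it finds rpmdb files in a repo tree, verifies each is listed under `exclude:` in `.syft.yaml`, and enforces the `./`, `*/`, `**/` prefix rule that Syft reports when an exclusion pattern is malformed. The rpmdb file names, the flat YAML layout, the `check_syft_excludes` function and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not the project's CI script. Checks that every rpmdb file in
# a repo tree is excluded in .syft.yaml and that the exclude patterns use a
# prefix Syft accepts. Assumptions: a simple top-level "exclude:" list with
# unquoted "  - pattern" items, and rpmdb file names rpmdb.sqlite, Packages
# and Packages.db (the sqlite, bdb and ndb backends of rpm).

# check_syft_excludes <repo-root>: prints each problem, returns 1 if any.
check_syft_excludes() {
  root="$1"
  cfg="$root/.syft.yaml"
  status=0
  [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }
  # Lines of the "exclude:" block up to the next top-level key, list markers stripped.
  patterns=$(sed -n '/^exclude:/,/^[^ -]/p' "$cfg" | sed -n 's/^ *- *//p')
  for p in $patterns; do
    case "$p" in
      ./*|\*/*|\*\*/*) ;;   # prefixes Syft accepts
      *) echo "bad exclusion pattern (must start with ./, */ or **/): $p"; status=1 ;;
    esac
  done
  # find prints paths as ./..., which is exactly the form Syft wants in .syft.yaml.
  for f in $(cd "$root" && find . -type f \( -name rpmdb.sqlite -o -name Packages -o -name Packages.db \) | sort); do
    printf '%s\n' "$patterns" | grep -qxF "$f" || { echo "rpmdb not excluded from SBOM: $f"; status=1; }
  done
  return $status
}

# Constructed sample tree: the known test rpmdb is excluded, a second one is not,
# and its pattern lacks the ./ prefix, so the check reports two problems.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/compliance/node/index/testdata/usr/share/rpm" "$tmp/pkg/testdata/var/lib/rpm"
  : > "$tmp/compliance/node/index/testdata/usr/share/rpm/rpmdb.sqlite"
  : > "$tmp/pkg/testdata/var/lib/rpm/Packages"
  cat > "$tmp/.syft.yaml" <<'EOF'
exclude:
  - ./compliance/node/index/testdata/usr/share/rpm/rpmdb.sqlite
  - pkg/testdata/var/lib/rpm/Packages
EOF
  check_syft_excludes "$tmp"
}

demo || echo "rpmdb check failed; see problems above"
```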


openshift-ci bot commented Jan 31, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


rhacs-bot commented Jan 31, 2025

Images are ready for the commit at b5cfc2c.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.8.x-112-gb5cfc2c18f.

@rhacs-bot

Images are ready for the commit at c8c8cef.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.7.x-589-gc8c8cef6ed.


codecov bot commented Jan 31, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.03%. Comparing base (40e9e9d) to head (b5cfc2c).
Report is 4 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #14065      +/-   ##
==========================================
- Coverage   49.04%   49.03%   -0.01%     
==========================================
  Files        2521     2521              
  Lines      183398   183398              
==========================================
- Hits        89941    89933       -8     
- Misses      86336    86345       +9     
+ Partials     7121     7120       -1     
| Flag | Coverage Δ |
|---|---|
| go-unit-tests | 49.03% <ø> (-0.01%) ⬇️ |


@msugakov msugakov changed the title Try exclude example rpmdb from SBOMs ROX-27905: Try exclude example rpmdb from SBOMs Jan 31, 2025
@msugakov msugakov force-pushed the misha/add-syft-konflux-config branch from 153bd8e to 551a5e5 Compare February 17, 2025 12:21
@msugakov

/retest central-db-on-push

@msugakov

/retest roxctl-on-push

@msugakov

/test operator-on-push

@stackrox stackrox deleted a comment from openshift-ci bot Feb 17, 2025
@stackrox stackrox deleted a comment from openshift-ci bot Feb 17, 2025
@stackrox stackrox deleted a comment from openshift-ci bot Feb 17, 2025
@msugakov

/test central-db-on-push

@stackrox stackrox deleted a comment from openshift-ci bot Feb 17, 2025
@msugakov msugakov force-pushed the misha/add-syft-konflux-config branch from 551a5e5 to 6be865f Compare February 19, 2025 17:06
@msugakov msugakov changed the title ROX-27905: Try exclude example rpmdb from SBOMs ROX-27905: Exclude example rpmdb from SBOMs Feb 19, 2025
@github-actions github-actions bot added area/ci konflux-build Run Konflux in PR. Push commit to trigger it. labels Feb 19, 2025
@msugakov msugakov force-pushed the misha/add-syft-konflux-config branch from 0891e22 to f755a0a Compare February 19, 2025 17:32
@msugakov msugakov force-pushed the misha/add-syft-konflux-config branch from f755a0a to ce1e955 Compare February 19, 2025 18:34
@msugakov msugakov added backport-for-4.6-konflux-release https://redhat-internal.slack.com/archives/C05TS9N0S7L/p1730134914487439 backport-for-4.7-konflux-release https://redhat-internal.slack.com/archives/C05TS9N0S7L/p1739787699448879 labels Feb 26, 2025
@msugakov msugakov force-pushed the misha/add-syft-konflux-config branch from ce1e955 to d5b9a32 Compare February 26, 2025 13:58
because we'll check more than just the pipelines.
Note that Syft requires paths to start with `./` otherwise it fails
like this:

```
[0000] ERROR ␛[31munable to get file resolver: invalid exclusion pattern(s): 'compliance/node/index/testdata/usr/share/rpm/rpmdb.sqlite' (must start with one of: './', '*/', or '**/')␛[0m
```
@msugakov msugakov force-pushed the misha/add-syft-konflux-config branch from d5b9a32 to b5cfc2c Compare February 27, 2025 11:44
@msugakov

/retest main-on-push

@stackrox stackrox deleted a comment from openshift-ci bot Feb 27, 2025
@msugakov msugakov marked this pull request as ready for review February 27, 2025 17:10
@msugakov msugakov requested a review from a team as a code owner February 27, 2025 17:10

openshift-ci bot commented Feb 27, 2025

@msugakov: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/gke-scanner-v4-install-tests | b5cfc2c | link | false | /test gke-scanner-v4-install-tests |
| ci/prow/ocp-4-12-scanner-v4-install-tests | b5cfc2c | link | false | /test ocp-4-12-scanner-v4-install-tests |
| ci/prow/ocp-4-17-scanner-v4-install-tests | b5cfc2c | link | false | /test ocp-4-17-scanner-v4-install-tests |
| ci/prow/ocp-4-17-qa-e2e-tests | b5cfc2c | link | false | /test ocp-4-17-qa-e2e-tests |


@msugakov msugakov merged commit 906ce49 into master Feb 28, 2025
108 of 120 checks passed
@msugakov msugakov deleted the misha/add-syft-konflux-config branch February 28, 2025 09:37
msugakov added a commit to stackrox/scanner that referenced this pull request Feb 28, 2025
msugakov added a commit to stackrox/scanner that referenced this pull request Feb 28, 2025
msugakov added a commit to stackrox/scanner that referenced this pull request Feb 28, 2025
Took the one from StackRox and kept only the .syft.yaml validating
part.

See stackrox/stackrox#14065