4 changes: 2 additions & 2 deletions .github/workflows/style.yaml
Expand Up @@ -75,8 +75,8 @@ jobs:
- name: Check Policies
run: scripts/ci/jobs/policy-checks.sh

- name: Check Konflux pipelines
run: scripts/ci/jobs/check-konflux-pipelines.sh
- name: Check Konflux setup
run: scripts/ci/jobs/check-konflux-setup.sh

style-check:
runs-on: ubuntu-latest
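--- a/.syft.yaml
+++ b/.syft.yaml
@@ -0,0 +1,7 @@
+# Konflux uses Syft to generate container SBOMs.
+# Syft config docs https://github.com/anchore/syft/wiki/configuration
+
+# Here we exclude rpmdb files checked in this repo for testing purposes from being parsed and merged into SBOM.
+# Use scripts/ci/jobs/check-konflux-setup.sh to validate or update this exclusion list.
+exclude:
+- ./compliance/node/index/testdata/usr/share/rpm/rpmdb.sqlite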
2 changes: 1 addition & 1 deletion .tekton/operator-bundle-pipeline.yaml
Expand Up @@ -648,7 +648,7 @@ spec:
# Explicitly running after all other tasks to ensure that
# - there are no failures that should prevent a release of the operator-bundle image (missing RPMs signatures, deprecated base images, ...)
# - the source image is present as it is required by EC
# Use scripts/ci/jobs/check-konflux-pipelines.sh to validate and update the list.
# Use scripts/ci/jobs/check-konflux-setup.sh to validate and update the list.
runAfter:
- apply-tags
- build-container
73 changes: 0 additions & 73 deletions scripts/ci/jobs/check-konflux-pipelines.sh

This file was deleted.

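--- a/scripts/ci/jobs/check-konflux-setup.sh
+++ b/scripts/ci/jobs/check-konflux-setup.sh
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+
+# This script is to ensure that modifications to our Konflux pipelines follow our expectations and conventions.
+# This script is intended to be run in CI
+
+set -euo pipefail
+
+FAIL_FLAG="$(mktemp)"
+trap 'rm -f $FAIL_FLAG' EXIT
+
+check_create_snapshot_runs_last() {
+local -r pipeline_path=".tekton/operator-bundle-pipeline.yaml"
+local -r task_name="create-acs-style-snapshot"
+
+local expected_runafter
+expected_runafter="$(yq eval '.spec.tasks[] | select(.name != '\"${task_name}\"') | .name' "${pipeline_path}" | sort)"
+
+local actual_runafter
+actual_runafter="$(yq eval '.spec.tasks[] | select(.name == '\"${task_name}\"') | .runAfter[]' "${pipeline_path}")"
+
+echo
+echo "➤ ${pipeline_path} // checking ${task_name}: task's runAfter contents shall match the expected ones."
+if ! compare "${expected_runafter}" "${actual_runafter}"; then
+echo >&2 -e "How to resolve:
+1. Open ${pipeline_path} and locate the ${task_name} task
+2. Update the runAfter attribute of this task to the following list (all previous tasks in the pipeline, sorted alphabetically):
+${expected_runafter}"
+record_failure "${FUNCNAME}"
+fi
+}
+
+check_all_components_are_part_of_custom_snapshot() {
+local -r pipeline_path=".tekton/operator-bundle-pipeline.yaml"
+local -r task_name="create-acs-style-snapshot"
+
+# Actual components are based on the COMPONENTS parameter and stored as sorted multi-line string.
+local actual_components
+actual_components="$(yq eval '.spec.tasks[] | select(.name == '\"${task_name}\"') | .params[] | select(.name == "COMPONENTS") | .value' "${pipeline_path}" | yq eval '.[].name' - | tr " " "\n" | sort)"
+
+# Expected components are based on the wait-for-*-image task plus the operator-bundle and stored as a sorted multi-line string.
+local expected_components_from_images
+local expected_components
+expected_components_from_images="$(yq eval '.spec.tasks[] | select(.name == "wait-for-*-image") | .name | sub("(wait-for-|-image)", "")' ${pipeline_path})"
+expected_components=$(echo "${expected_components_from_images} operator-bundle" | tr " " "\n" | sort)
+
+echo
+echo "➤ ${pipeline_path} // checking ${task_name}: COMPONENTS contents shall include all ACS images."
+if ! compare "${expected_components}" "${actual_components}"; then
+echo >&2 -e "How to resolve:
+1. Open ${pipeline_path} and locate the ${task_name} task
+2. Update the COMPONENTS parameter of this task to include entries for the missing components or delete references to removed components. COMPONENTS should include entries for (sorted alphabetically):
+${expected_components}"
+record_failure "${FUNCNAME}"
+fi
+}
+
+check_example_rpmdb_files_are_ignored() {
+# At the time of this writing, Konflux uses syft to generate SBOMs for built containers.
+# If we happen to have test rpmdb databases in the repo, syft will union their contents with RPMs that it finds
+# installed in the container resulting in a misleading SBOM.
+# This check is to make sure the exclusion list in Syft config enumerates all such rpmdbs.
+# Ref https://github.com/anchore/syft/wiki/configuration
+
+local -r syft_config=".syft.yaml"
+local -r exclude_attribute=".exclude"
+
+local actual_excludes
+actual_excludes="$(yq eval "${exclude_attribute}" "${syft_config}")"
+
+local expected_excludes
+expected_excludes="$(git ls-files -- '**/rpmdb.sqlite' | sort | uniq | sed 's/^/- .\//')"
+
+echo
+echo "➤ ${syft_config} // checking ${exclude_attribute}: all rpmdb files in the repo shall be mentioned."
+if ! compare "${expected_excludes}" "${actual_excludes}"; then
+echo >&2 "How to resolve:
+1. Open ${syft_config} and replace ${exclude_attribute} contents with the following.
+${expected_excludes}"
+record_failure "${FUNCNAME}"
+fi
+}
+
+compare() {
+local -r expected="$1"
+local -r actual="$2"
+
+if ! diff --brief <(echo "${expected}") <(echo "${actual}") > /dev/null; then
+echo >&2 "✗ ERROR: the expected contents (left) don't match the actual ones (right):"
+diff >&2 --side-by-side <(echo "${expected}") <(echo "${actual}") || true
+return 1
+else
+echo "✓ No diff detected."
+fi
+}
+
+record_failure() {
+local -r func="$1"
+echo "${func}" >> "${FAIL_FLAG}"
+}
+
+echo "Checking our Konflux pipelines and builds setup."
+check_create_snapshot_runs_last
+check_all_components_are_part_of_custom_snapshot
+check_example_rpmdb_files_are_ignored
+
+if [[ -s "$FAIL_FLAG" ]]; then
+echo >&2
+echo >&2 "✗ Some Konflux checks failed:"
+cat >&2 "$FAIL_FLAG"
+exit 1
+else
+echo
+echo "✓ All checks passed."
+fi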
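Review bot: The EXIT trap right after the `mktemp` line leaves its expansion unquoted; `trap 'rm -f -- "$FAIL_FLAG"' EXIT` keeps the cleanup correct even if the temp path ever contains whitespace, and `--` protects against a path starting with `-`. The temp file itself looks unnecessary: all three checks run in the current shell, so `record_failure` could append to a `failures=()` array and the final block could print it, dropping the `mktemp`/`trap` pair and the disk write (sketch below). The `echo >&2 -e` in `check_create_snapshot_runs_last` and `check_all_components_are_part_of_custom_snapshot` passes `-e` to messages that contain no escape sequences, while `check_example_rpmdb_files_are_ignored` omits it; `printf '%s\n' >&2 "How to resolve: ..."` would make the three consistent and avoid echo's non-portable flag handling. `${pipeline_path}` is also unquoted in the `wait-for-*-image` yq call while every other use of it is quoted.
```bash
failures=()
# … unchanged: check_* functions and compare …
record_failure() {
  failures+=("$1")
}
# … unchanged: check invocations …
if (( ${#failures[@]} > 0 )); then
  printf '\n✗ Some Konflux checks failed:\n' >&2
  printf '%s\n' "${failures[@]}" >&2
  exit 1
fi
```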