Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
87 changes: 87 additions & 0 deletions scripts/auto-rebase/crypto_scan.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
#!/usr/bin/bash
set -euo pipefail

SCANNER_IMAGE="images.paas.redhat.com/exd-sp-guild-security/rh-crypto-scanner-image:latest"
REPOROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../..")"
CBOM_OUTPUT="${REPOROOT}/cbom-microshift.json"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we want to commit it to the root ?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I spoke with @pacevedom and we agreed to push it on the root directory, but feel free to provide any suggestion if you believe there could be better places

SPDX_OUTPUT="${REPOROOT}/sbom-microshift-crypto.spdx.json"

echo "Running crypto scanner against MicroShift source..."
echo "Scanner image: ${SCANNER_IMAGE}"
echo "Source directory: ${REPOROOT}"

if ! podman pull "${SCANNER_IMAGE}"; then
echo "WARNING: failed to pull scanner image, skipping CBOM generation" >&2
exit 0
fi

# The scanner skips directories named "vendor/" by default.
# Mount vendor directories under non-skipped names so the scanner
# processes them. The "deps/" directory is excluded because it is a
# patched copy of upstream Kubernetes vendor and would duplicate
# findings already covered by "vendor/".
# We stage a scan directory with only the sources we want scanned.
SCAN_DIR=$(mktemp -d)
trap 'rm -rf "${SCAN_DIR}"' EXIT

cp -a "${REPOROOT}/pkg" "${SCAN_DIR}/pkg"
cp -a "${REPOROOT}/cmd" "${SCAN_DIR}/cmd"
cp -a "${REPOROOT}/vendor" "${SCAN_DIR}/vendor-deps"
cp -a "${REPOROOT}/etcd/cmd" "${SCAN_DIR}/etcd-cmd"
cp -a "${REPOROOT}/etcd/vendor" "${SCAN_DIR}/etcd-deps"

if ! podman run --rm \
-v "${SCAN_DIR}:/workspace:z" \
"${SCANNER_IMAGE}" \
/workspace > "${CBOM_OUTPUT}"; then
echo "WARNING: crypto scan failed, skipping CBOM generation" >&2
exit 0
fi

echo "CBOM generated: "
ls -lh "${CBOM_OUTPUT}"

# SPDX 2.3 has no native crypto asset support. As a workaround agreed
# with prod sec, cryptoProperties are serialized into the SPDX package
# "comment" field.
if ! jq '{
spdxVersion: "SPDX-2.3",
dataLicense: "CC0-1.0",
SPDXID: "SPDXRef-DOCUMENT",
name: "MicroShift-CBOM",
documentNamespace: "https://microshift.io/spdx/cbom",
packages: (
[{
SPDXID: "SPDXRef-Package-RootPackage",
name: "microshift",
downloadLocation: "NOASSERTION",
filesAnalyzed: false
}] +
[.components[] | {
SPDXID: ("SPDXRef-Package-" + (.name | gsub("[^a-zA-Z0-9.-]"; "-"))),
name: .name,
comment: (.cryptoProperties | tojson),
description: "Converted CBOM component from CycloneDX to SPDX",
downloadLocation: "NOASSERTION",
filesAnalyzed: false
}]
),
relationships: (
[{
spdxElementId: "SPDXRef-DOCUMENT",
relatedSpdxElement: "SPDXRef-Package-RootPackage",
relationshipType: "DESCRIBES"
}] +
[.components[] | {
spdxElementId: "SPDXRef-Package-RootPackage",
relatedSpdxElement: ("SPDXRef-Package-" + (.name | gsub("[^a-zA-Z0-9.-]"; "-"))),
relationshipType: "CONTAINS"
}]
)
}' "${CBOM_OUTPUT}" > "${SPDX_OUTPUT}"; then
echo "WARNING: SPDX conversion failed" >&2
exit 0
fi

echo "SPDX generated: "
ls -lh "${SPDX_OUTPUT}"
10 changes: 10 additions & 0 deletions scripts/auto-rebase/rebase_job_entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,16 @@ else
./scripts/auto-rebase/rebase-lvms.sh to "${pullspec_release_lvms_fallback}"
fi

# Generate CBOM (Cryptographic Bill of Materials)
if [[ "${CRYPTO_SCAN:-}" == "true" ]]; then
./scripts/auto-rebase/crypto_scan.sh
if [[ -n "$(git status -s cbom-microshift.json sbom-microshift-crypto.spdx.json)" ]]; then
echo "Updating CBOM"
git add cbom-microshift.json sbom-microshift-crypto.spdx.json
git commit -m "update cbom"
fi
fi

if [[ "${JOB_TYPE}" == "presubmit" ]]; then
# Verify the assets after the rebase to make sure
# nightly job will not fail on assets verification.
Expand Down