feat: Add job for building sboms

Signed-off-by: Artem Goncharov <[email protected]>

playbooks/sbom/post.yaml

@@ -0,0 +1,3 @@
+---
+- hosts: all
+  tasks:

playbooks/sbom/pre.yaml

@@ -0,0 +1,13 @@
+---
+- hosts: all
+  roles:
+    - ensure-trivy
+    - ensure-syft
+  tasks:
+    - name: "Create SBOMs directory"
+      ansible.builtin.file:
+        path: "{{ ansible_user_dir }}/zuul-output/artifacts/sboms"
+        state: "directory"
+        mode: 0755
+
+

playbooks/sbom/run.yaml

@@ -0,0 +1,23 @@
+---
+- hosts: all
+  tasks:
+    - name: Generate SBOM with syft
+      ansible.builtin.include_role:
+        name: "generate-sbom-syft"
+      vars:
+        generate_sbom_syft_source: "{{ zj_item.registry }}/{{ zj_item.name }}:{{ zj_item.tag }}"
+        generate_sbom_syft_path: "{{ ansible_user_dir }}/zuul-output/artifacts/sboms/{{ zj_item.name }}.syft.json"
+      loop: "{{ images }}"
+      loop_control:
+        loop_var: zj_item
+
+    - name: Generate SBOM with trivy
+      ansible.builtin.include_role:
+        name: "generate-sbom-trivy"
+      vars:
+        generate_sbom_trivy_source: "{{ zj_item.registry }}/{{ zj_item.name }}:{{ zj_item.tag }}"
+        generate_sbom_trivy_path: "{{ ansible_user_dir }}/zuul-output/artifacts/sboms/{{ zj_item.name }}.trivy.json"
+        generate_sbom_trivy_command: "image"
+      loop: "{{ images }}"
+      loop_control:
+        loop_var: zj_item

roles/ensure-base/README.rst

@@ -0,0 +1,19 @@
+Install binary tool from GitHub
+
+**Role Variables**
+
+.. zuul:rolevar:: ensure_base_install_dir
+   :default: /usr/local/bin
+
+   Directory to install binary in.
+
+.. zuul:rolevar:: ensure_base_version
+   :default: latest
+
+   Version of tool
+
+.. zuul:rolevar:: ensure_base_os
+   :default: {{ ansible_system | lower }}
+
+.. zuul:rolevar:: ensure_base_arch
+   :default: amd64 / 386

roles/ensure-base/defaults/main.yaml

@@ -0,0 +1,10 @@
+ensure_base_name: ""
+ensure_base_github_owner: ""
+ensure_base_github_repo: ""
+ensure_base_version: "latest"
+ensure_base_tag: "v{{ ensure_base_version }}"
+ensure_base_download_prefix: "https://github.com/{{ ensure_base_github_owner }}/{{ ensure_base_github_repo }}/releases/download"
+ensure_base_release_info_url_prefix: "https://github.com/{{ ensure_base_github_owner }}/{{ ensure_base_github_repo }}/releases/"
+ensure_base_os: "{{ ansible_system | lower }}"
+ensure_base_arch: "{{ ensure_base_arch_translation[ansible_architecture] }}"
+ensure_base_install_dir: "/usr/local/bin"

roles/ensure-base/tasks/install.yaml

@@ -0,0 +1,30 @@
+- name: Create temp directory
+  ansible.builtin.tempfile:
+    state: directory
+  register: ensure_base_archive_tempdir
+
+- name: Get GitHub release info
+  ansible.builtin.uri:
+    url: "{{ ensure_base_release_info_url_prefix }}/{{ (ensure_base_version == 'latest') | ternary(ensure_base_version, ensure_base_tag) }}"
+    headers:
+      accept: "application/json"
+  register: ensure_base_release_info
+
+- name: Download {{ ensure_base_name }} checksums
+  ansible.builtin.uri:
+    url: "{{ ensure_base_download_prefix }}/{{ ensure_base_release_info.json.tag_name }}/{{ ensure_base_name }}_{{ ensure_base_release_info.json.tag_name | regex_replace('^v', '') }}_checksums.txt"
+    return_content: true
+  register: ensure_base_checksums
+
+- name: Download {{ ensure_base_name }} archive
+  ansible.builtin.get_url:
+    url: "{{ ensure_base_download_prefix }}/{{ ensure_base_release_info.json.tag_name }}/{{ ensure_base_name }}_{{ ensure_base_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_base_os }}_{{ ensure_base_arch }}.tar.gz"
+    dest: "{{ ensure_base_archive_tempdir.path }}/{{ ensure_base_name }}_{{ ensure_base_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_base_os }}_{{ ensure_base_arch }}.tar.gz"
+    checksum: "sha256:{{ ensure_base_checksums.content | regex_search('(?P<checksum>.*)\\b\\s+'+ensure_base_name+'_'+(ensure_base_release_info.json.tag_name | regex_replace('^v',''))+'_'+ensure_base_os+'_'+ensure_base_arch+'.tar.gz', '\\g<checksum>') }}"
+
+- name: Install {{ ensure_base_name }}
+  ansible.builtin.unarchive:
+    src: "{{ ensure_base_archive_tempdir.path }}/{{ ensure_base_name }}_{{ ensure_base_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_base_os }}_{{ ensure_base_arch }}.tar.gz"
+    dest: "{{ ensure_base_install_dir }}"
+    remote_src: yes
+  become: true

roles/ensure-base/tasks/main.yaml

@@ -0,0 +1,12 @@
+- name: Check installed {{ ensure_base_name }} version
+  ansible.builtin.command: "{{ ensure_base_name }} version"
+  register: ensure_base_installed_version
+  environment:
+    PATH: "{{ ansible_env.PATH }}:{{ ensure_base_install_dir }}"
+  failed_when: false
+
+- name: Skip if correct version of {{ ensure_base_name }} is installed
+  ansible.builtin.include_tasks: install.yaml
+  when:
+    - ensure_base_installed_version.rc != 0 or
+      ensure_base_version != (ensure_base_installed_version.stdout|regex_replace(ensure_base_version_pattern, '\\g<version>'))

roles/ensure-base/vars/main.yaml

@@ -0,0 +1,6 @@
+ensure_base_arch_translation:
+  amd64: amd64
+  x86_64: amd64
+  i386: 386
+
+ensure_base_version_pattern: ^{{ ensure_base_name }} (?P<version>.*?)$

roles/ensure-syft/README.rst

@@ -0,0 +1,8 @@
+Install Anchore Syft
+
+**Role Variables**
+
+.. zuul:rolevar:: syft_version
+   :default: latest
+
+   Version of syft

roles/ensure-syft/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+ensure_syft_version: "1.11.1"

roles/ensure-syft/tasks/main.yaml

@@ -0,0 +1,8 @@
+- name: Import ensure-base role
+  ansible.builtin.import_role:
+    name: ensure-base
+  vars:
+    ensure_base_name: "syft"
+    ensure_base_github_owner: "anchore"
+    ensure_base_github_repo: "syft"
+    ensure_base_version: "{{ ensure_syft_version }}"

roles/ensure-trivy/README.rst

@@ -0,0 +1,8 @@
+Install Anchore Syft
+
+**Role Variables**
+
+.. zuul:rolevar:: syft_version
+   :default: latest
+
+   Version of syft

roles/ensure-trivy/defaults/main.yaml

@@ -0,0 +1,15 @@
+---
+ensure_trivy_version: "0.55.0"
+ensure_trivy_name: "trivy"
+ensure_trivy_github_owner: "aquasecurity"
+ensure_trivy_github_repo: "trivy"
+ensure_trivy_version: "0.55.0"
+ensure_trivy_tag: "v{{ ensure_trivy_version }}"
+ensure_trivy_download_prefix: "https://github.com/{{ ensure_trivy_github_owner }}/{{ ensure_trivy_github_repo }}/releases/download"
+ensure_trivy_release_info_url_prefix: "https://github.com/{{ ensure_trivy_github_owner }}/{{ ensure_trivy_github_repo }}/releases/"
+ensure_trivy_os: "{{ ansible_system }}"
+ensure_trivy_arch: "{{ ensure_trivy_arch_translation[ansible_architecture] }}"
+ensure_trivy_install_dir: "/usr/local/bin"
+ensure_trivy_arch_translation:
+  amd64: "64bit"
+  x86_64: "64bit"

roles/ensure-trivy/tasks/main.yaml

@@ -0,0 +1,31 @@
+---
+- name: Create temp directory
+  ansible.builtin.tempfile:
+    state: directory
+  register: ensure_trivy_archive_tempdir
+
+- name: Get GitHub release info
+  ansible.builtin.uri:
+    url: "{{ ensure_trivy_release_info_url_prefix }}/{{ (ensure_trivy_version == 'latest') | ternary(ensure_trivy_version, ensure_trivy_tag) }}"
+    headers:
+      accept: "application/json"
+  register: ensure_trivy_release_info
+
+- name: Download {{ ensure_trivy_name }} checksums
+  ansible.builtin.uri:
+    url: "{{ ensure_trivy_download_prefix }}/{{ ensure_trivy_release_info.json.tag_name }}/{{ ensure_trivy_name }}_{{ ensure_trivy_release_info.json.tag_name | regex_replace('^v', '') }}_checksums.txt"
+    return_content: true
+  register: ensure_trivy_checksums
+
+- name: Download {{ ensure_trivy_name }} archive
+  ansible.builtin.get_url:
+    url: "{{ ensure_trivy_download_prefix }}/{{ ensure_trivy_release_info.json.tag_name }}/{{ ensure_trivy_name }}_{{ ensure_trivy_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_trivy_os }}-{{ ensure_trivy_arch }}.tar.gz"
+    dest: "{{ ensure_trivy_archive_tempdir.path }}/{{ ensure_trivy_name }}_{{ ensure_trivy_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_trivy_os }}-{{ ensure_trivy_arch }}.tar.gz"
+    checksum: "sha256:{{ ensure_trivy_checksums.content | regex_search('(?P<checksum>.*)\\b\\s+'+ensure_trivy_name+'_'+(ensure_trivy_release_info.json.tag_name | regex_replace('^v',''))+'_'+ensure_trivy_os+'-'+ensure_trivy_arch+'.tar.gz', '\\g<checksum>') }}"
+
+- name: Install {{ ensure_trivy_name }}
+  ansible.builtin.unarchive:
+    src: "{{ ensure_trivy_archive_tempdir.path }}/{{ ensure_trivy_name }}_{{ ensure_trivy_release_info.json.tag_name | regex_replace('^v', '') }}_{{ ensure_trivy_os }}-{{ ensure_trivy_arch }}.tar.gz"
+    dest: "{{ ensure_trivy_install_dir }}"
+    remote_src: yes
+  become: true

roles/fetch-sbom/README.rst

@@ -0,0 +1,11 @@
+Fetch SBOM
+
+**Role Variables**
+
+.. zuul:rolevar:: zuul_work_dir
+
+   Zuul working directory
+
+.. zuul:rolevar:: zuul_output_dir
+
+   Output directory

roles/fetch-sbom/defaults/main.yaml

@@ -0,0 +1,4 @@
+---
+zuul_work_dir: "{{ zuul.project.src_dir }}"
+zuul_output_dir: "{{ ansible_user_dir }}/zuul-output"
+fetch_sbom_glob: "*.sbom.xml"

roles/fetch-sbom/tasks/main.yaml

@@ -0,0 +1,22 @@
+- name: Fetch sbom file to job artifacts
+  ansible.builtin.copy:
+    dest: "{{ zuul_output_dir }}/logs/"
+    src: "{{ zj_item.bom_path }}"
+    mode: 0644
+    remote_src: true
+  loop: "{{ zuul_bom_results | default([]) }}"
+  loop_control:
+    loop_var: zj_item
+
+- name: Return artifact to Zuul
+  zuul_return:
+    data:
+      zuul:
+        artifacts:
+          - name: "SBOM: {{ zj_item.project_name }}:{{ zj_item.project_version }}"
+            url: "{{ zj_item.bom_path | basename }}"
+            metadata:
+              type: sbom
+  loop: "{{ zuul_bom_results | default([]) }}"
+  loop_control:
+    loop_var: zj_item

roles/generate-sbom-syft/README.rst

@@ -0,0 +1,16 @@
+Generate SBOM with Syft
+
+**Role Variables**
+
+.. zuul:rolevar:: generate_sbom_syft_source
+
+   Source to generate SBOM for
+
+.. zuul:rolevar:: generate_sbom_syft_format
+   :default: cyclonedx-json
+
+   Format of the SBOM report
+
+.. zuul:rolevar:: generate_sbom_syft_path
+
+   Path where to save the report

roles/generate-sbom-syft/defaults/main.yaml

@@ -0,0 +1,4 @@
+generate_sbom_syft_executable: "/usr/local/bin/syft"
+generate_sbom_syft_command: "scan"
+generate_sbom_syft_format: "[email protected]"
+generate_sbom_syft_path: "{{ ansible_user }}/zuul-output/sboms/syft-sbom.json"

roles/generate-sbom-syft/tasks/main.yaml

@@ -0,0 +1,2 @@
+- name: Generate SBOM for artifact with syft
+  ansible.builtin.command: "{{ generate_sbom_syft_executable }} {{ generate_sbom_syft_command }} {{ generate_sbom_syft_source }} -o {{ generate_sbom_syft_format }}={{ generate_sbom_syft_path }}"

roles/generate-sbom-trivy/README.rst

@@ -0,0 +1,16 @@
+Generate SBOM with Trivy
+
+**Role Variables**
+
+.. zuul:rolevar:: generate_sbom_trivy_source
+
+   Source to generate SBOM for
+
+.. zuul:rolevar:: generate_sbom_trivy_format
+   :default: cyclonedx
+
+   Format of the SBOM report
+
+.. zuul:rolevar:: generate_sbom_trivy_path
+
+   Path where to save the report

roles/generate-sbom-trivy/defaults/main.yaml

@@ -0,0 +1,4 @@
+generate_sbom_trivy_executable: "/usr/local/bin/trivy"
+generate_sbom_trivy_command: ""
+generate_sbom_trivy_format: "cyclonedx"
+generate_sbom_trivy_path: "{{ ansible_user }}/zuul-output/sboms/trivy-sbom.json"

roles/generate-sbom-trivy/tasks/main.yaml

@@ -0,0 +1,2 @@
+- name: Generate SBOM for artifact with trivy
+  ansible.builtin.command: "{{ generate_sbom_trivy_executable }} {{ generate_sbom_trivy_command | default() }} {{ generate_sbom_trivy_source }} --format {{ generate_sbom_trivy_format }} --output {{ generate_sbom_trivy_path }}"