SPDX support for rpm-ostree

Signed-off-by: Jindrich Luza <[email protected]>

task/rpm-ostree/0.2/rpm-ostree.yaml

@@ -55,6 +55,10 @@ spec:
     description: Determines if build will be executed without network access.
     name: HERMETIC
     type: string
+  - name: sbomType
+    type: string
+    description: The type of SBOM to generate. Supported values are 'spdx' and 'cyclonedx'.
+    default: cyclonedx
   results:
   - description: Digest of the image just built
     name: IMAGE_DIGEST
@@ -82,6 +86,8 @@ spec:
       value: $(params.CONFIG_FILE)
     - name: HERMETIC
       value: $(params.HERMETIC)
+    - name: SBOM_TYPE
+      value: $(params.sbomType)
     computeResources: {}
   steps:
   - env:
@@ -217,17 +223,26 @@ spec:
     # (need to set the workdir, see https://github.com/anchore/syft/issues/2465)
     workingDir: $(workspaces.source.path)/source
     script: |
-      syft oci-dir:/var/lib/containers/rhtap-final-image --output cyclonedx-json=$(workspaces.source.path)/sbom-cyclonedx.json
+      SYFT_FORMAT=$([ "$(SBOM_TYPE)" = "spdx" ] && printf "spdx-json" || printf "cyclonedx-json")
+      MERGE_DST=$([ "$(SBOM_TYPE)" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json")
+      syft oci-dir:/var/lib/containers/rhtap-final-image --output "$SYFT_FORMAT"="$(workspaces.source.path)/${MERGE_DST}"
     volumeMounts:
       - mountPath: /var/lib/containers
         name: varlibcontainers
   - name: merge-cachi2-sbom
     image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:53a3041dff341b7fd1765b9cc2c324625d19e804b2eaff10a6e6d9dcdbde3a91
     script: |
+      ### TODO: Remove this block once SPDX implementation is available in the merge scripts
+      if [ "$SBOM_TYPE" = "spdx" ]; then
+        echo "SPDX implementation is not yet available"
+        exit 1
+      fi
+
+      MERGE_DST=$([ "$(SBOM_TYPE)" = "spdx" ] && printf "sbom-spdx.json" || printf "sbom-cyclonedx.json")
       cachi2_sbom=./cachi2/output/bom.json
       if [ -f "$cachi2_sbom" ]; then
-        echo "Merging contents of $cachi2_sbom into sbom-cyclonedx.json"
-        python3 /scripts/merge_cachi2_sboms.py "$cachi2_sbom" sbom-cyclonedx.json > sbom-temp.json
+        echo "Merging contents of $cachi2_sbom into sbom-${SBOM_TYPE}.json"
+        python3 /scripts/merge_cachi2_sboms.py --sbom-format "${SBOM_TYPE}" "$cachi2_sbom" "${MERGE_DST}" > sbom-temp.json
         mv sbom-temp.json sbom-cyclonedx.json
       else
         echo "Skipping step since no Cachi2 SBOM was produced"
@@ -274,7 +289,7 @@ spec:
 
       # Remove tag from IMAGE while allowing registry to contain a port number.
       sbom_repo="${IMAGE%:*}"
-      sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
+      sbom_digest="$(sha256sum "${MERGE_DST}" | cut -d' ' -f1)"
       # The SBOM_BLOB_URL is created by `cosign attach sbom`.
       echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
     securityContext:
@@ -290,7 +305,7 @@ spec:
     image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
     workingDir: $(workspaces.source.path)
     script: |
-      cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
+      cosign attach sbom --sbom "${MERGE_DST}" --type "${SBOM_TYPE}" "$(cat "$(results.IMAGE_REF.path)")"
   volumes:
   - emptyDir: {}
     name: varlibcontainers