wip

cnquery-install.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+bash -c "$(curl -sSL https://install.mondoo.com/sh)"

go.mod

@@ -26,7 +26,7 @@ require (
 	github.com/hashicorp/packer-plugin-amazon v1.2.1
 	github.com/hashicorp/packer-plugin-sdk v0.5.4
 	github.com/jehiah/go-strftime v0.0.0-20171201141054-1d33003b3869
-	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/klauspost/compress v1.13.6
 	github.com/klauspost/pgzip v1.2.5
 	github.com/masterzen/winrm v0.0.0-20210623064412-3b76017826b0
 	github.com/mattn/go-runewidth v0.0.13 // indirect
@@ -193,3 +193,5 @@ require (
 go 1.21.0
 
 replace github.com/zclconf/go-cty => github.com/nywilken/go-cty v1.13.3 // added by packer-sdc fix as noted in github.com/hashicorp/packer-plugin-sdk/issues/187
+
+replace github.com/hashicorp/hcp-sdk-go => /Users/jgoldstrich/workspace/hcp-sdk-go-internal

go.sum

@@ -297,8 +297,6 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI=
 github.com/hashicorp/hcl/v2 v2.19.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE=
-github.com/hashicorp/hcp-sdk-go v0.105.0 h1:KKqOBi13+wMEvMEG65brBJIXzvZcxjehVzk6vipaaSE=
-github.com/hashicorp/hcp-sdk-go v0.105.0/go.mod h1:vQ4fzdL1AmhIAbCw+4zmFe5Hbpajj3NvRWkJoVuxmAk=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
 github.com/hashicorp/memberlist v0.5.0 h1:EtYPN8DpAURiapus508I4n9CzHs2W+8NZGbmmR/prTM=
@@ -751,8 +749,9 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/hcp/registry/types.bucket.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/hcp-sdk-go/clients/cloud-packer-service/stable/2023-01-01/client/packer_service"
 	hcpPackerModels "github.com/hashicorp/hcp-sdk-go/clients/cloud-packer-service/stable/2023-01-01/models"
 	packerSDK "github.com/hashicorp/packer-plugin-sdk/packer"
 	packerSDKRegistry "github.com/hashicorp/packer-plugin-sdk/packer/registry/image"
@@ -222,6 +223,33 @@ func (bucket *Bucket) UpdateBuildStatus(
 	return nil
 }
 
+func (bucket *Bucket) uploadSbom(ctx context.Context, buildName string, compressedSbom []byte) error {
+	buildToUpdate, err := bucket.Version.Build(buildName)
+	if err != nil {
+		return err
+	}
+
+	log.Println(
+		"[TRACE] jennajenna uploadsbom called", buildToUpdate.ID,
+	)
+	if buildToUpdate.ID == "" {
+		return fmt.Errorf("the build for the component %q does not have a valid id", buildName)
+	}
+	_, err = bucket.client.Packer.PackerServiceUploadSbom(
+		&packer_service.PackerServiceUploadSbomParams{
+			Context:     ctx,
+			BucketName:  bucket.Name,
+			Fingerprint: bucket.Version.Fingerprint,
+			BuildID:     buildToUpdate.ID,
+			Body: &hcpPackerModels.HashicorpCloudPacker20230101UploadSbomBody{
+				CompressedSbom: compressedSbom,
+			},
+		},
+		nil,
+	)
+	return err
+}
+
 // markBuildComplete should be called to set a build on the HCP Packer registry to DONE.
 // Upon a successful call markBuildComplete will publish all artifacts created by the named build,
 // and set the build to done. A build with no artifacts can not be set to DONE.
@@ -673,6 +701,13 @@ func (bucket *Bucket) completeBuild(
 		}
 	}
 
+	for _, sbom := range build.CompressedSboms {
+		err = bucket.uploadSbom(ctx, buildName, sbom)
+		if err != nil {
+			return packerSDKArtifacts, fmt.Errorf("Failed to upload sboms %s", err)
+		}
+	}
+
 	parErr := bucket.markBuildComplete(ctx, buildName)
 	if parErr != nil {
 		return packerSDKArtifacts, fmt.Errorf(

internal/hcp/registry/types.builds.go

@@ -20,6 +20,8 @@ type Build struct {
 	Artifacts     map[string]packerSDKRegistry.Image
 	Status        hcpPackerModels.HashicorpCloudPacker20230101BuildStatus
 	Metadata      hcpPackerModels.HashicorpCloudPacker20230101BuildMetadata
+
+	CompressedSboms [][]byte
 }
 
 // NewBuildFromCloudPackerBuild converts a HashicorpCloudPackerBuild to a local build that can be tracked and

internal/hcp/registry/types.version.go

@@ -205,5 +205,8 @@ func (version *Version) AddMetadataToBuild(
 	buildToUpdate.Metadata.Vcs = globalMetadata.Vcs
 	buildToUpdate.Metadata.Cicd = globalMetadata.Cicd
 
+	// TODO IMO this shouldn't be metadata
+	buildToUpdate.CompressedSboms = buildMetadata.SBOMs
+
 	return nil
 }

whateverlucas.pkr.hcl

@@ -0,0 +1,32 @@
+packer {
+  required_plugins {
+    docker = {
+      version = ">= 1.0.0"
+      source  = "github.com/hashicorp/docker"
+    }
+  }
+}
+
+source "docker" "test" {
+  image = "debian"
+  commit = true
+}
+
+build {
+  sources = ["source.docker.test"]
+  hcp_packer_registry {
+    bucket_name = "imnot"
+  }
+  provisioner "shell" {
+    inline = [
+      "apt-get update && apt-get -y install curl",
+      "bash -c \"$(curl -sSL \"https://install.mondoo.com/sh\")\"",
+      "cnquery sbom --output cyclonedx-json >/tmp/sbom_cyclonedx.json",
+    ]
+  }
+
+  provisioner "hcp_sbom" {
+    source      = "/tmp/sbom_cyclonedx.json"
+    destination = "sbom_cyclonedx.json"
+  }
+}