diff --git a/cnquery-install.sh b/cnquery-install.sh
new file mode 100644
index 000000000..96e6a3194
--- /dev/null
+++ b/cnquery-install.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+bash -c "$(curl -sSL https://install.mondoo.com/sh)"
diff --git a/go.mod b/go.mod
index bd377d0f4..408105211 100644
--- a/go.mod
+++ b/go.mod
@@ -26,7 +26,7 @@ require (
 github.com/hashicorp/packer-plugin-amazon v1.2.1
 github.com/hashicorp/packer-plugin-sdk v0.5.4
 github.com/jehiah/go-strftime v0.0.0-20171201141054-1d33003b3869
- github.com/klauspost/compress v1.13.6 // indirect
+ github.com/klauspost/compress v1.13.6
 github.com/klauspost/pgzip v1.2.5
 github.com/masterzen/winrm v0.0.0-20210623064412-3b76017826b0
 github.com/mattn/go-runewidth v0.0.13 // indirect
@@ -193,3 +193,5 @@ require (
 go 1.21.0
 
 replace github.com/zclconf/go-cty => github.com/nywilken/go-cty v1.13.3 // added by packer-sdc fix as noted in github.com/hashicorp/packer-plugin-sdk/issues/187
+
+replace github.com/hashicorp/hcp-sdk-go => /Users/jgoldstrich/workspace/hcp-sdk-go-internal
diff --git a/go.sum b/go.sum
index f2f214db7..74fb78b0f 100644
--- a/go.sum
+++ b/go.sum
@@ -297,8 +297,6 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI=
 github.com/hashicorp/hcl/v2 v2.19.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE=
-github.com/hashicorp/hcp-sdk-go v0.105.0 h1:KKqOBi13+wMEvMEG65brBJIXzvZcxjehVzk6vipaaSE=
-github.com/hashicorp/hcp-sdk-go v0.105.0/go.mod h1:vQ4fzdL1AmhIAbCw+4zmFe5Hbpajj3NvRWkJoVuxmAk=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
 github.com/hashicorp/memberlist v0.5.0 h1:EtYPN8DpAURiapus508I4n9CzHs2W+8NZGbmmR/prTM=
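Review bot: `bash -c "$(curl -sSL https://install.mondoo.com/sh)"` executes whatever the remote endpoint serves at run time, with no pinned version and no checksum or signature check, and nothing on the page explains why this two-line script sits at the repository root; it reads as a helper for the local SBOM experiment rather than something Packer should ship. If it is meant to stay, add a header comment stating its purpose and who runs it, and download the installer to a file and verify a known checksum before executing it rather than piping straight into bash. If it was only needed for local testing, drop it from the commit.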
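Review bot: The added `replace github.com/hashicorp/hcp-sdk-go => /Users/jgoldstrich/workspace/hcp-sdk-go-internal` in the second go.mod hunk points at an absolute path on one developer's machine, so the module fails to resolve for anyone else and in CI, and the matching go.sum hunk drops both `github.com/hashicorp/hcp-sdk-go v0.105.0` checksum lines, removing the integrity pins for that dependency from the tree. Replace the directive with a published tag of the SDK that contains `PackerServiceUploadSbom` in the require block (e.g. `github.com/hashicorp/hcp-sdk-go vX.Y.Z`, version to be filled in) and regenerate go.sum with `go mod tidy` so the `h1:` entries return. The `// indirect` removal on `github.com/klauspost/compress` in the first hunk is fine on its own.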
@@ -751,8 +749,9 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/internal/hcp/registry/types.bucket.go b/internal/hcp/registry/types.bucket.go
index 17f3e34c0..42be96664 100644
--- a/internal/hcp/registry/types.bucket.go
+++ b/internal/hcp/registry/types.bucket.go
@@ -13,6 +13,7 @@ import (
 "time"
 
 "github.com/hashicorp/go-multierror"
+ "github.com/hashicorp/hcp-sdk-go/clients/cloud-packer-service/stable/2023-01-01/client/packer_service"
 hcpPackerModels "github.com/hashicorp/hcp-sdk-go/clients/cloud-packer-service/stable/2023-01-01/models"
 packerSDK "github.com/hashicorp/packer-plugin-sdk/packer"
 packerSDKRegistry "github.com/hashicorp/packer-plugin-sdk/packer/registry/image"
@@ -222,6 +223,33 @@ func (bucket *Bucket) UpdateBuildStatus(
 return nil
 }
 
+func (bucket *Bucket) uploadSbom(ctx context.Context, buildName string, compressedSbom []byte) error {
+ buildToUpdate, err := bucket.Version.Build(buildName)
+ if err != nil {
+ return err
+ }
+
+ log.Println(
+ "[TRACE] jennajenna uploadsbom called", buildToUpdate.ID,
+ )
+ if buildToUpdate.ID == "" {
+ return fmt.Errorf("the build for the component %q does not have a valid id", buildName)
+ }
+ _, err = bucket.client.Packer.PackerServiceUploadSbom(
+ &packer_service.PackerServiceUploadSbomParams{
+ Context: ctx,
+ BucketName: bucket.Name,
+ Fingerprint: bucket.Version.Fingerprint,
+ BuildID: buildToUpdate.ID,
+ Body: &hcpPackerModels.HashicorpCloudPacker20230101UploadSbomBody{
+ CompressedSbom: compressedSbom,
+ },
+ },
+ nil,
+ )
+ return err
+}
+
 // markBuildComplete should be called to set a build on the HCP Packer registry to DONE.
 // Upon a successful call markBuildComplete will publish all artifacts created by the named build,
 // and set the build to done. A build with no artifacts can not be set to DONE.
@@ -673,6 +701,13 @@ func (bucket *Bucket) completeBuild(
 }
 }
 
+ for _, sbom := range build.CompressedSboms {
+ err = bucket.uploadSbom(ctx, buildName, sbom)
+ if err != nil {
+ return packerSDKArtifacts, fmt.Errorf("Failed to upload sboms %s", err)
+ }
+ }
+
 parErr := bucket.markBuildComplete(ctx, buildName)
 if parErr != nil {
 return packerSDKArtifacts, fmt.Errorf(
diff --git a/internal/hcp/registry/types.builds.go b/internal/hcp/registry/types.builds.go
index dc7e13276..6a5f41f40 100644
--- a/internal/hcp/registry/types.builds.go
+++ b/internal/hcp/registry/types.builds.go
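Review bot: `log.Println("[TRACE] jennajenna uploadsbom called", buildToUpdate.ID)` in uploadSbom is a leftover debugging statement carrying a personal name and should be removed before merge. The new method also has no doc comment, while its neighbour markBuildComplete documents its contract; add `// uploadSbom sends one compressed SBOM for the named build to the HCP Packer registry. It returns an error if the build cannot be found, has no ID yet, or the upload request fails.` The upload error is returned bare, so the caller cannot tell which step failed; `return fmt.Errorf("uploading sbom for build %q: %w", buildName, err)` on the last line keeps the chain intact for `errors.Is`.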
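Review bot: `fmt.Errorf("Failed to upload sboms %s", err)` in the completeBuild hunk formats the cause with `%s`, which discards the error chain, and starts the message with a capital letter against Go convention; change it to `return packerSDKArtifacts, fmt.Errorf("uploading sbom for build %q: %w", buildName, err)`. The loop also assigns into the function-scoped `err` declared earlier in completeBuild, whose body begins and ends outside this hunk, so any later code that inspects `err` would observe the last upload's result; `if err := bucket.uploadSbom(ctx, buildName, sbom); err != nil {` keeps it loop-scoped.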
@@ -20,6 +20,8 @@ type Build struct {
 Artifacts map[string]packerSDKRegistry.Image
 Status hcpPackerModels.HashicorpCloudPacker20230101BuildStatus
 Metadata hcpPackerModels.HashicorpCloudPacker20230101BuildMetadata
+
+ CompressedSboms [][]byte
 }
 
 // NewBuildFromCloudPackerBuild converts a HashicorpCloudPackerBuild to a local build that can be tracked and
diff --git a/internal/hcp/registry/types.version.go b/internal/hcp/registry/types.version.go
index 0caf6229c..819e09e46 100644
--- a/internal/hcp/registry/types.version.go
+++ b/internal/hcp/registry/types.version.go
@@ -205,5 +205,8 @@ func (version *Version) AddMetadataToBuild(
 buildToUpdate.Metadata.Vcs = globalMetadata.Vcs
 buildToUpdate.Metadata.Cicd = globalMetadata.Cicd
 
+ // TODO IMO this shouldn't be metadata
+ buildToUpdate.CompressedSboms = buildMetadata.SBOMs
+
 return nil
 }
diff --git a/whateverlucas.pkr.hcl b/whateverlucas.pkr.hcl
new file mode 100644
index 000000000..4f680455a
--- /dev/null
+++ b/whateverlucas.pkr.hcl
@@ -0,0 +1,32 @@
+packer {
+ required_plugins {
+ docker = {
+ version = ">= 1.0.0"
+ source = "github.com/hashicorp/docker"
+ }
+ }
+}
+
+source "docker" "test" {
+ image = "debian"
+ commit = true
+}
+
+build {
+ sources = ["source.docker.test"]
+ hcp_packer_registry {
+ bucket_name = "imnot"
+ }
+ provisioner "shell" {
+ inline = [
+ "apt-get update && apt-get -y install curl",
+ "bash -c \"$(curl -sSL \"https://install.mondoo.com/sh\")\"",
+ "cnquery sbom --output cyclonedx-json >/tmp/sbom_cyclonedx.json",
+ ]
+ }
+
+ provisioner "hcp_sbom" {
+ source = "/tmp/sbom_cyclonedx.json"
+ destination = "sbom_cyclonedx.json"
+ }
+}
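Review bot: The new `CompressedSboms [][]byte` field on Build has no comment, and unlike the neighbouring fields its type does not explain what the bytes are or where they come from; add `// CompressedSboms holds the compressed SBOM documents attached to this build; each entry is uploaded to HCP Packer when the build is completed.` Holding every document's full bytes on the struct also means the memory cost scales with the number and size of SBOMs per build, which the comment could note if that is intended. The Build struct itself continues outside this hunk.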
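Review bot: `buildToUpdate.CompressedSboms = buildMetadata.SBOMs` in the AddMetadataToBuild hunk stores the caller's slice header directly, so a later append or element swap by the caller is reflected in the build; `buildToUpdate.CompressedSboms = slices.Clone(buildMetadata.SBOMs)` (go.mod declares 1.21.0, so the stdlib package is available; it needs an import) isolates the two. The `// TODO IMO this shouldn't be metadata` comment should name the intended home for SBOMs or be resolved before merge, since a TODO with no owner or issue tends to stay. AddMetadataToBuild begins outside the hunk.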
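Review bot: This template looks like a personal scratch fixture that was not meant to be committed: the file name, `bucket_name = "imnot"`, and its placement at the repository root all point to local testing of the `hcp_sbom` provisioner rather than an example users should copy. Its `shell` provisioner also runs `bash -c "$(curl -sSL "https://install.mondoo.com/sh")"`, executing an unpinned remote installer inside the image being built with no integrity check. If an example for `hcp_sbom` is wanted, move it under an examples or test-fixture directory, add a comment explaining its purpose, and replace the installer step with a pinned, checksum-verified download; otherwise drop the file from the commit.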