Update the build-image-index task.

Signed-off-by: haripate <[email protected]>

task/build-image-index/0.1/build-image-index.yaml

@@ -59,12 +59,9 @@ spec:
     name: IMAGES
   - description: Image reference of the built image containing both the repository and the digest
     name: IMAGE_REF
-  - description: Digest of the image just built
-    name: IMAGE_DIGEST_SBOM
-  - description: Image repository and tag where the built image was pushed
-    name: IMAGE_URL_SBOM
-  - description: Image reference of the built image
-    name: IMAGE_REF_SBOM
+  - name: SBOM_BLOB_URL
+    description: Reference of SBOM blob digest to enable digest-based verification from provenance
+    type: string
   stepTemplate:
     env:
     - name: BUILDAH_FORMAT
@@ -175,27 +172,19 @@ spec:
       requests:
         memory: 256Mi
         cpu: 100m
-    args:  ["$(params.IMAGES[*])"]
+    env:
+    - name: IMAGE_URL
+      value: $(results.IMAGE_URL.path)
+    - name: IMAGE_DIGEST
+      value: $(results.IMAGE_DIGEST.path)
     script: |
-      for i in $@
-      do
-        TOADD="$i"
-        TOADD_URL="$(echo "$i" | cut -d@ -f1)"
-        TOADD_DIGEST="$(echo "$i" | cut -d@ -f2)"
-        if [[ $(echo "$i" | tr -cd ":" | wc -c) == 2 ]]; then
-          #format is repository:tag@sha256:digest
-          #we need to remove the tag, and just reference the digest
-          #as tag + digest is not supported
-          TOADD_REPOSITORY="$(echo "$i" | cut -d: -f1)"
-          TOADD="${TOADD_REPOSITORY}@${TOADD_DIGEST}"
-        fi
-        buildah manifest inspect "$TOADD" > manifest_data.json
-        python3 /scripts/index-image-sbom-script.py \
-          --image-index-url "$TOADD_URL" \
-          --image-index-digest "$TOADD_DIGEST" \
-          --inspect-input-file manifest_data.json
-          --output-path sbom-results.json
-      done
+      TOADD="${IMAGE_URL}@${IMAGE_DIGEST}"
+      buildah manifest inspect "$TOADD" > manifest_data.json
+      python3 /scripts/index-image-sbom-script.py \
+        --image-index-url "$IMAGE_URL" \
+        --image-index-digest "$IMAGE_DIGEST" \
+        --inspect-input-file manifest_data.json
+        --output-path sbom-results.json
     workingDir: $(workspaces.source.path)
     securityContext:
       runAsUser: 0
@@ -250,12 +239,18 @@ spec:
           exit 1
       fi
 
-      cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST_SBOM.path)
-      echo -n "$IMAGE" | tee $(results.IMAGE_URL_SBOM.path)
+      cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
+      echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
       {
         echo -n "${IMAGE}@"
         cat "$(workspaces.source.path)/image-digest"
-      } > "$(results.IMAGE_REF_SBOM.path)"
+      } > "$(results.IMAGE.path)"
+
+      # Remove tag from IMAGE while allowing registry to contain a port number.
+      sbom_repo="${IMAGE%:*}"
+      sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)"
+      # The SBOM_BLOB_URL is created by `cosign attach sbom`.
+      echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
 
     securityContext:
       runAsUser: 0
@@ -280,7 +275,7 @@ spec:
         update-ca-trust
       fi
 
-      cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF_SBOM.path)")"
+      cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"
     computeResources:
       limits:
         memory: 512Mi