Revert "[ISV-5221] Add new step to inject and push SBOMs in build-ima…

pipelines/docker-build-multi-platform-oci-ta/README.md

@@ -201,7 +201,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest|
 |IMAGE_REF| Image reference of the built image containing both the repository and the digest| |
 |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url|
-|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 ### buildah-remote-oci-ta:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|

pipelines/docker-build-oci-ta/README.md

@@ -198,7 +198,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest|
 |IMAGE_REF| Image reference of the built image containing both the repository and the digest| |
 |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url|
-|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 ### buildah-oci-ta:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|

pipelines/docker-build/README.md

@@ -196,7 +196,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest|
 |IMAGE_REF| Image reference of the built image containing both the repository and the digest| |
 |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url|
-|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 ### buildah:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|

pipelines/fbc-builder/README.md

@@ -146,7 +146,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; inspect-image:0.1:IMAGE_DIGEST ; fbc-validate:0.1:IMAGE_DIGEST|
 |IMAGE_REF| Image reference of the built image containing both the repository and the digest| |
 |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; apply-tags:0.1:IMAGE ; inspect-image:0.1:IMAGE_URL ; fbc-validate:0.1:IMAGE_URL|
-|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 ### buildah:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|

pipelines/tekton-bundle-builder/README.md

@@ -102,7 +102,6 @@
 |IMAGE_DIGEST| Digest of the image just built| |
 |IMAGE_REF| Image reference of the built image containing both the repository and the digest| |
 |IMAGE_URL| Image repository and tag where the built image was pushed| apply-tags:0.1:IMAGE|
-|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 ### git-clone:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|

task/build-image-index/0.1/README.md

@@ -20,5 +20,4 @@ This takes existing Image Manifests and combines them in an Image Index.
 |IMAGE_URL|Image repository and tag where the built image was pushed|
 |IMAGES|List of all referenced image manifests|
 |IMAGE_REF|Image reference of the built image containing both the repository and the digest|
-|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|
 

task/build-image-index/0.1/build-image-index.yaml

@@ -47,13 +47,6 @@ spec:
     name: IMAGES
   - description: Image reference of the built image containing both the repository and the digest
     name: IMAGE_REF
-  - name: SBOM_BLOB_URL
-    description: Reference of SBOM blob digest to enable digest-based verification from provenance
-    type: string
-  volumes:
-    - name: shared-dir
-      emptyDir: {}
-
   stepTemplate:
     env:
     - name: BUILDAH_FORMAT
@@ -68,9 +61,6 @@ spec:
       value: $(params.ALWAYS_BUILD_INDEX)
     - name: STORAGE_DRIVER
       value: $(params.STORAGE_DRIVER)
-    volumeMounts:
-      - name: shared-dir
-        mountPath: /index-build-data
   steps:
   - image: quay.io/konflux-ci/buildah-task:latest@sha256:5cbd487022fb7ac476cbfdea25513b810f7e343ec48f89dc6a4e8c3c39fa37a2
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
@@ -153,67 +143,7 @@ spec:
         cat "image-digest"
       } > "$(results.IMAGE_REF.path)"
       echo -n "${image_manifests:1:-1}" > "$(results.IMAGES.path)"
-
-      IMAGE_DIGEST=$(cat image-digest)
-
-      INDEX_IMAGE_PULLSPEC="${IMAGE}@${IMAGE_DIGEST}"
-      buildah manifest inspect "$INDEX_IMAGE_PULLSPEC" > /index-build-data/manifest_data.json
     securityContext:
       capabilities:
         add:
           - SETFCAP
-
-  - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:53a3041dff341b7fd1765b9cc2c324625d19e804b2eaff10a6e6d9dcdbde3a91
-    name: create-sbom
-    computeResources:
-      limits:
-        memory: 512Mi
-        cpu: 200m
-      requests:
-        memory: 256Mi
-        cpu: 100m
-    script: |
-      #!/bin/bash
-      set -e
-
-      MANIFEST_DATA_FILE="/index-build-data/manifest_data.json"
-      if [ ! -f "$MANIFEST_DATA_FILE" ]; then
-        echo "The manifest_data.json file does not exist. Skipping the SBOM creation..."
-        exit 0
-      fi
-
-      IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")"
-      IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")"
-      echo "Creating SBOM result file..."
-      python3 index_image_sbom_script.py \
-        --image-index-url "$IMAGE_URL" \
-        --image-index-digest "$IMAGE_DIGEST" \
-        --inspect-input-file "$MANIFEST_DATA_FILE" \
-        --output-path /index-build-data/sbom-results.json
-
-  - name: upload-sbom
-    image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
-    script: |
-      #!/bin/bash
-      set -e
-
-      SBOM_RESULT_FILE="/index-build-data/sbom-results.json"
-      if [ ! -f "$SBOM_RESULT_FILE" ]; then
-        echo "The sbom_results.json file does not exists. Skipping the SBOM upload..."
-        exit 0
-      fi
-
-      cosign attach sbom --sbom "$SBOM_RESULT_FILE" --type spdx "$(cat "$(results.IMAGE_REF.path)")"
-
-      # Remove tag from IMAGE while allowing registry to contain a port number.
-      sbom_repo="${IMAGE%:*}"
-      sbom_digest="$(sha256sum "$SBOM_RESULT_FILE" | cut -d' ' -f1)"
-      # The SBOM_BLOB_URL is created by `cosign attach sbom`.
-      echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)"
-    computeResources:
-      limits:
-        memory: 512Mi
-        cpu: 200m
-      requests:
-        memory: 256Mi
-        cpu: 100m