@nickboldt
Last active December 7, 2024 18:17
HOWTO: read SBOMs for RHDH containers
# To find the SBOM for a given tag:
# * go to https://quay.io/repository/rhdh/rhdh-hub-rhel9?tab=tags
# * search for a tag, like 1.4-118, and note its short SHA (the first 12 hex characters of the manifest digest) = 8cfadda9c15f
# * search for tags matching that SHA; the SBOM is a separate image whose tag is the full digest, ending in .sbom:
# * sha256-8cfadda9c15fb0e1a4b0e5f8613d62433f92f42e16f3c7ea63be36bd9e5d2a1f.sbom
# * pull that image to see the contents of the SBOM (its layer blobs are JSON documents)
rm -fr /tmp/sbom; mkdir -p /tmp/sbom
skopeo copy \
docker://quay.io/rhdh/rhdh-hub-rhel9:sha256-8cfadda9c15fb0e1a4b0e5f8613d62433f92f42e16f3c7ea63be36bd9e5d2a1f.sbom \
dir:/tmp/sbom/
rm -fr /tmp/sbom/{manifest.json,version}
cd /tmp/sbom/
# see the files
ls -1 .
# now see the json contents of those files (glob instead of $(ls), and quote $f, so odd file names do not break the loop)
for f in *; do jq -r '.' "$f"; done
# Or search for path-to-regexp:
for f in *; do jq -r '.' "$f" | grep path-to-regexp; done
# or to list hits and their associated files
for f in *; do
  jq -r '.' "$f" | grep -E "path-to-regexp|/opt/app-root" -A1 | grep -E "path-to-regex" -A5 | grep -E "bom-ref|/opt/app-root"
done
# But if we check the golang-based operator for any nodejs problems:
# * go to https://quay.io/repository/rhdh/rhdh-rhel9-operator?tab=tags
# * search for tag 1.4-122, which is SHA 92dc1473d537
# * so the sbom tag is sha256-92dc1473d5372bd0070e183b62715d1616afd1131420f895ea0ee5569e072868.sbom
rm -fr /tmp/sbom-operator; mkdir -p /tmp/sbom-operator
skopeo copy \
docker://quay.io/rhdh/rhdh-rhel9-operator:sha256-92dc1473d5372bd0070e183b62715d1616afd1131420f895ea0ee5569e072868.sbom \
dir:/tmp/sbom-operator/
rm -fr /tmp/sbom-operator/{manifest.json,version}
cd /tmp/sbom-operator/
# dump the full json contents
for f in *; do jq -r '.' "$f"; done
# search for path-to-regexp: no results
for f in *; do jq -r '.' "$f" | grep path-to-regexp; done
# list hits and their associated files: also no results!
for f in *; do
  jq -r '.' "$f" | grep -E "path-to-regexp|/opt/app-root" -A1 | grep -E "path-to-regex" -A5 | grep -E "bom-ref|/opt/app-root"
done
# but we do have golang dependencies in the golang-based operator container
for f in *; do jq -r '.' "$f" | grep golang; done
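The grep pipelines above work, but they match substrings anywhere in the pretty-printed JSON and cannot tell which blob is the SBOM layer and which is the image config. The script below is an added example (not code from this gist or from the RHDH project) that does the same job structurally: it derives the `sha256-<digest>.sbom` tag from a digest, reads `manifest.json` from a `skopeo copy ... dir:` layout to pick only the layer blobs, checks each blob against its manifest digest before parsing it, and queries the CycloneDX `components` array by exact name. It assumes the tag convention described in this gist and a CycloneDX JSON SBOM layer; the sample SBOM and its package versions are constructed so the script runs offline.

```python
"""Locate and query the SBOM image that sits beside an RHDH container tag.

Added example; not from the gist or the RHDH project. Assumptions: the SBOM
is a separate image tagged sha256-<digest>.sbom, the directory being read was
produced by `skopeo copy ... dir:` (manifest.json plus blobs named by digest
hex), and the SBOM layer is CycloneDX JSON. The fixture below is constructed.
"""
import hashlib
import json
import os
import re
import tempfile

_DIGEST_RE = re.compile(r"^(?:sha256:)?([0-9a-f]{64})$")


def sbom_tag(digest: str) -> str:
    """Map an image digest ('sha256:<hex>' or bare hex) to its .sbom tag.

    Rejects short SHAs such as the 12-char form quay shows in its tag list.
    """
    m = _DIGEST_RE.match(digest.strip())
    if not m:
        raise ValueError(f"not a full sha256 digest: {digest!r}")
    return f"sha256-{m.group(1)}.sbom"


def load_sbom_layers(layout_dir: str) -> list:
    """Parse the layer blobs of a `dir:` layout as JSON documents.

    manifest.json says which blobs are layers; the config blob is JSON too
    but carries no components, so consulting the manifest beats deleting it.
    """
    with open(os.path.join(layout_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    if "layers" not in manifest:
        raise ValueError("manifest is an index/list, not a single-image manifest")
    docs = []
    for layer in manifest["layers"]:
        hexdigest = layer["digest"].split(":", 1)[1]
        with open(os.path.join(layout_dir, hexdigest), "rb") as fh:
            data = fh.read()
        # Refuse a blob whose content does not match the digest the manifest names.
        if hashlib.sha256(data).hexdigest() != hexdigest:
            raise ValueError(f"digest mismatch for layer {hexdigest}")
        docs.append(json.loads(data))
    return docs


def find_components(sbom: dict, name: str) -> list:
    """Return the CycloneDX components named exactly `name` (no substring hits)."""
    return [
        {"name": c["name"], "version": c.get("version"),
         "purl": c.get("purl"), "bom-ref": c.get("bom-ref")}
        for c in sbom.get("components", []) if c.get("name") == name
    ]


# Constructed fixture: a CycloneDX SBOM carrying two copies of path-to-regexp
# (versions are made up and imply nothing about real RHDH builds).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "path-to-regexp", "version": "6.2.1",
         "purl": "pkg:npm/path-to-regexp@6.2.1",
         "bom-ref": "pkg:npm/path-to-regexp@6.2.1"},
        {"type": "library", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2", "bom-ref": "pkg:npm/express@4.19.2"},
        {"type": "library", "name": "path-to-regexp", "version": "0.1.7",
         "purl": "pkg:npm/path-to-regexp@0.1.7",
         "bom-ref": "pkg:npm/path-to-regexp@0.1.7"},
    ],
}


def write_sample_layout(root: str) -> str:
    """Write SAMPLE_SBOM as a one-layer `dir:`-style layout; returns the layer hex digest."""
    body = json.dumps(SAMPLE_SBOM).encode()
    hexdigest = hashlib.sha256(body).hexdigest()
    with open(os.path.join(root, hexdigest), "wb") as fh:
        fh.write(body)
    manifest = {
        "schemaVersion": 2,
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": "sha256:" + "0" * 64, "size": 0},
        "layers": [{"mediaType": "application/vnd.cyclonedx+json",
                    "digest": "sha256:" + hexdigest, "size": len(body)}],
    }
    with open(os.path.join(root, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)
    return hexdigest


def report(name: str = "path-to-regexp") -> list:
    """Build the fixture, read it back the way a real layout is read, and query it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_layout(root)
        hits = []
        for doc in load_sbom_layers(root):
            hits.extend(find_components(doc, name))
    return hits


if __name__ == "__main__":
    print(sbom_tag("sha256:8cfadda9c15fb0e1a4b0e5f8613d62433f92f42e16f3c7ea63be36bd9e5d2a1f"))
    for hit in report():
        print(hit["bom-ref"], hit["purl"])
```

To use it against a real pull, point `load_sbom_layers` at `/tmp/sbom/` before the `rm -fr .../{manifest.json,version}` step, and feed `sbom_tag` the full digest rather than the 12-character short SHA from the quay tag list (`skopeo inspect --format '{{.Digest}}' docker://quay.io/rhdh/rhdh-hub-rhel9:1.4-118` prints it). The digest check on each blob only proves the blob matches the manifest that was pulled; it does not establish who pushed the SBOM, which needs a signature check on the image itself.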