diff --git a/doozer/doozerlib/backend/konflux_image_builder.py b/doozer/doozerlib/backend/konflux_image_builder.py
index 50acbfae3..e46e83d8b 100644
--- a/doozer/doozerlib/backend/konflux_image_builder.py
+++ b/doozer/doozerlib/backend/konflux_image_builder.py
@@ -16,6 +16,7 @@
 from kubernetes.client import Configuration
 from kubernetes.dynamic import DynamicClient, exceptions, resource
 from ruamel.yaml import YAML
+from packageurl import PackageURL
 from artcommonlib.exectools import limit_concurrency
 from doozerlib import constants
@@ -261,11 +262,19 @@ async def _get_for_arch(arch):
 sbom_contents = json.loads(stdout)
 source_rpms = set()
 for x in sbom_contents["components"]:
- if x["bom-ref"].startswith("pkg:rpm"):
- for i in x["properties"]:
- if i["name"] == "syft:metadata:sourceRpm":
- source_rpms.add(i["value"].rstrip(".src.rpm"))
- break
+ # konflux generates sbom in cyclonedx schema: https://cyclonedx.org
+ # sbom uses purl or package-url convention https://github.com/package-url/purl-spec
+ # example: pkg:rpm/rhel/coreutils-single@8.32-35.el9?arch=x86_64&upstream=coreutils-8.32-35.el9.src.rpm&distro=rhel-9.4
+ # https://github.com/package-url/packageurl-python does not support purl schemes other than "pkg"
+ # so filter them out
+ if x["purl"].startswith("pkg:"):
+ purl = PackageURL.from_string(x["purl"])
+ # right now, we only care about rpms
+ if purl.type == "rpm":
+ # get the source rpm
+ source_rpm = purl.qualifiers.get("upstream", None)
+ if source_rpm:
+ source_rpms.add(source_rpm.rstrip(".src.rpm"))
 return source_rpms
 results = await asyncio.gather(*(_get_for_arch(arch) for arch in arches))
diff --git a/doozer/requirements.txt b/doozer/requirements.txt
index ea159ef1b..d1ee0d3a6 100644
--- a/doozer/requirements.txt
+++ b/doozer/requirements.txt
@@ -29,3 +29,4 @@ aiohttp
 jira>=3.4.1
 ghapi
 zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
+packageurl-python
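Review bot: `source_rpm.rstrip(".src.rpm")` in the added `source_rpms.add(...)` line strips any trailing run of the characters `.`, `s`, `r`, `c`, `p`, `m` rather than the literal `.src.rpm` suffix, so an upstream value whose release string ends in one of those letters loses part of its name; the removed code had the same flaw, but since the line is rewritten anyway, prefer `source_rpms.add(source_rpm.removesuffix(".src.rpm"))` (Python 3.9+) or an explicit `endswith` check. The new `x["purl"]` lookup raises `KeyError` for any CycloneDX component that carries no `purl` (the field is optional in the schema), which would abort the SBOM scan for the whole arch; `x.get("purl", "")` keeps the loop going over such entries. Likewise `PackageURL.from_string` raises `ValueError` on a malformed purl, so one odd component again fails the entire arch; consider catching it per component and logging the offending value. `_get_for_arch` begins before the hunk and the enclosing function continues after it.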
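Review bot: `packageurl-python` is added with no version constraint, while the neighbouring entries in the same hunk carry lower bounds (`jira>=3.4.1`, `zipp>=3.19.1`); an unconstrained line resolves to whatever the index serves at install time, so pin at least a known-good minimum, e.g. `packageurl-python>=<tested version>`. The new parsing code in konflux_image_builder.py relies on `PackageURL.from_string`, `.type` and `.qualifiers.get`, so the bound should name a release those calls were actually exercised against.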