producer, example pipeline

components/producers/cdxgen/kustomization.yaml

@@ -28,13 +28,28 @@ patches:
                   - $(params.producer-cdxgen-flags)
               - name: producer-cdxgen-fetch-license
                 value: $(params.producer-cdxgen-fetch-license)
+              - name: producer-cdxgen-github-token
+                value: $(params.producer-cdxgen-github-token)
+              - name: producer-cdxgen-astgen-ignore-file-pattern
+                value: $(params.producer-cdxgen-astgen-ignore-file-pattern)
+              - name: producer-cdxgen-astgen-ignore-dirs
+                value: $(params.producer-cdxgen-astgen-ignore-dirs)
         params:
           - name: producer-cdxgen-flags
             type: array
             default: []
           - name: producer-cdxgen-fetch-license
             type: string
             default: "false"
+          - name: producer-cdxgen-github-token
+            type: string
+            default: ""
+          - name: producer-cdxgen-astgen-ignore-file-pattern
+            type: string
+            default: ""
+          - name: producer-cdxgen-astgen-ignore-dirs
+            type: string
+            default: ""
     target:
       kind: Pipeline
   # Add anchors to Task.
@@ -113,9 +128,16 @@ patches:
         steps:
           - name: run-cdxgen
             image: ghcr.io/cyclonedx/cdxgen:v9.8.10
+            script: node /opt/cdxgen/bin/cdxgen.js -r -p -o /scratch/out.json $(workspaces.source-code-ws.path)/ --spec-version 1.4
             env:
               - name: FETCH_LICENSE
-                value: $(params.cdxgen-fetch-license)
+                value: $(params.producer-cdxgen-fetch-license)
+              - name: GITHUB_TOKEN
+                value: $(params.producer-cdxgen-github-token)
+              - name: ASTGEN_IGNORE_FILE_PATTERN
+                value: $(params.producer-cdxgen-astgen-ignore-file-pattern)
+              - name: ASTGEN_IGNORE_DIRS
+                value: $(params.producer-cdxgen-astgen-ignore-dirs)
               - name: DRACON_SCAN_TIME
                 value: $(params.dracon_scan_start_time)
               - name: DRACON_SCAN_ID

components/producers/cdxgen/task.yaml

@@ -7,59 +7,51 @@ metadata:
     v1.dracon.ocurity.com/component: producer
 spec:
   params:
-  - name: producer-cdxgen-flags
-    type: array
-    default: []
-  - name: producer-cdxgen-fetch-license
-    type: string
-    default: "false"
-  - name: producer-cdxgen-github-token
-    type: string
-    default: ""
-  - name: cdxgen-astgen-ignore-file-pattern
-    type: string
-    default: ""
-  - name: cdxgen-astgen-ignore-dirs
-    type: string
-    default: ""
+    - name: producer-cdxgen-flags
+      type: array
+      default: []
+    - name: producer-cdxgen-fetch-license
+      type: string
+      default: "false"
+    - name: producer-cdxgen-github-token
+      type: string
+      default: ""
+    - name: producer-cdxgen-astgen-ignore-file-pattern
+      type: string
+      default: ""
+    - name: producer-cdxgen-astgen-ignore-dirs
+      type: string
+      default: ""
   volumes:
     - name: scratch
       emptyDir: {}
   workspaces:
     - name: source-code-ws
       description: The workspace containing the source-code to scan.
   steps:
-  - name: run-cdxgen
-    image: ghcr.io/cyclonedx/cdxgen:v9.8.10
-    env:
-      - name: FETCH_LICENSE
-        value: $(params.producer-cdxgen-fetch-license)
-      - name: GITHUB_TOKEN
-        value: $(params.producer-cdxgen-github-token)
-      - name: ASTGEN_IGNORE_FILE_PATTERN
-        value: $(params.producer-cdxgen-astgen-ignore-file-pattern)
-      - name: ASTGEN_IGNORE_DIRS
-        value: $(params.producer-cdxgen-astgen-ignore-dirs)
-    command: ["node", "/opt/cdxgen/bin/cdxgen.js"]
-    args:
-    - "$(params.producer-cdxgen-flags[*])"
-    - --spec-version 1.4
-    - -r
-    - -p
-    - -o
-    - /scratch/out.json
-    - $(workspaces.source-code-ws.path)/
-    volumeMounts:
-    - mountPath: /scratch
-      name: scratch
+    - name: run-cdxgen
+      image: ghcr.io/cyclonedx/cdxgen:v9.8.10
+      env:
+        - name: FETCH_LICENSE
+          value: $(params.producer-cdxgen-fetch-license)
+        - name: GITHUB_TOKEN
+          value: $(params.producer-cdxgen-github-token)
+        - name: ASTGEN_IGNORE_FILE_PATTERN
+          value: $(params.producer-cdxgen-astgen-ignore-file-pattern)
+        - name: ASTGEN_IGNORE_DIRS
+          value: $(params.producer-cdxgen-astgen-ignore-dirs)
+      script: node /opt/cdxgen/bin/cdxgen.js -r -p -o /scratch/out.json $(workspaces.source-code-ws.path)/ --spec-version 1.4
+      volumeMounts:
+        - mountPath: /scratch
+          name: scratch
 
-  - name: produce-issues
-    imagePullPolicy: IfNotPresent
-    image: ghcr.io/ocurity/dracon/components/producers/cdxgen/image:latest
-    command: ["app/components/producers/cdxgen/cdxgen-parser"]
-    args:
-    - "-in=/scratch/out.json"
-    - "-out=$(workspaces.source-code-ws.path)/.dracon/producers/cdxgen.pb"
-    volumeMounts:
-    - mountPath: /scratch
-      name: scratch
+    - name: produce-issues
+      imagePullPolicy: IfNotPresent
+      image: ghcr.io/ocurity/dracon/components/producers/cdxgen/image:latest
+      command: ["app/components/producers/cdxgen/cdxgen-parser"]
+      args:
+        - "-in=/scratch/out.json"
+        - "-out=$(workspaces.source-code-ws.path)/.dracon/producers/cdxgen.pb"
+      volumeMounts:
+        - mountPath: /scratch
+          name: scratch

examples/pipelines/cdxgen-project/BUILD

@@ -0,0 +1,17 @@
+subinclude("//build/defs:dracon")
+
+dracon_pipeline(
+    name = "cdxgen-project",
+    components = [
+        "//components/base:k8s",
+        "//components/consumers/stdout-json:k8s",
+        "//components/enrichers/aggregator:k8s",
+        "//components/enrichers/policy:k8s",
+        "//components/producers/aggregator:k8s",
+        "//components/producers/cdxgen:k8s",
+        "//components/sources/git:k8s",
+    ],
+    kube_context = "//build/k8s/k3d:dracon",
+    kustomization_yaml = "kustomization.yaml",
+    pipelinerun = "pipelinerun/pipelinerun.yaml",
+)

examples/pipelines/cdxgen-project/kustomization.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+nameSuffix: -cdxgen-project
+namespace: dracon
+
+resources:
+  - ../../../components/base
+
+components:
+  - ../../../components/sources/git
+
+  - ../../../components/producers/aggregator
+  - ../../../components/producers/cdxgen
+  - ../../../components/enrichers/aggregator
+  - ../../../components/enrichers/policy
+  - ../../../components/consumers/stdout-json

examples/pipelines/cdxgen-project/pipelinerun/pipelinerun.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: dracon-cdxgen-project-
+  namespace: dracon
+spec:
+  pipelineRef:
+    name: dracon-cdxgen-project
+  params:
+  - name: repository_url
+    value: https://github.com/ocurity/e2e-monorepo.git
+  - name: b64-signature-key
+  # THIS IS AN EXAMPLE, PLEASE USE A PROPERLY SECURED SECRET KEY IN PRODUCTION
+  # Corresponding public key for verification is MOt7TFuLyGB9yRN5mcIeAPa6jKoFglkwEwGBTOVLeXI=
+    value: Lvbo+wAsW8Y4ENBA+lAikOwGTYAIXCQ49eRMEwClv94w63tMW4vIYH3JE3mZwh4A9rqMqgWCWTATAYFM5Ut5cg==
+  workspaces:
+  - name: source-code-ws
+    subPath: source-code
+    volumeClaimTemplate:
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi

third_party/docker/CycloneDX/cdxgen/BUILD → third_party/docker/cyclonedx/cdxgen/BUILD

@@ -2,7 +2,7 @@ subinclude("//build/defs:buildkit")
 
 buildkit_image_mirror(
     name = "cdxgen",
-    digest = "sha256:736787f469d6a212dfc6e33f7e2da05513fec64607080e02e510348fff5fbafb",
+    digest = "sha256:3e3b983431338a55194e5c0e13b20812958bef8dbc7de60f905c386c054a65de",
     repo = "ghcr.io/cyclonedx/cdxgen",
     tags = ["v9.8.10"],
 )