ODC-7422: Add SBOM link and signed badge in PLR details page #13314
Conversation
Lgtm! Just some missed i18n strings:
frontend/packages/pipelines-plugin/src/components/pipelineruns/PipelineRunDetailsPage.tsx
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
Based on https://gist.github.com/karthikjeeyar/d9fe4d12fbbc1d01273c8540b5504d87#file-cve_scan_output_format-yaml-L7, should task.results.format be that generic (application/json)? Because it's not like we are taking any application/json content; that JSON content also needs to "comply" with our "contract".
I think that PR is only about the link and the "signed" badge, so that part has no effect, so it's more for another (upcoming or existing?) PR.
```ts
}

export const getSbomTaskRun = (taskruns: TaskRunKind[]): TaskRunKind =>
  taskruns?.find(
```
We don't read task.results.format anywhere, do we?
You are right @vdemeester, we don't use format annotations in this PR; it just surfaces the SBOM link and reads annotations. The output tab PR (in the dynamic plugin) will be using all the other annotations like format, type, etc.
The CVE summary is also JSON based, is that part of this PR?
CVE summary on the pipelinerun list page will be on another PR
Compare 04840f9 to fc7ff98
As said, it's almost good. Just one thing and one option/question:
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
/test e2e-gcp-console
@karthikjeeyar to get the /retitle ODC-7422: Add SBOM link and signed badge in PLR details page
@karthikjeeyar: This pull request references ODC-7422 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/retest
Code lgtm, and it works as expected (as described).
@vdemeester @burrsutter when your comment is resolved we are happy to merge this.
/lgtm
/label qe-approved
@karthikjeeyar: This pull request references ODC-7422 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@karthikjeeyar Will you be adding any e2e tests for the change?
@sanketpathak I have logged a story to cover e2e tests in a separate PR
/retest
Propagate from the epic /label docs-approved
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jerolimov, karthikjeeyar. The full list of commands accepted by this bot can be found here. The pull request process is described here.
@karthikjeeyar: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
This result contains the URL to the OCI artifact that stores the SBOM. It is meant primarily to be consumed by RHDH [1] and ODC [2]. The URL follows the format: registry.io/user/image:sha256-hash.sbom
Note that this URL is not meant to be used with cosign, as it automatically resolves it when performing a "cosign download sbom registry.io/user/image:actual-tag".
[1] janus-idp/backstage-plugins#988
[2] openshift/console#13314
Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
Fixes:
https://issues.redhat.com/browse/ODC-7422
Analysis / Root cause:
The UI should surface SBOM information and the command to download the SBOM. Signed PipelineRuns should show the badge on the PipelineRun details page.
Solution Description:
Use the TaskRun's results to fetch the SBOM information and use the Chains annotation to show the signed badge.
Screenshots / GIFs for design review:
Tooltip on badge hover:
Test setup:
Browser conformance:
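An added example, not code from this PR or the console plugin, of reading the two data sources the description relies on: the SBOM URL published as a TaskRun result and the signed flag written by Tekton Chains. The result name IMAGE_SBOM_URL and the minimal resource shapes are assumptions; the digest conversion follows the sha256-<digest>.sbom tag convention quoted from the commit message above, since that tag is not what cosign takes as input.

```typescript
// Added example, not the console plugin's code. The TaskRun result name
// IMAGE_SBOM_URL and the minimal resource shapes below are assumptions.
type TaskRunResult = { name: string; value: string };
type TaskRunKind = {
  metadata: { name: string; annotations?: Record<string, string> };
  status?: { taskResults?: TaskRunResult[] };
};
type PipelineRunKind = { metadata: { name: string; annotations?: Record<string, string> } };

const SBOM_RESULT_NAME = 'IMAGE_SBOM_URL'; // assumed result name
const CHAINS_SIGNED_ANNOTATION = 'chains.tekton.dev/signed'; // set by Tekton Chains

// Tag convention from the commit message: <registry>/<repo>:sha256-<hex digest>.sbom
const SBOM_URL_RE = /^([a-z0-9.:-]+\/[a-z0-9._\/-]+):sha256-([0-9a-f]{64})\.sbom$/;

// The SBOM TaskRun is the one that published the SBOM URL result.
const getSbomTaskRun = (taskruns: TaskRunKind[]): TaskRunKind | undefined =>
  taskruns?.find((tr) => tr.status?.taskResults?.some((r) => r.name === SBOM_RESULT_NAME));

const getSbomUrl = (taskruns: TaskRunKind[]): string | undefined =>
  getSbomTaskRun(taskruns)?.status?.taskResults?.find((r) => r.name === SBOM_RESULT_NAME)?.value;

// cosign resolves the SBOM from the image reference, not from the ".sbom" tag,
// so turn the stored URL into the digest reference "cosign download sbom" accepts.
// Returns undefined for anything that does not match the expected convention.
const sbomUrlToImageDigestRef = (url: string): string | undefined => {
  const m = SBOM_URL_RE.exec(url);
  return m ? `${m[1]}@sha256:${m[2]}` : undefined;
};

// Chains writes the annotation as the string "true"; anything else is unsigned.
const isSignedByChains = (plr: PipelineRunKind): boolean =>
  plr.metadata.annotations?.[CHAINS_SIGNED_ANNOTATION] === 'true';

// Constructed sample data standing in for cluster objects.
const SAMPLE_DIGEST = 'ab'.repeat(32);
const sampleTaskRuns: TaskRunKind[] = [
  { metadata: { name: 'build' }, status: { taskResults: [{ name: 'IMAGE_DIGEST', value: `sha256:${SAMPLE_DIGEST}` }] } },
  { metadata: { name: 'sbom' }, status: { taskResults: [{ name: SBOM_RESULT_NAME, value: `quay.io/demo/app:sha256-${SAMPLE_DIGEST}.sbom` }] } },
];
const signedRun: PipelineRunKind = { metadata: { name: 'app-run-1', annotations: { [CHAINS_SIGNED_ANNOTATION]: 'true' } } };
const unsignedRun: PipelineRunKind = { metadata: { name: 'app-run-2' } };

console.log(getSbomTaskRun(sampleTaskRuns)?.metadata.name, getSbomUrl(sampleTaskRuns));
console.log(sbomUrlToImageDigestRef(getSbomUrl(sampleTaskRuns) ?? ''), isSignedByChains(signedRun), isSignedByChains(unsignedRun));
```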