ODC-7422: Add SBOM link and signed badge in PLR details page #13314
Conversation
openshift-ci
bot
added
kind/i18n
openshift-ci
bot
requested review from
jeff-phillips-18,
MariaLeonova and
vikram-raj
frontend/packages/pipelines-plugin/src/components/pipelineruns/PipelineRunDetailsPage.tsx
Outdated
Show resolved
Hide resolved
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
Outdated
Show resolved
Hide resolved
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
Outdated
Show resolved
Hide resolved
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Based on https://gist.github.com/karthikjeeyar/d9fe4d12fbbc1d01273c8540b5504d87#file-cve_scan_output_format-yaml-L7, should task.results.format be that generic (application/json) ? Because it's not like we are taking any application/json content, but that json content also need to "comply" to our "contract".
I think that PR is only about the link and the "signed" badge, so that part has no effect, so it's more for another (upcoming or existing ?) PR.
| } | ||
|
|
||
| export const getSbomTaskRun = (taskruns: TaskRunKind[]): TaskRunKind => | ||
| taskruns?.find( |
There was a problem hiding this comment.
We don't read task.results.format anywhere do we ?
There was a problem hiding this comment.
You are right @vdemeester, we dont use format annotations in this PR, it just surfaces the SBOM link and reads annotations. The output tab PR (in dynamic plugin) will be using all other annotations like format, type etc
There was a problem hiding this comment.
The CVE summary is also JSON based, is that part of this PR?
There was a problem hiding this comment.
CVE summary on the pipelinerun list page will be on another PR
karthikjeeyar
force-pushed
the
sbom-plr-details
branch
from
04840f9
to
fc7ff98
Compare
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
Outdated
Show resolved
Hide resolved
...s/pipelines-plugin/src/components/pipelineruns/detail-page-tabs/PipelineRunCustomDetails.tsx
Outdated
Show resolved
Hide resolved
|
/test e2e-gcp-console |
|
@karthikjeeyar to get the /retitle ODC-7422: Add SBOM link and signed badge in PLR details page |
openshift-ci
bot
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@karthikjeeyar: This pull request references ODC-7422 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
There was a problem hiding this comment.
Code lgtm, and it works as expected (as described).
@vdemeester @burrsutter when your comment is resolved we are happy to merge this.
/lgtm
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
@karthikjeeyar: This pull request references ODC-7422 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@karthikjeeyar Will you be adding any e2e tests for the change? |
|
@sanketpathak I have logged a story to cover e2e tests in separate PR |
|
/retest |
|
Propagate from the epic /label docs-approved |
openshift-ci
bot
added
docs-approved
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jerolimov, karthikjeeyar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@karthikjeeyar: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This result contains the URL to the OCI artifact that stores the SBOM. It is meant primarily to be consumed by RHDH¹ and ODC². The URL follows the format: registry.io/user/image:sha256-hash.sbom Note that this URL is not meant to be used with cosign, as it automatically resolves it when performing a "cosign download sbom registry.io/user/image:actual-tag". [1] janus-idp/backstage-plugins#988 [2] openshift/console#13314 Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
Fixes:
https://issues.redhat.com/browse/ODC-7422
Analysis / Root cause:
UI should surface SBOM information and command to download the sbom. Signed pipelineruns should show the badge next to pipelinerun details page.
Solution Description:
Use taskrun's results to fetch the SBOM information and use the chain's annotation to show the signed badge.
Screen shots / Gifs for design review:
Tooltip on badge hover:
Test setup:
Browser conformance: