OpenShift Bugs / OCPBUGS-63194

Konflux tag pipeline fails enterprise contract validation - script runner image not in SBOM


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.21.0
    • 4.21.0
    • HyperShift
    • False
    • Moderate
    • Rejected

      Description of problem:

      The Konflux tag pipeline for HyperShift fails enterprise contract validation with the following violation:

      Pre-Build-Script task runner image "registry.access.redhat.com/ubi10/ubi:10.0-1753787353@sha256:d68f8048fb1ef6eece6dc93173173a1746f5f29014e4ef1c9da39572392a8acf" is not in the SBOM

      **Violation Code**: `pre_build_script_task.pre_build_script_task_runner_image_in_sbom`

      Version-Release number of selected component (if applicable):

          n/a

      How reproducible:

          100%

      Steps to Reproduce:

        1. Create a tag in the openshift/hypershift repository (e.g., `v0.1.69`)
        2. Konflux automatically triggers the tag pipeline (`.tekton/hypershift-operator-main-tag.yaml`)
        3. The pipeline runs the `extract-tag` task which uses `run-script-oci-ta` with a script runner image
         

      Actual results:

            4. The enterprise contract validation fails because the script runner image is not included in the SBOM  

      Expected results:

          The enterprise contract validation passes and a release is generated.

      Additional info:

          

              Antoni Segura Puimedon (asegurap1@redhat.com)
              He Liu
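A local pre-check for the condition behind this violation, added here as an illustration and not taken from the HyperShift pipeline or the enterprise contract policy: it tests whether a digest-pinned runner image is recorded in an SBOM. It assumes a CycloneDX JSON SBOM that lists images as `pkg:oci` purls with a `repository_url` qualifier; the policy's own matching logic may differ, and the SBOM contents below are constructed samples.

```python
from urllib.parse import parse_qs, unquote

# Runner image reference copied from the violation message in this report.
RUNNER_IMAGE = ("registry.access.redhat.com/ubi10/ubi:10.0-1753787353"
                "@sha256:d68f8048fb1ef6eece6dc93173173a1746f5f29014e4ef1c9da39572392a8acf")

def split_image_ref(ref):
    """Return (repository, digest) for a digest-pinned image reference."""
    name, sep, digest = ref.partition("@")
    if not sep or not digest.startswith("sha256:"):
        raise ValueError(f"image reference is not pinned by digest: {ref}")
    # A ':' in the last path segment is a tag (a registry port sits in the first one).
    if ":" in name.rsplit("/", 1)[-1]:
        name = name.rsplit(":", 1)[0]
    return name, digest

def oci_purl_identity(purl):
    """Return (repository_url, digest) for a pkg:oci purl, None for other types."""
    if not purl.startswith("pkg:oci/"):
        return None
    body, _, query = purl.partition("?")
    version = unquote(body.partition("@")[2])  # digest may be written sha256%3A...
    repo = parse_qs(query).get("repository_url", [""])[0]
    return repo, version

def image_in_sbom(ref, sbom):
    """True if some CycloneDX component purl names the same repository and digest."""
    wanted = split_image_ref(ref)
    return any(oci_purl_identity(c.get("purl", "")) == wanted
               for c in sbom.get("components", []))

def make_sbom(*purls):
    """Build a minimal CycloneDX document (constructed sample, not pipeline output)."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"type": "library", "name": "sample", "purl": p}
                           for p in purls]}

GO_DEP = "pkg:golang/example.com/constructed/module@v1.0.0"  # constructed entry
# Assumed purl form for the runner image; repository and digest come from the report.
RUNNER_PURL = ("pkg:oci/ubi@sha256%3Ad68f8048fb1ef6eece6dc93173173a1746f5f29014e4ef1c9da39572392a8acf"
               "?repository_url=registry.access.redhat.com/ubi10/ubi&tag=10.0-1753787353")

if __name__ == "__main__":
    print("SBOM without runner:", image_in_sbom(RUNNER_IMAGE, make_sbom(GO_DEP)))
    print("SBOM with runner   :", image_in_sbom(RUNNER_IMAGE, make_sbom(GO_DEP, RUNNER_PURL)))
```
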