fix: sbom release issue

Author: andrpac

build/ci/release.yml

@@ -39,10 +39,10 @@ variables:
       SILKBOMB_TAG: "2.0"
       SILKBOMB_REGISTRY: "901841024863.dkr.ecr.us-east-1.amazonaws.com"
       SILKBOMB_IMAGE: "901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0"
-      SILKBOMB_PURLS_FILE: "/pwd/purls.txt"
-      SILKBOMB_SBOM_FILE: "/pwd/sbom.json"
+      SILKBOMB_PURLS_FILE: "purls.txt"
+      SILKBOMB_SBOM_FILE: "sbom.json"
   - &kondukto_config
-      AUGMENTED_SILKBOMB_SBOM_FILE: "/pwd/augmented-sbom.json"
+      AUGMENTED_SILKBOMB_SBOM_FILE: "augmented-sbom.json"
       KONDUKTO_CREDENTIALS_FILE: kondukto_credentials.env
       KONDUKTO_REPO: mongodb_atlas-cli-plugin-kubernetes
       KONDUKTO_BRANCH: test
@@ -125,6 +125,24 @@ functions:
         shell: bash
         script: |
           ./upload-sbom.sh
+  "move sboms":
+    - command: shell.exec
+      params:
+        shell: bash
+        working_dir: src/github.com/mongodb/atlas-cli-plugin-kubernetes
+        script: |
+          if [[ ! -f ./build/package/sbom.json ]]; then
+            echo "ERROR: sbom.json not found in ./build/package/"
+            exit 1
+          fi
+          if [[ ! -f ./build/package/augmented-sbom.json ]]; then
+            echo "ERROR: augmented-sbom.json not found in ./build/package/"
+            exit 1
+          fi
+
+          mv ./build/package/sbom.json sbom.json
+          mv ./build/package/augmented-sbom.json augmented-sbom.json
+          echo "Moved SBOMs to repository root."
   "package":
     - command: github.generate_token
       params:
@@ -226,6 +244,7 @@ tasks:
     commands:
       - func: "generate sbom"
       - func: "upload sbom"
+      - func: "move sboms"
   - name: test-trace
     tags: ["code_health"]
     allowed_requesters: ["patch"]
@@ -253,6 +272,7 @@ tasks:
       - func: "generate sbom"
       - func: "upload sbom"
       - func: "generate notices"
+      - func: "move sboms"
       - func: "install goreleaser"
       - func: "install macos notarization service"
       - func: "install gh-token"

build/package/generate-sbom.sh

@@ -20,7 +20,10 @@ set -Eeou pipefail
 : "${SILKBOMB_PURLS_FILE:?Missing SILKBOMB_PURLS_FILE}"
 : "${SILKBOMB_SBOM_FILE:?Missing SILKBOMB_SBOM_FILE}"
 
-# Check if SILKBOMB_IMAGE is set and available locally
+# Resolve absolute path of the purls file directory
+PURLS_DIR="$(cd "$(dirname "${SILKBOMB_PURLS_FILE}")" && pwd)"
+
+# Check if image exists locally
 if podman image exists "${SILKBOMB_IMAGE}"; then
   echo "Using existing local image: ${SILKBOMB_IMAGE}"
 else # Else image will need to be pulled from AWS registry
@@ -37,10 +40,10 @@ fi
 echo "Generating SBOMs with image: ${SILKBOMB_IMAGE}"
 podman run --rm \
   --pull=missing \
-  -v "$(pwd):/pwd" \
+  -v "${PURLS_DIR}:/pwd" \
   "${SILKBOMB_IMAGE}" \
   update \
-  --purls "${SILKBOMB_PURLS_FILE}" \
-  --sbom-out "${SILKBOMB_SBOM_FILE}"
+  --purls "/pwd/$(basename "${SILKBOMB_PURLS_FILE}")" \
+  --sbom-out "/pwd/$(basename "${SILKBOMB_SBOM_FILE}")"
 
 echo "SBOM generated at ${SILKBOMB_SBOM_FILE}"

build/package/upload-sbom.sh

@@ -22,6 +22,9 @@ set -Eeou pipefail
 : "${KONDUKTO_REPO:?Missing KONDUKTO_REPO}"
 : "${KONDUKTO_BRANCH:?Missing KONDUKTO_BRANCH}"
 
+# Resolve the absolute directory containing the SBOM file
+SBOM_DIR="$(cd "$(dirname "${SILKBOMB_SBOM_FILE}")" && pwd)"
+
 # load the token
 if [[ ! -s "${KONDUKTO_CREDENTIALS_FILE}" ]]; then
   echo "ERROR: credentials file is missing or empty: ${KONDUKTO_CREDENTIALS_FILE}" >&2
@@ -41,28 +44,28 @@ else # Else image will need to be pulled from AWS registry
     podman login --username AWS --password-stdin "${SILKBOMB_REGISTRY}"
 fi
 
-# Note, augment by default uploads to Kondukto
-if [[ -n "${AUGMENTED_SILKBOMB_SBOM_FILE}" ]]; then
+# Upload or augment
+if [[ -n "${AUGMENTED_SILKBOMB_SBOM_FILE:-}" ]]; then
   echo "Uploading SBOM to Kondukto and outputting augmented version..."
   podman run --rm \
     --pull=missing \
-    -v "$(pwd):/pwd" \
+    -v "${SBOM_DIR}:/pwd" \
     --env-file "${KONDUKTO_CREDENTIALS_FILE}" \
     "${SILKBOMB_IMAGE}" \
     augment \
-    --sbom-in "${SILKBOMB_SBOM_FILE}" \
-    --sbom-out "${AUGMENTED_SILKBOMB_SBOM_FILE}" \
+    --sbom-in "/pwd/$(basename "${SILKBOMB_SBOM_FILE}")" \
+    --sbom-out "/pwd/$(basename "${AUGMENTED_SILKBOMB_SBOM_FILE}")" \
     --repo "${KONDUKTO_REPO}" \
     --branch "${KONDUKTO_BRANCH}"
 else
   echo "Uploading SBOM to Kondukto..."
   podman run --rm \
     --pull=missing \
-    -v "$(pwd):/pwd" \
+    -v "${SBOM_DIR}:/pwd" \
     --env-file "${KONDUKTO_CREDENTIALS_FILE}" \
     "${SILKBOMB_IMAGE}" \
     upload \
-    --sbom-in "${SILKBOMB_SBOM_FILE}" \
+    --sbom-in "/pwd/$(basename "${SILKBOMB_SBOM_FILE}")" \
     --repo "${KONDUKTO_REPO}" \
     --branch "${KONDUKTO_BRANCH}"
 fi