Skip to content

USHIFT-6920: feat: add crypto_scan auto-rebase for cbom generation#7051

Open
fracappa wants to merge 1 commit into
openshift:mainfrom
fracappa:fca/add-ushift-cbom
Open

USHIFT-6920: feat: add crypto_scan auto-rebase for cbom generation#7051
fracappa wants to merge 1 commit into
openshift:mainfrom
fracappa:fca/add-ushift-cbom

Conversation

@fracappa

@fracappa fracappa commented Jul 15, 2026

Copy link
Copy Markdown

added auto-rebase crypto_scan.sh script for cbom generation. This script uses crypto-scanner-iamge to generate a CycloneDX document. It also provides a SPDX one, by implementing the mapping suggested by the prod sec team.

Summary by CodeRabbit

  • New Features
    • Added an automated cryptographic scanning workflow to generate cryptographic inventory artifacts from the source tree.
    • Produces both CBOM (JSON) and SPDX 2.3 (JSON) reports with cryptographic properties and component relationships.
    • Enhanced the rebase job to run the scan, detect changes to the generated reports, and automatically stage and commit updates when needed.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 15, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 15, 2026

Copy link
Copy Markdown

@fracappa: This pull request references USHIFT-6920 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

added auto-rebase crypto_scan.sh script for cbom generation. This script uses crypto-scanner-iamge to generate a CycloneDX document. It also provides a SPDX one, by implementing the mapping suggested by the prod sec team.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from eslutsky and jogeo July 15, 2026 07:56
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fracappa
Once this PR has been reviewed and has the lgtm label, please assign jogeo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Caution

Review failed

An error occurred during the review process. Please try again later.

Walkthrough

The PR adds a strict Bash crypto-scan workflow that stages selected MicroShift sources, extracts a scanner image with skopeo, generates CBOM and SPDX 2.3 JSON artifacts, and commits changed outputs from the rebase job.

Changes

Cryptographic artifact generation

Layer / File(s) Summary
Prepare scanner and scan workspace
scripts/auto-rebase/crypto_scan.sh
The script configures temporary paths, downloads and extracts the scanner image with skopeo, and stages selected source directories.
Generate and convert cryptographic artifacts
scripts/auto-rebase/crypto_scan.sh
The extracted scanner writes CBOM JSON, which jq converts to SPDX 2.3 JSON with component cryptographic properties and package relationships.
Commit changed artifacts
scripts/auto-rebase/rebase_job_entrypoint.sh
The rebase job runs the scan, detects changes to both generated files, and commits them.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant RebaseJob
  participant CryptoScan
  participant Skopeo
  participant CryptoScanner
  participant JQ
  participant Git

  RebaseJob->>CryptoScan: Run crypto scan
  CryptoScan->>Skopeo: Download scanner image
  Skopeo-->>CryptoScan: Provide scanner layers
  CryptoScan->>CryptoScanner: Scan staged MicroShift sources
  CryptoScanner-->>CryptoScan: Write CBOM JSON
  CryptoScan->>JQ: Transform CBOM to SPDX 2.3
  JQ-->>CryptoScan: Write SPDX JSON
  RebaseJob->>Git: Stage and commit changed artifacts
Loading

Suggested reviewers: jogeo, eslutsky

🚥 Pre-merge checks | ✅ 5 | ❌ 10

❌ Failed checks (10 inconclusive)

Check name Status Explanation Resolution
Stable And Deterministic Test Names ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Weak-Crypto ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Container-Privileges ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Sensitive-Data-In-Logs ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the new crypto_scan auto-rebase workflow for CBOM generation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 38: In scripts/auto-rebase/crypto_scan.sh, replace the CBOM status
command substitution at lines 38-38 with separate echo and ls commands, then
apply the same change to the SPDX status output at lines 79-79: echo the
generated-file label first and run ls -lh on the corresponding output variable
separately so failures propagate.
- Line 25: Update the EXIT trap command in crypto_scan.sh to preserve quoting
around SCAN_DIR when the deferred cleanup runs, ensuring rm -rf handles paths
containing spaces safely.
- Around line 1-5: Update the script header to use the /usr/bin/bash shebang,
remove the shellcheck disable directive, and consolidate the separate errexit,
nounset, and pipefail settings into a single set -euo pipefail command.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a283846f-6ebb-4d10-89eb-1fb49d0e47df

📥 Commits

Reviewing files that changed from the base of the PR and between 25d93a1 and 947fd1d.

📒 Files selected for processing (2)
  • scripts/auto-rebase/crypto_scan.sh
  • scripts/auto-rebase/rebase_job_entrypoint.sh

Comment thread scripts/auto-rebase/crypto_scan.sh Outdated
# findings already covered by "vendor/".
# We stage a scan directory with only the sources we want scanned.
SCAN_DIR=$(mktemp -d)
trap "rm -rf ${SCAN_DIR}" EXIT

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Quote variables in trap command.

The double-quoted string evaluates ${SCAN_DIR} without quotes in the resulting command, which will fail if the path contains spaces. As per coding guidelines, shell scripts must quote all variables.

Proposed fix
-trap "rm -rf ${SCAN_DIR}" EXIT
+trap 'rm -rf "${SCAN_DIR}"' EXIT
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
trap "rm -rf ${SCAN_DIR}" EXIT
trap 'rm -rf "${SCAN_DIR}"' EXIT
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/auto-rebase/crypto_scan.sh` at line 25, Update the EXIT trap command
in crypto_scan.sh to preserve quoting around SCAN_DIR when the deferred cleanup
runs, ensuring rm -rf handles paths containing spaces safely.

Source: Coding guidelines

"${SCANNER_IMAGE}" \
/workspace > "${CBOM_OUTPUT}"

echo "CBOM generated: $(ls -lh "${CBOM_OUTPUT}")"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Avoid swallowed errors in command substitutions.

Both of these lines use command substitutions that mask failures because errexit is not inherited by default. Based on learnings, restructure to avoid the substitution so errors are caught.

  • scripts/auto-rebase/crypto_scan.sh#L38-L38: Replace with echo "CBOM generated:" followed by ls -lh "${CBOM_OUTPUT}" on a new line.
  • scripts/auto-rebase/crypto_scan.sh#L79-L79: Replace with echo "SPDX generated:" followed by ls -lh "${SPDX_OUTPUT}" on a new line.
📍 Affects 1 file
  • scripts/auto-rebase/crypto_scan.sh#L38-L38 (this comment)
  • scripts/auto-rebase/crypto_scan.sh#L79-L79
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/auto-rebase/crypto_scan.sh` at line 38, In
scripts/auto-rebase/crypto_scan.sh, replace the CBOM status command substitution
at lines 38-38 with separate echo and ls commands, then apply the same change to
the SPDX status output at lines 79-79: echo the generated-file label first and
run ls -lh on the corresponding output variable separately so failures
propagate.

Source: Learnings

@fracappa fracappa force-pushed the fca/add-ushift-cbom branch from d51d57d to 08c01c1 Compare July 15, 2026 09:02
added auto-rebase crypto_scan.sh script for cbom generation.
This script uses crypto-scanner-iamge to generate a CycloneDX
document. It also provides a SPDX one, by implementing the mapping
suggested by the prod sec team.
@fracappa fracappa force-pushed the fca/add-ushift-cbom branch from 711e3fe to 494416a Compare July 15, 2026 10:39

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
scripts/auto-rebase/crypto_scan.sh (1)

42-42: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Avoid swallowed errors in command substitutions.

Both lines use command substitutions that mask failures because errexit is not inherited by default. Based on learnings, restructure to avoid the substitution so errors are caught.

  • scripts/auto-rebase/crypto_scan.sh#L42-L42: Replace with echo "CBOM generated:" followed by ls -lh "${CBOM_OUTPUT}" on a new line.
  • scripts/auto-rebase/crypto_scan.sh#L83-L83: Replace with echo "SPDX generated:" followed by ls -lh "${SPDX_OUTPUT}" on a new line.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/auto-rebase/crypto_scan.sh` at line 42, In
scripts/auto-rebase/crypto_scan.sh at lines 42-42 and 83-83, remove the ls
command substitutions from the CBOM and SPDX status messages. In the CBOM
generation flow, print “CBOM generated:” first, then run ls -lh against
CBOM_OUTPUT on the next line; similarly, print “SPDX generated:” first, then run
ls -lh against SPDX_OUTPUT on the next line so failures propagate.

Source: Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 12: Update the EXIT trap command to use single quotes around the trap
body and double-quote IMAGE_DIR, SCANNER_DIR, and SCAN_DIR within it, preventing
early expansion and safely handling paths containing spaces.

---

Duplicate comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 42: In scripts/auto-rebase/crypto_scan.sh at lines 42-42 and 83-83,
remove the ls command substitutions from the CBOM and SPDX status messages. In
the CBOM generation flow, print “CBOM generated:” first, then run ls -lh against
CBOM_OUTPUT on the next line; similarly, print “SPDX generated:” first, then run
ls -lh against SPDX_OUTPUT on the next line so failures propagate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5676ec02-b50f-4b9c-b3e5-1c493893d6e2

📥 Commits

Reviewing files that changed from the base of the PR and between 494416a and d4b1e1d.

📒 Files selected for processing (1)
  • scripts/auto-rebase/crypto_scan.sh

Comment thread scripts/auto-rebase/crypto_scan.sh Outdated
IMAGE_DIR=$(mktemp -d)
SCANNER_DIR=$(mktemp -d)
SCAN_DIR=$(mktemp -d)
trap "rm -rf ${IMAGE_DIR} ${SCANNER_DIR} ${SCAN_DIR}" EXIT

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Quote variables in trap command.

As per coding guidelines and Shellcheck (SC2064), use single quotes for the trap command and double-quote the variables inside to prevent early expansion and properly handle paths with spaces.

🐛 Proposed fix
-trap "rm -rf ${IMAGE_DIR} ${SCANNER_DIR} ${SCAN_DIR}" EXIT
+trap 'rm -rf "${IMAGE_DIR}" "${SCANNER_DIR}" "${SCAN_DIR}"' EXIT
🧰 Tools
🪛 Shellcheck (0.11.0)

[warning] 12-12: Use single quotes, otherwise this expands now rather than when signalled.

(SC2064)


[warning] 12-12: Use single quotes, otherwise this expands now rather than when signalled.

(SC2064)


[warning] 12-12: Use single quotes, otherwise this expands now rather than when signalled.

(SC2064)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/auto-rebase/crypto_scan.sh` at line 12, Update the EXIT trap command
to use single quotes around the trap body and double-quote IMAGE_DIR,
SCANNER_DIR, and SCAN_DIR within it, preventing early expansion and safely
handling paths containing spaces.

Sources: Coding guidelines, Linters/SAST tools

@fracappa fracappa force-pushed the fca/add-ushift-cbom branch from d4b1e1d to 494416a Compare July 15, 2026 13:36
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@fracappa: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/test-rebase 494416a link false /test test-rebase
ci/prow/verify 494416a link true /test verify
ci/prow/e2e-aws-tests-bootc-arm-el9 494416a link true /test e2e-aws-tests-bootc-arm-el9

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants