Skip to content

USHIFT-6920: feat: add crypto_scan auto-rebase for cbom generation#7051

Open
fracappa wants to merge 1 commit into
openshift:mainfrom
fracappa:fca/add-ushift-cbom
Open

USHIFT-6920: feat: add crypto_scan auto-rebase for cbom generation#7051
fracappa wants to merge 1 commit into
openshift:mainfrom
fracappa:fca/add-ushift-cbom

Conversation

@fracappa

@fracappa fracappa commented Jul 15, 2026

Copy link
Copy Markdown

added auto-rebase crypto_scan.sh script for cbom generation. This script uses crypto-scanner-iamge to generate a CycloneDX document. It also provides a SPDX one, by implementing the mapping suggested by the prod sec team.

Summary by CodeRabbit

  • New Features
    • Added an automated cryptographic scanning workflow that generates cryptographic inventory artifacts from the source tree.
    • Produces both CBOM (JSON) and SPDX 2.3 (JSON) reports, including cryptographic properties and component relationship mapping.
  • Automation / Improvements
    • Enhanced the rebase job to optionally run the scan after rebasing, detect changes to the generated reports, and auto-stage and commit updates when needed.
    • Scan failures degrade gracefully by not blocking the rebase process.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 15, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 15, 2026

Copy link
Copy Markdown

@fracappa: This pull request references USHIFT-6920 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

added auto-rebase crypto_scan.sh script for cbom generation. This script uses crypto-scanner-iamge to generate a CycloneDX document. It also provides a SPDX one, by implementing the mapping suggested by the prod sec team.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
openshift-ci Bot requested review from eslutsky and jogeo July 15, 2026 07:56
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fracappa
Once this PR has been reviewed and has the lgtm label, please assign jogeo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

The PR adds an optional rebase-job crypto scan that stages selected MicroShift sources, runs a containerized scanner, generates CBOM and SPDX 2.3 JSON artifacts, and commits changed outputs.

Changes

Cryptographic artifact workflow

Layer / File(s) Summary
Configure and stage scan inputs
scripts/auto-rebase/crypto_scan.sh
The script configures paths, pulls the scanner image with Podman, creates a temporary workspace, and stages selected source directories.
Generate and convert artifacts
scripts/auto-rebase/crypto_scan.sh
The containerized scanner writes CBOM JSON, which jq converts to SPDX 2.3 JSON with component cryptographic properties and package relationships.
Integrate with the rebase job
scripts/auto-rebase/rebase_job_entrypoint.sh
When CRYPTO_SCAN=true, the rebase job runs the scan, detects changes to both outputs, stages them, and commits the updates.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant RebaseJob
  participant CryptoScan
  participant Podman
  participant CryptoScanner
  participant JQ
  participant Git

  RebaseJob->>CryptoScan: Run when CRYPTO_SCAN=true
  CryptoScan->>Podman: Pull scanner image
  CryptoScan->>CryptoScanner: Scan staged source trees
  CryptoScanner-->>CryptoScan: Write CBOM JSON
  CryptoScan->>JQ: Convert CBOM to SPDX 2.3
  JQ-->>CryptoScan: Write SPDX JSON
  RebaseJob->>Git: Stage and commit changed artifacts
Loading

Suggested reviewers: jogeo


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error rebase_job_entrypoint.sh uses set -x and printenv, which can dump secrets; crypto_scan.sh also logs the internal scanner image hostname. Remove env dumping/tracing in CI logs and avoid echoing internal registry/image hostnames; keep only non-sensitive status messages.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding auto-rebase crypto scan support for CBOM generation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo tests were added or modified; the diff only touches two shell scripts and contains no It/Describe/Context/When titles.
Test Structure And Quality ✅ Passed No Ginkgo test files changed; the PR only adds/updates shell scripts, so the test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed PR changes only add auto-rebase shell scripts; no new Ginkgo tests or OpenShift API usages were introduced.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; only two shell scripts changed, so the SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Only auto-rebase shell scripts changed; no manifests, controllers, or scheduling constraints/topology logic were introduced.
Ote Binary Stdout Contract ✅ Passed PASS — PR only adds rebase shell scripts; no OTE binary/process-level Go entrypoints or JSON-on-stdout test code were changed.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes shell scripts under scripts/auto-rebase.
No-Weak-Crypto ✅ Passed New scripts only orchestrate crypto scanning; they contain no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons.
Container-Privileges ✅ Passed Changed scripts contain no K8s/container privilege fields; crypto_scan.sh uses plain podman run --rm with a volume mount only.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 38: In scripts/auto-rebase/crypto_scan.sh, replace the CBOM status
command substitution at lines 38-38 with separate echo and ls commands, then
apply the same change to the SPDX status output at lines 79-79: echo the
generated-file label first and run ls -lh on the corresponding output variable
separately so failures propagate.
- Line 25: Update the EXIT trap command in crypto_scan.sh to preserve quoting
around SCAN_DIR when the deferred cleanup runs, ensuring rm -rf handles paths
containing spaces safely.
- Around line 1-5: Update the script header to use the /usr/bin/bash shebang,
remove the shellcheck disable directive, and consolidate the separate errexit,
nounset, and pipefail settings into a single set -euo pipefail command.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a283846f-6ebb-4d10-89eb-1fb49d0e47df

📥 Commits

Reviewing files that changed from the base of the PR and between 25d93a1 and 947fd1d.

📒 Files selected for processing (2)
  • scripts/auto-rebase/crypto_scan.sh
  • scripts/auto-rebase/rebase_job_entrypoint.sh

Comment thread scripts/auto-rebase/crypto_scan.sh Outdated
Comment thread scripts/auto-rebase/crypto_scan.sh Outdated
Comment thread scripts/auto-rebase/crypto_scan.sh Outdated
@fracappa
fracappa force-pushed the fca/add-ushift-cbom branch 2 times, most recently from 711e3fe to 494416a Compare July 15, 2026 10:39

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
scripts/auto-rebase/crypto_scan.sh (1)

42-42: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Avoid swallowed errors in command substitutions.

Both lines use command substitutions that mask failures because errexit is not inherited by default. Based on learnings, restructure to avoid the substitution so errors are caught.

  • scripts/auto-rebase/crypto_scan.sh#L42-L42: Replace with echo "CBOM generated:" followed by ls -lh "${CBOM_OUTPUT}" on a new line.
  • scripts/auto-rebase/crypto_scan.sh#L83-L83: Replace with echo "SPDX generated:" followed by ls -lh "${SPDX_OUTPUT}" on a new line.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/auto-rebase/crypto_scan.sh` at line 42, In
scripts/auto-rebase/crypto_scan.sh at lines 42-42 and 83-83, remove the ls
command substitutions from the CBOM and SPDX status messages. In the CBOM
generation flow, print “CBOM generated:” first, then run ls -lh against
CBOM_OUTPUT on the next line; similarly, print “SPDX generated:” first, then run
ls -lh against SPDX_OUTPUT on the next line so failures propagate.

Source: Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 12: Update the EXIT trap command to use single quotes around the trap
body and double-quote IMAGE_DIR, SCANNER_DIR, and SCAN_DIR within it, preventing
early expansion and safely handling paths containing spaces.

---

Duplicate comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 42: In scripts/auto-rebase/crypto_scan.sh at lines 42-42 and 83-83,
remove the ls command substitutions from the CBOM and SPDX status messages. In
the CBOM generation flow, print “CBOM generated:” first, then run ls -lh against
CBOM_OUTPUT on the next line; similarly, print “SPDX generated:” first, then run
ls -lh against SPDX_OUTPUT on the next line so failures propagate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5676ec02-b50f-4b9c-b3e5-1c493893d6e2

📥 Commits

Reviewing files that changed from the base of the PR and between 494416a and d4b1e1d.

📒 Files selected for processing (1)
  • scripts/auto-rebase/crypto_scan.sh

Comment thread scripts/auto-rebase/crypto_scan.sh Outdated
@fracappa
fracappa force-pushed the fca/add-ushift-cbom branch from d4b1e1d to 494416a Compare July 15, 2026 13:36
Comment thread scripts/auto-rebase/crypto_scan.sh Outdated
"${SCANNER_IMAGE}" \
/workspace > "${CBOM_OUTPUT}"

echo "CBOM generated: $(ls -lh "${CBOM_OUTPUT}")"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need some err handling if the scan fails

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eslutsky thanks!
I added it, just let me know if any other change is required


SCANNER_IMAGE="images.paas.redhat.com/exd-sp-guild-security/rh-crypto-scanner-image:latest"
REPOROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../..")"
CBOM_OUTPUT="${REPOROOT}/cbom-microshift.json"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we want to commit it to the root ?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I spoke with @pacevedom and we agreed to push it on the root directory, but feel free to provide any suggestion if you believe there could be better places

@fracappa
fracappa force-pushed the fca/add-ushift-cbom branch 2 times, most recently from 5b39562 to b35283f Compare July 17, 2026 07:25

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 25: Update the EXIT trap in crypto_scan.sh to quote the SCAN_DIR
expansion when removing the directory, ensuring paths containing spaces are
handled safely.
- Line 2: Update the shell options declaration at the start of crypto_scan.sh to
enable errexit by using set -euo pipefail, preserving the existing nounset and
pipefail behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e1125759-c7f9-4cf4-af27-d44b3e1a0791

📥 Commits

Reviewing files that changed from the base of the PR and between d4b1e1d and b35283f.

📒 Files selected for processing (2)
  • scripts/auto-rebase/crypto_scan.sh
  • scripts/auto-rebase/rebase_job_entrypoint.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • scripts/auto-rebase/rebase_job_entrypoint.sh

Comment thread scripts/auto-rebase/crypto_scan.sh Outdated
Comment thread scripts/auto-rebase/crypto_scan.sh Outdated
added auto-rebase crypto_scan.sh script for cbom generation.
This script uses crypto-scanner-iamge to generate a CycloneDX
document. It also provides a SPDX one, by implementing the mapping
suggested by the prod sec team.
@fracappa
fracappa force-pushed the fca/add-ushift-cbom branch from 76b6dbf to 4016fc6 Compare July 17, 2026 08:44
@fracappa

Copy link
Copy Markdown
Author

/retest-required

@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@fracappa: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-tests-bootc-el10 4016fc6 link true /test e2e-aws-tests-bootc-el10

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants