get-sbom and sbom-to-manifest get-pkglist

get-sbom and sbom-to-manifest

Just a friendly wrapper for getting the SBOM of an image.

$ ./get-sbom cgr.dev/chainguard/busybox:latest | ./sbom-to-manifest
alpine-baselayout-data	3.6.5-r0
alpine-keys	2.4-r1
alpine-release	3.20.0-r0
busybox	1.36.1-r29
ca-certificates-bundle	20240226-r0
libcrypto3	3.3.0-r2
libssl3	3.3.0-r2
musl	1.2.5-r1
ssl_client	1.36.1-r29

or, same thing:

$ ./get-manifest cgr.dev/chainguard/busybox:latest
#!/bin/sh
# from
# https://edu.chainguard.dev/chainguard/chainguard-images/images-features/retrieve-image-sboms/
# Print the usage text (script name, one-line purpose, one example) to stdout.
Usage() {
  local name="${0##*/}"
  printf '%s\n' \
    "$name url" \
    "download the sbom from url" \
    "\$ $name k3d-k3d.localhost:5005/busybox:latest"
}
# Run the given command line; on failure print "failed [status] <command>"
# to stderr and return that same status. Returns 0 (silently) on success.
rq() {
  local status=0
  "$@" || status=$?
  [ "$status" -eq 0 ] && return 0
  echo "failed [$status] $*" 1>&2
  return "$status"
}
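# Read an SPDX SBOM (JSON) on stdin and print "name<TAB>version" per package,
# sorted, on stdout. Document-level entries (SPDXID not starting with
# "SPDXRef-Package") and digest pseudo-packages (name "sha256:...") are dropped.
# Returns 0 on success, 1 if mktemp, jq or sort fails.
sbom_to_manifest() {
  local rc=1 tmpf=""
  # jq output goes through a temp file rather than a pipe so that a jq failure
  # is not masked by sort's exit status (this is /bin/sh: no pipefail).
  tmpf=$(mktemp) || return 1
  # ".packages[]" rather than ".packages.[]": the dotted form is only accepted
  # by newer jq releases, the plain form by all of them.
  jq -r '
    .packages[] |
    select(.name | startswith("sha256:") | not) |
    select(.SPDXID | startswith("SPDXRef-Package")) |
    .name + "\t" + .versionInfo' > "$tmpf" &&
    sort < "$tmpf" && rc=0
  rm -f "$tmpf"
  return "$rc"
}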
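# Download the SPDX attestation for image reference $1 (linux/amd64 only) and
# print its .predicate (the SBOM document) on stdout.
# NOTE: `cosign download attestation` fetches the attestation without checking
# its signature, so what is printed here is only as trustworthy as the registry
# it was pulled from; use `cosign verify-attestation` with the publisher's
# identity where that matters.
# Returns 0 on success, 1 if $1 is empty or mktemp fails, 99 if any step fails.
get_sbom() {
  local url="$1" tmpd="" rc=99
  if [ -z "$url" ]; then
    echo "get_sbom: image reference (url) is required" 1>&2
    return 1
  fi
  tmpd=$(mktemp -d) || return 1
  # Each stage writes into the temp dir so a failing stage stops the chain.
  rq \
    cosign download attestation \
      --platform=linux/amd64 \
      --predicate-type=https://spdx.dev/Document \
      "$url" > "$tmpd/raw" &&
    jq -r .payload < "$tmpd/raw" > "$tmpd/payload.b64" &&
    base64 -d < "$tmpd/payload.b64" > "$tmpd/payload" &&
    jq .predicate < "$tmpd/payload" &&
    rc=0
  rm -Rf "$tmpd"
  return "$rc"
}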
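# Entry point. The mode comes from the first argument, or from the name the
# script was invoked as (get-sbom, get-manifest, sbom-to-manifest symlinks).
[ "$#" -eq 0 ] && { Usage 1>&2; exit 1; }
case "$1" in
  -h|--help) Usage; exit 0;;
esac
mode=""
case "$1" in
  get-sbom|sbom-to-manifest|get-manifest)
    mode="$1"
    shift;;
esac
if [ -z "$mode" ]; then
  case "${0##*/}" in
    get-sbom|sbom-to-manifest|get-manifest)
      mode="${0##*/}";;
  esac
fi
[ -n "$mode" ] ||
  { Usage; echo "Could not find mode for $0/$1"; exit 1; } 1>&2
# Mode names use hyphens everywhere (they are script names); the case arm
# below must match the hyphenated form, or sbom-to-manifest is never reachable.
case "$mode" in
  get-sbom) get_sbom "$@";;
  # Note: in /bin/sh the pipeline's status is sbom_to_manifest's, so a failed
  # download only shows up as an empty manifest plus rq's message on stderr.
  get-manifest) get_sbom "$@" | sbom_to_manifest;;
  sbom-to-manifest) sbom_to_manifest;;
  *) echo "unknown mode '$mode'" 1>&2; exit 1;;
esac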
#!/bin/bash
# Print the usage text, framed by blank lines, to stdout.
show_help() {
  cat <<EOF

Usage: $0 image-stream-base-uri image-stream-version
 $0 cgr.dev/chainguard-private/python 3.9

Options:
 --platform Specifies the platform in the form os/arch[/variant][:osversion] (default: linux/amd64)
 --image-ref-type tags | digests (default: tags)
 -h, --help Display this help message and exit

EOF
}
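# Argument handling. "-h/--help" is advertised by show_help, so honour it with
# exit 0; anything other than exactly two positional arguments is an error.
# (--platform and --image-ref-type are listed in the help text but, as far as
# this file shows, are not parsed anywhere.)
case "${1-}" in
  -h|--help)
    show_help
    exit 0
    ;;
esac
if [ "$#" -ne 2 ]; then
  show_help
  exit 1
fi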
# Formatting variables: ANSI SGR escape sequences, expanded later by `echo -e`.
normal="\e[0m"   # Normal text
purple="\e[35m"  # Purple
# Other colours, kept for reference but not used:
#green="\e[32m"  #red="\e[31m"  #yellow="\e[33m"  #blue="\e[34m"
#cyan="\e[36m"   #lightgrey="\e[37m"
#
# Positional arguments: repository (a leading "cgr.dev/" is stripped so the
# registry host can be added back explicitly below) and stream version.
repository=${1#cgr.dev/}
version=$2
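# Fetch the image-stream history (requires crane, curl and jq).
# `crane auth token -H` prints the token as a ready-made "Authorization: ..."
# header line; it is handed to curl on stdin (-H @-) rather than on the command
# line, so the token does not show up in `ps` or in `set -x` traces.
tok=$(crane auth token -H "cgr.dev/$repository") || {
  echo "error: could not get a registry token for cgr.dev/$repository" >&2
  exit 1
}
history_url="https://cgr.dev/v2/$repository/_chainguard/history/$version"
# -f turns HTTP errors into a non-zero exit instead of feeding an error body to jq.
history=$(printf '%s\n' "$tok" | curl -sSf -H @- "$history_url") || {
  echo "error: request to $history_url failed" >&2
  exit 1
}
# One digest per history record, in API order (index 0 is labelled oldest below).
mapfile -t historyapidigestarray < <(jq -r '.history[].digest' <<<"$history")
echo ""
echo "History API digests found: ${#historyapidigestarray[@]}"
echo "oldest:"
printf ' - timestamp: %s\n' "$(jq -r '.history[0].updateTimestamp' <<<"$history")"
echo "newest:"
printf ' - timestamp: %s\n' "$(jq -r '.history[-1].updateTimestamp' <<<"$history")"
frepo="cgr.dev/$repository"
# Walk the history newest to oldest.
for ((i = ${#historyapidigestarray[@]} - 1; i >= 0; i--)); do
  mfdigest=${historyapidigestarray[i]}
  # Pass the index as a jq variable instead of splicing it into the filter text.
  timestamp=$(jq -r --argjson i "$i" '.history[$i].updateTimestamp' <<<"$history")
  MULTIARCHIMAGE="$frepo@$mfdigest"
  mfblob=$(crane manifest "$MULTIARCHIMAGE")
  case "$mfblob" in
    *\"manifests\":*)
      # Image index: resolve the amd64 child manifest.
      archmfdigest=$(jq -r '.manifests[] | select(.platform.architecture=="amd64") | .digest' <<<"$mfblob")
      if [ -z "$archmfdigest" ]; then
        echo "error: no amd64 manifest in $MULTIARCHIMAGE" >&2
        continue
      fi
      archmfblob=$(crane manifest "$frepo@$archmfdigest")
      ;;
    "")
      # Nothing came back. Skip this entry so the archmfdigest left over from
      # the previous iteration is not reported against this digest.
      echo "error: $MULTIARCHIMAGE seems wrong" >&2
      continue
      ;;
    *)
      # Single-platform manifest: the image digest is the arch digest.
      archmfdigest="$mfdigest"
      archmfblob=$mfblob
      ;;
  esac
  # archmfblob and AMD64IMAGE are not referenced elsewhere in this file.
  AMD64IMAGE="cgr.dev/$repository@$archmfdigest"
  # %b expands the colour escapes; %s keeps registry-supplied text literal.
  printf '[%d]: %b%s%b\n' "$i" "$purple" "$timestamp" "$normal"
  # Only image indexes get the per-arch lines; single-platform entries stop here.
  [ "$archmfdigest" != "$mfdigest" ] || continue
  printf 'Multi-Arch Image: %b%s%b\n' "$purple" "$MULTIARCHIMAGE" "$normal"
  printf 'AMD64 Image: %b%s%b\n' "$purple" "$frepo@$archmfdigest" "$normal"
  #get-pkglist --single-arch "$frepo@${archmfdigest}"
done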