Update hcp-sbom provisioner docs

command/build.go

@@ -315,6 +315,15 @@ Check that you are using an HCP Ready integration before trying again:
 					artifacts.Unlock()
 				}
 			}
+
+			// If the build succeeded but uploading to HCP failed,
+			// Packer should exit non-zero, so we re-assign the
+			// error to account for this case.
+			if hcperr != nil && err == nil {
+				errs.Lock()
+				errs.m[name] = hcperr
+				errs.Unlock()
+			}
 		}()
 
 		if cla.Debug {

command/execute.go

@@ -28,6 +28,7 @@ import (
 	shelllocalpostprocessor "github.com/hashicorp/packer/post-processor/shell-local"
 	breakpointprovisioner "github.com/hashicorp/packer/provisioner/breakpoint"
 	fileprovisioner "github.com/hashicorp/packer/provisioner/file"
+	hcpsbomprovisioner "github.com/hashicorp/packer/provisioner/hcp-sbom"
 	powershellprovisioner "github.com/hashicorp/packer/provisioner/powershell"
 	shellprovisioner "github.com/hashicorp/packer/provisioner/shell"
 	shelllocalprovisioner "github.com/hashicorp/packer/provisioner/shell-local"
@@ -48,6 +49,7 @@ var Builders = map[string]packersdk.Builder{
 var Provisioners = map[string]packersdk.Provisioner{
 	"breakpoint":      new(breakpointprovisioner.Provisioner),
 	"file":            new(fileprovisioner.Provisioner),
+	"hcp-sbom":        new(hcpsbomprovisioner.Provisioner),
 	"powershell":      new(powershellprovisioner.Provisioner),
 	"shell":           new(shellprovisioner.Provisioner),
 	"shell-local":     new(shelllocalprovisioner.Provisioner),

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/hashicorp/hcp-sdk-go v0.131.0
 	github.com/hashicorp/packer-plugin-sdk v0.6.0
 	github.com/jehiah/go-strftime v0.0.0-20171201141054-1d33003b3869
-	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/klauspost/compress v1.13.6
 	github.com/klauspost/pgzip v1.2.5
 	github.com/masterzen/winrm v0.0.0-20210623064412-3b76017826b0
 	github.com/mattn/go-runewidth v0.0.13 // indirect
@@ -57,10 +57,12 @@ require (
 )
 
 require (
+	github.com/CycloneDX/cyclonedx-go v0.9.1
 	github.com/go-openapi/strfmt v0.21.10
 	github.com/oklog/ulid v1.3.1
 	github.com/pierrec/lz4/v4 v4.1.18
 	github.com/shirou/gopsutil/v3 v3.23.4
+	github.com/spdx/tools-golang v0.5.5
 )
 
 require (
@@ -77,6 +79,7 @@ require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/ProtonMail/go-crypto v1.1.3 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/apparentlymart/go-cidr v1.0.1 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect

go.sum

@@ -20,6 +20,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/ChrisTrenkamp/goxpath v0.0.0-20170922090931-c385f95c6022/go.mod h1:nuWgzSkT5PnyOd+272uUmV0dnAnAn42Mk7PiQC5VzN4=
 github.com/ChrisTrenkamp/goxpath v0.0.0-20210404020558-97928f7e12b6 h1:w0E0fgc1YafGEh5cROhlROMWXiNoZqApk2PDN0M1+Ns=
 github.com/ChrisTrenkamp/goxpath v0.0.0-20210404020558-97928f7e12b6/go.mod h1:nuWgzSkT5PnyOd+272uUmV0dnAnAn42Mk7PiQC5VzN4=
+github.com/CycloneDX/cyclonedx-go v0.9.1 h1:yffaWOZsv77oTJa/SdVZYdgAgFioCeycBUKkqS2qzQM=
+github.com/CycloneDX/cyclonedx-go v0.9.1/go.mod h1:NE/EWvzELOFlG6+ljX/QeMlVt9VKcTwu8u0ccsACEsw=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
@@ -38,6 +40,8 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antchfx/xmlquery v1.3.5 h1:I7TuBRqsnfFuL11ruavGm911Awx9IqSdiU6W/ztSmVw=
@@ -78,6 +82,8 @@ github.com/biogo/hts v1.4.3 h1:vir2yUTiRkPvtp6ZTpzh9lWTKQJZXJKZ563rpAQAsRM=
 github.com/biogo/hts v1.4.3/go.mod h1:eW40HJ1l2ExK9C+yvvoRSftInqWsf3ue+zAEjzCGWjA=
 github.com/bmatcuk/doublestar v1.1.5 h1:2bNwBOmhyFEFcoB3tGvTD5xanq+4kyOZlB8wFYbMjkk=
 github.com/bmatcuk/doublestar v1.1.5/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
 github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -490,6 +496,9 @@ github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0
 github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
+github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
+github.com/spdx/tools-golang v0.5.5 h1:61c0KLfAcNqAjlg6UNMdkwpMernhw3zVRwDZ2x9XOmk=
+github.com/spdx/tools-golang v0.5.5/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYecciXgrw5vE=
 github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -509,8 +518,12 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
+github.com/terminalstatic/go-xsd-validate v0.1.5/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=
 github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=
 github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI=
 github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms=
@@ -533,6 +546,10 @@ github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3k
 github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg=
@@ -739,3 +756,4 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

hcl2template/types.packer_config.go

@@ -573,6 +573,12 @@ func (cfg *PackerConfig) getCoreBuildProvisioner(source SourceUseBlock, pb *Prov
 		}
 	}
 
+	if pb.PType == "hcp-sbom" {
+		provisioner = &packer.SBOMInternalProvisioner{
+			Provisioner: provisioner,
+		}
+	}
+
 	return packer.CoreBuildProvisioner{
 		PType:       pb.PType,
 		PName:       pb.PName,

internal/hcp/registry/types.bucket.go

@@ -12,7 +12,10 @@ import (
 	"sync"
 	"time"
 
+	"github.com/hashicorp/packer/packer"
+
 	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/hcp-sdk-go/clients/cloud-packer-service/stable/2023-01-01/client/packer_service"
 	hcpPackerModels "github.com/hashicorp/hcp-sdk-go/clients/cloud-packer-service/stable/2023-01-01/models"
 	packerSDK "github.com/hashicorp/packer-plugin-sdk/packer"
 	packerSDKRegistry "github.com/hashicorp/packer-plugin-sdk/packer/registry/image"
@@ -222,6 +225,35 @@ func (bucket *Bucket) UpdateBuildStatus(
 	return nil
 }
 
+func (bucket *Bucket) uploadSbom(ctx context.Context, buildName string, sbom packer.SBOM) error {
+	buildToUpdate, err := bucket.Version.Build(buildName)
+	if err != nil {
+		return err
+	}
+
+	log.Println(
+		"[TRACE] jennajenna uploadsbom called", buildToUpdate.ID,
+	)
+	if buildToUpdate.ID == "" {
+		return fmt.Errorf("the build for the component %q does not have a valid id", buildName)
+	}
+	_, err = bucket.client.Packer.PackerServiceUploadSbom(
+		&packer_service.PackerServiceUploadSbomParams{
+			Context:     ctx,
+			BucketName:  bucket.Name,
+			Fingerprint: bucket.Version.Fingerprint,
+			BuildID:     buildToUpdate.ID,
+			Body: &hcpPackerModels.HashicorpCloudPacker20230101UploadSbomBody{
+				CompressedSbom: sbom.CompressedData,
+				Name:           sbom.Name,
+				Format:         &sbom.Format,
+			},
+		},
+		nil,
+	)
+	return err
+}
+
 // markBuildComplete should be called to set a build on the HCP Packer registry to DONE.
 // Upon a successful call markBuildComplete will publish all artifacts created by the named build,
 // and set the build to done. A build with no artifacts can not be set to DONE.
@@ -610,7 +642,6 @@ func (bucket *Bucket) completeBuild(
 	doneCh, ok := bucket.RunningBuilds[buildName]
 	if !ok {
 		log.Print("[ERROR] done build does not have an entry in the heartbeat table, state will be inconsistent.")
-
 	} else {
 		log.Printf("[TRACE] signal stopping heartbeats")
 		// Stop heartbeating
@@ -630,6 +661,23 @@ func (bucket *Bucket) completeBuild(
 		return packerSDKArtifacts, fmt.Errorf("build failed, not uploading artifacts")
 	}
 
+	artifacts, err := bucket.doCompleteBuild(ctx, buildName, packerSDKArtifacts, buildErr)
+	if err != nil {
+		err := bucket.UpdateBuildStatus(ctx, buildName, hcpPackerModels.HashicorpCloudPacker20230101BuildStatusBUILDFAILED)
+		if err != nil {
+			log.Printf("[ERROR] failed to update build %q status to FAILED: %s", buildName, err)
+		}
+	}
+
+	return artifacts, err
+}
+
+func (bucket *Bucket) doCompleteBuild(
+	ctx context.Context,
+	buildName string,
+	packerSDKArtifacts []packerSDK.Artifact,
+	buildErr error,
+) ([]packerSDK.Artifact, error) {
 	for _, art := range packerSDKArtifacts {
 		var sdkImages []packerSDKRegistry.Image
 		decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
@@ -673,6 +721,13 @@ func (bucket *Bucket) completeBuild(
 		}
 	}
 
+	for _, sbom := range build.CompressedSboms {
+		err = bucket.uploadSbom(ctx, buildName, sbom)
+		if err != nil {
+			return packerSDKArtifacts, fmt.Errorf("Failed to upload sboms %s", err)
+		}
+	}
+
 	parErr := bucket.markBuildComplete(ctx, buildName)
 	if parErr != nil {
 		return packerSDKArtifacts, fmt.Errorf(

internal/hcp/registry/types.builds.go

@@ -6,6 +6,8 @@ package registry
 import (
 	"fmt"
 
+	"github.com/hashicorp/packer/packer"
+
 	hcpPackerModels "github.com/hashicorp/hcp-sdk-go/clients/cloud-packer-service/stable/2023-01-01/models"
 	packerSDKRegistry "github.com/hashicorp/packer-plugin-sdk/packer/registry/image"
 )
@@ -20,6 +22,8 @@ type Build struct {
 	Artifacts     map[string]packerSDKRegistry.Image
 	Status        hcpPackerModels.HashicorpCloudPacker20230101BuildStatus
 	Metadata      hcpPackerModels.HashicorpCloudPacker20230101BuildMetadata
+
+	CompressedSboms []packer.SBOM
 }
 
 // NewBuildFromCloudPackerBuild converts a HashicorpCloudPackerBuild to a local build that can be tracked and

internal/hcp/registry/types.version.go

@@ -205,5 +205,8 @@ func (version *Version) AddMetadataToBuild(
 	buildToUpdate.Metadata.Vcs = globalMetadata.Vcs
 	buildToUpdate.Metadata.Cicd = globalMetadata.Cicd
 
+	// TODO IMO this shouldn't be metadata
+	buildToUpdate.CompressedSboms = buildMetadata.SBOMs
+
 	return nil
 }

packer/build.go

@@ -9,6 +9,7 @@ import (
 	"log"
 	"sync"
 
+	hcpPackerModels "github.com/hashicorp/hcp-sdk-go/clients/cloud-packer-service/stable/2023-01-01/models"
 	"github.com/hashicorp/packer-plugin-sdk/common"
 	packersdk "github.com/hashicorp/packer-plugin-sdk/packer"
 	"github.com/hashicorp/packer-plugin-sdk/packerbuilderdata"
@@ -50,11 +51,20 @@ type CoreBuild struct {
 	onError       string
 	l             sync.Mutex
 	prepareCalled bool
+
+	SBOMs []SBOM
+}
+
+type SBOM struct {
+	Name           string
+	Format         hcpPackerModels.HashicorpCloudPacker20230101SbomFormat
+	CompressedData []byte
 }
 
 type BuildMetadata struct {
 	PackerVersion string
 	Plugins       map[string]PluginDetails
+	SBOMs         []SBOM
 }
 
 func (b *CoreBuild) getPluginsMetadata() map[string]PluginDetails {
@@ -88,6 +98,7 @@ func (b *CoreBuild) GetMetadata() BuildMetadata {
 	metadata := BuildMetadata{
 		PackerVersion: version.FormattedVersion(),
 		Plugins:       b.getPluginsMetadata(),
+		SBOMs:         b.SBOMs,
 	}
 	return metadata
 }
@@ -300,6 +311,18 @@ func (b *CoreBuild) Run(ctx context.Context, originalUi packersdk.Ui) ([]packers
 		return nil, err
 	}
 
+	for _, p := range b.Provisioners {
+		sbomInternalProvisioner, ok := p.Provisioner.(*SBOMInternalProvisioner)
+		if ok {
+			sbom := SBOM{
+				Name:           sbomInternalProvisioner.SBOMName,
+				Format:         sbomInternalProvisioner.SBOMFormat,
+				CompressedData: sbomInternalProvisioner.CompressedData,
+			}
+			b.SBOMs = append(b.SBOMs, sbom)
+		}
+	}
+
 	// If there was no result, don't worry about running post-processors
 	// because there is nothing they can do, just return.
 	if builderArtifact == nil {

packer/core.go

@@ -296,6 +296,13 @@ func (c *Core) generateCoreBuildProvisioner(rawP *template.Provisioner, rawName
 			Provisioner: provisioner,
 		}
 	}
+
+	if rawP.Type == "hcp-sbom" {
+		provisioner = &SBOMInternalProvisioner{
+			Provisioner: provisioner,
+		}
+	}
+
 	cbp = CoreBuildProvisioner{
 		PType:       rawP.Type,
 		Provisioner: provisioner,