From 74bbca14357571d38e87edf99a14d73cd624926d Mon Sep 17 00:00:00 2001 From: Michael Baum Date: Tue, 16 Jun 2026 07:14:37 +0200 Subject: [PATCH 1/2] make sbom handling more robust. Strip subpath from registry path, don't crash if no sbom was found, don't crash if more then 1 sbm was found --- .../get-custom-scripts/GetSbomLicense.ps1 | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/images/hull-integration/get-custom-scripts/GetSbomLicense.ps1 b/images/hull-integration/get-custom-scripts/GetSbomLicense.ps1 index 8fd50a7..34fad76 100644 --- a/images/hull-integration/get-custom-scripts/GetSbomLicense.ps1 +++ b/images/hull-integration/get-custom-scripts/GetSbomLicense.ps1 @@ -25,9 +25,14 @@ if ([String]::IsNullOrWhitespace($oci_server)) return @{ "statusCode" = 500; "errorMessage" = $errorMessage } | ConvertTo-Json } } -$this.WriteLog("~~~ SBOM: Logging in to $($oci_server)") -oras login $oci_server --username $oci_username --password $oci_password -$this.WriteLog("~~~ SBOM: Logged in to $($oci_server)") +# `oras login` takes a bare registry HOST and rejects a reference that includes a repository path +# (e.g. an ECR endpoint with a version prefix like ".dkr.ecr..amazonaws.com/26.1" -> +# "invalid reference: invalid registry"). Log in to the host only; $oci_server (which may carry the +# path) is still used to build the artifact reference below, so `oras discover` targets the right repo. +$oci_login_host = $oci_server.Split("/")[0] +$this.WriteLog("~~~ SBOM: Logging in to $($oci_login_host)") +oras login $oci_login_host --username $oci_username --password $oci_password +$this.WriteLog("~~~ SBOM: Logged in to $($oci_login_host)") foreach($chartInfo in $entity._helm_charts_) { 
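Review bot: The rewritten `oras login` line still passes the secret as `--password $oci_password`, so it sits in the process arguments while the command runs and can end up in process listings or command tracing on the host. oras can read it from stdin instead: `$oci_password | oras login $oci_login_host --username $oci_username --password-stdin`. The "Logged in" message is also written without checking the result, so a rejected login only surfaces later at the discover step; `if ($LASTEXITCODE -ne 0) { $this.WriteError("~~~ SBOM: Login to $($oci_login_host) failed") }` directly after the call, followed by the same 500 return used above, would report it where it happens. `$oci_server.Split("/")[0]` assumes the value carries no scheme; if a `https://` prefix can occur it yields `https:`, which nothing visible in this hunk rules out. The script starts before and continues after the hunk.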
@@ -49,24 +54,26 @@ foreach($chartInfo in $entity._helm_charts_) if (-not [bool]$discoverJson.PSObject.Properties['referrers']) { - $errorMessage = "~~~ SBOM: Referrers field for $($rootArtifact) does not exist! Skipping license upload ..." - $this.WriteError($errorMessage) - return @{ "statusCode" = 500; "errorMessage" = $errorMessage } | ConvertTo-Json + # No mend/sbom referrer attached to this chart -> nothing to upload. Skip gracefully; a missing + # license artifact must not fail the install (returning 500 here aborts the whole release). + $infoMessage = "~~~ SBOM: Referrers field for $($rootArtifact) does not exist! Skipping license upload ..." + $this.WriteLog($infoMessage) + return @{ "statusCode" = 200; "errorMessage" = $infoMessage } | ConvertTo-Json } if (($discoverJson.referrers | Measure-Object).Count -eq 0) { - $errorMessage = "~~~ SBOM: Referrers field for $($rootArtifact) has zero elements! Skipping license upload ..." - $this.WriteError($errorMessage) - return @{ "statusCode" = 500; "errorMessage" = $errorMessage } | ConvertTo-Json + $infoMessage = "~~~ SBOM: Referrers field for $($rootArtifact) has zero elements! Skipping license upload ..." + $this.WriteLog($infoMessage) + return @{ "statusCode" = 200; "errorMessage" = $infoMessage } | ConvertTo-Json } else { if (($discoverJson.referrers | Measure-Object ).Count -gt 1) { - $errorMessage = "~~~ SBOM: Referrers field for $($rootArtifact) has more than one element! Only considering first element ..." - $this.WriteError($errorMessage) - return @{ "statusCode" = 500; "errorMessage" = $errorMessage } | ConvertTo-Json + # Multiple mend/sbom referrers -> warn and proceed with the first (the download below uses + # referrers[0]). This is informational, not a failure, so don't abort the install. + $this.WriteLog("~~~ SBOM: Referrers field for $($rootArtifact) has more than one element! Only considering first element ...") } # Download Artifacts 
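Review bot: The two skip branches now return `"statusCode" = 200` while still putting the text under `errorMessage`, so a caller cannot tell "license uploaded" from "no SBOM referrer found". A chart whose SBOM was removed or never attached then installs with no signal beyond a log line. If a missing SBOM must not block the release, make that outcome explicit, for example by keeping the higher log level with `$this.WriteError($infoMessage)` or by adding a key the caller can check; the result schema is not visible here, so confirm what it accepts. In the `-gt 1` branch the code now proceeds with `referrers[0]`; whether the discover call filters by artifact type is outside this hunk, and if it does not, the first element is not guaranteed to be the SBOM. The `foreach` body starts before and continues after the hunk.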
From 208e38538975756eaa75acf79181904e078e668e Mon Sep 17 00:00:00 2001
From: Michael Baum
Date: Tue, 16 Jun 2026 10:42:28 +0200
Subject: [PATCH 2/2] remove additional changes beside the server root login
---
.../get-custom-scripts/GetSbomLicense.ps1 | 20 +++++++++----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/images/hull-integration/get-custom-scripts/GetSbomLicense.ps1 b/images/hull-integration/get-custom-scripts/GetSbomLicense.ps1
index 34fad76..84ef750 100644
--- a/images/hull-integration/get-custom-scripts/GetSbomLicense.ps1
+++ b/images/hull-integration/get-custom-scripts/GetSbomLicense.ps1
@@ -54,26 +54,24 @@ foreach($chartInfo in $entity._helm_charts_) if (-not [bool]$discoverJson.PSObject.Properties['referrers']) { - # No mend/sbom referrer attached to this chart -> nothing to upload. Skip gracefully; a missing - # license artifact must not fail the install (returning 500 here aborts the whole release). - $infoMessage = "~~~ SBOM: Referrers field for $($rootArtifact) does not exist! Skipping license upload ..." - $this.WriteLog($infoMessage) - return @{ "statusCode" = 200; "errorMessage" = $infoMessage } | ConvertTo-Json + $errorMessage = "~~~ SBOM: Referrers field for $($rootArtifact) does not exist! Skipping license upload ..." + $this.WriteError($errorMessage) + return @{ "statusCode" = 500; "errorMessage" = $errorMessage } | ConvertTo-Json } if (($discoverJson.referrers | Measure-Object).Count -eq 0) { - $infoMessage = "~~~ SBOM: Referrers field for $($rootArtifact) has zero elements! Skipping license upload ..." - $this.WriteLog($infoMessage) - return @{ "statusCode" = 200; "errorMessage" = $infoMessage } | ConvertTo-Json + $errorMessage = "~~~ SBOM: Referrers field for $($rootArtifact) has zero elements! Skipping license upload ..." + $this.WriteError($errorMessage) + return @{ "statusCode" = 500; "errorMessage" = $errorMessage } | ConvertTo-Json } else { if (($discoverJson.referrers | Measure-Object ).Count -gt 1) { - # Multiple mend/sbom referrers -> warn and proceed with the first (the download below uses - # referrers[0]). This is informational, not a failure, so don't abort the install. - $this.WriteLog("~~~ SBOM: Referrers field for $($rootArtifact) has more than one element! Only considering first element ...") + $errorMessage = "~~~ SBOM: Referrers field for $($rootArtifact) has more than one element! Only considering first element ..." + $this.WriteError($errorMessage) + return @{ "statusCode" = 500; "errorMessage" = $errorMessage } | ConvertTo-Json } # Download Artifacts
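Review bot: With the 500 returns restored, the `-gt 1` branch logs "Only considering first element ..." and then returns an error without considering any element, and both empty-referrer branches say "Skipping license upload ..." while failing the call. The messages should state what the code does, e.g. `$errorMessage = "~~~ SBOM: Referrers field for $($rootArtifact) has more than one element! Aborting license upload ..."`. A short comment above the three returns, saying that a missing or ambiguous SBOM referrer is deliberately treated as a failure, would record the intent for whoever next considers relaxing it. The `foreach` body starts before and continues after the hunk.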