From b8c9f2b3d7f17f134a60fd729d50959c30d7d1f7 Mon Sep 17 00:00:00 2001
From: Hongwei Liu <hongliu@redhat.com>
Date: Wed, 25 Sep 2024 21:27:53 +0800
Subject: [PATCH 1/2] fix(KFLUXBUGS-1601): use base image annotation to get its
 tag

* Label org.opencontainers.image.base.name doesn't exist
* Use annotation org.opencontainers.image.base.name to derive base image

Signed-off-by: Hongwei Liu <hongliu@redhat.com>
---
 task/fbc-validation/0.1/fbc-validation.yaml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/task/fbc-validation/0.1/fbc-validation.yaml b/task/fbc-validation/0.1/fbc-validation.yaml
index 9782d7b37..fed06194f 100644
--- a/task/fbc-validation/0.1/fbc-validation.yaml
+++ b/task/fbc-validation/0.1/fbc-validation.yaml
@@ -95,10 +95,18 @@ spec:
           exit 0
         fi
 
+        if [ ! -s ../inspect-image/raw_image_inspect.json ]; then
+          echo "File $(workspaces.workspace.path)/hacbs/inspect-image/raw_image_inspect.json did not generate correctly. Check inspect-image task log."
+          note="Task $(context.task.name) failed: $(workspaces.workspace.path)/hacbs/inspect-image/raw_image_inspect.json did not generate correctly. For details, check Tekton task result TEST_OUTPUT in task inspect-image."
+          TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
+          echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
+          exit 0
+        fi
+
         status=0
-        base_image_name=$(jq -r ".Labels.\"org.opencontainers.image.base.name\"" ../inspect-image/image_inspect.json) || status=$?
+        base_image_name=$(jq -r ".annotations.\"org.opencontainers.image.base.name\"" ../inspect-image/raw_image_inspect.json) || status=$?
         if [ $status -ne 0 ]; then
-          echo "Could not get labels from inspect-image/image_inspect.json. Make sure file exists and it contains this label: org.opencontainers.image.base.name"
+          echo "Could not get annotations from inspect-image/raw_image_inspect.json. Make sure file exists and it contains this annotation: org.opencontainers.image.base.name"
           TEST_OUTPUT="$(make_result_json -r ERROR)"
           echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
           exit 0

From 0da6620373ea168059f9378404802ebb85d1ce7a Mon Sep 17 00:00:00 2001
From: Hongwei Liu <hongliu@redhat.com>
Date: Wed, 25 Sep 2024 21:45:45 +0800
Subject: [PATCH 2/2] fix: quote string var to prevent word splitting

* quote string var to prevent word splitting SC2046
  refer to https://github.com/konflux-ci/build-definitions/
  actions/runs/11034165969/job/30647384452?pr=1468

Signed-off-by: Hongwei Liu <hongliu@redhat.com>
---
 task/fbc-validation/0.1/fbc-validation.yaml | 31 ++++++++++++++-------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/task/fbc-validation/0.1/fbc-validation.yaml b/task/fbc-validation/0.1/fbc-validation.yaml
index fed06194f..82201c985 100644
--- a/task/fbc-validation/0.1/fbc-validation.yaml
+++ b/task/fbc-validation/0.1/fbc-validation.yaml
@@ -63,7 +63,7 @@ spec:
           echo "Base image is unknown. The file-based catalog must have base image defined. Check inspect-image task log."
           note="Task $(context.task.name) failed: The file-based catalog must have base image defined. For details, check Tekton task result TEST_OUTPUT in task inspect-image."
           TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
-          echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
+          echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
           exit 0
         fi
 
@@ -82,7 +82,7 @@ spec:
           echo "Base image ${BASE_IMAGE} is not allowed for the file based catalog image. Allowed images: ${ALLOWED_BASE_IMAGES}"
           note="Task $(context.task.name) failed: Base image ${BASE_IMAGE} is not allowed for the file based catalog image. For details, check Tekton task logs"
           TEST_OUTPUT=$(make_result_json -r FAILURE -f 1 -t "$note")
-          echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
+          echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
           exit 0
         fi
 
@@ -91,7 +91,7 @@ spec:
           echo "File $(workspaces.workspace.path)/hacbs/inspect-image/image_inspect.json did not generate correctly. Check inspect-image task log."
           note="Task $(context.task.name) failed: $(workspaces.workspace.path)/hacbs/inspect-image/image_inspect.json did not generate correctly. For details, check Tekton task result TEST_OUTPUT in task inspect-image."
           TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
-          echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
+          echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
           exit 0
         fi
 
@@ -99,14 +99,25 @@ spec:
           echo "File $(workspaces.workspace.path)/hacbs/inspect-image/raw_image_inspect.json did not generate correctly. Check inspect-image task log."
           note="Task $(context.task.name) failed: $(workspaces.workspace.path)/hacbs/inspect-image/raw_image_inspect.json did not generate correctly. For details, check Tekton task result TEST_OUTPUT in task inspect-image."
           TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
-          echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
+          echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
           exit 0
         fi
 
-        status=0
-        base_image_name=$(jq -r ".annotations.\"org.opencontainers.image.base.name\"" ../inspect-image/raw_image_inspect.json) || status=$?
-        if [ $status -ne 0 ]; then
+        echo "Getting base image for source image ${IMAGE_URL}."
+        base_image_name="$(jq -r ".annotations.\"org.opencontainers.image.base.name\"" ../inspect-image/raw_image_inspect.json)" || status=$?
+        if [ "$base_image_name" == 'null' ]; then
           echo "Could not get annotations from inspect-image/raw_image_inspect.json. Make sure file exists and it contains this annotation: org.opencontainers.image.base.name"
+          echo "Try to get base image from label..."
+          base_image_name="$(jq -r ".Labels.\"org.opencontainers.image.base.name\"" ../inspect-image/image_inspect.json)" || status=$?
+          if [ "$base_image_name" == 'null' ]; then
+            echo "Cannot get base image info from Labels. For details, check source image ../inspect-image/image_inspect.json."
+            TEST_OUTPUT="$(make_result_json -r ERROR)"
+            echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+            exit 0
+          fi
+        fi
+        if [ -z "$base_image_name" ]; then
+          echo "Source image ${IMAGE_URL} is built from scratch, so there is no base image."
           TEST_OUTPUT="$(make_result_json -r ERROR)"
           echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
           exit 0
@@ -128,7 +139,7 @@ spec:
           echo "Unable to extract or validate extracted binaries."
           note="Task $(context.task.name) failed: Failed to extract image with oc extract command, so it cannot validate extracted binaries. For details, check Tekton task log."
           ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
-          echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
+          echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
           popd
           exit 0
         fi
@@ -260,9 +271,9 @@ spec:
         note="Task $(context.task.name) completed: Check result for task result."
         if [ $TESTPASSED == false ]; then
           ERROR_OUTPUT=$(make_result_json -r FAILURE -f $failure_num -s $((check_num - failure_num)) -t "$note")
-          echo "${ERROR_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
+          echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
         else
           TEST_OUTPUT=$(make_result_json -r SUCCESS -s $check_num -t "$note")
-          echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
+          echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
         fi
         popd