Skip to main content
Version: Next

Hoppr Processing 101

Hoppr has a simple architecture. Prepare a few core input files for the Hippo, run hopctl, and receive outputs. Details below:

Hoppr Processing

note

See more architectural processing details on our execution sequence diagrams.

Four Input Files

  1. CycloneDX SBOMs (JSON)
  2. Manifest (YAML)
    • A composite of all CycloneDX SBOMs to be processed; may include other Manifests
    • Identifies repositories from which software components are to be retrieved
  3. Transfer (YAML)
    • A list of stages for Hoppr to execute; each stage is a list of Hoppr processing plugins.
  4. Credentials (YAML)
    • (Optional) - specifies authentication credentials for Hoppr network activity

Input File Schemas

Schemas

All input file schemas are in JSON as YAML can be converted to JSON and validated against the schema. Example schema validation using yq and jsonschema.

$ cat airgapped.yml | yq eval -P -o json > airgap-manifest.json
$ curl "https://gitlab.com/api/v4/projects/34748703/packages/generic/schemas/v1/hoppr-manifest-schema-v1.json" \
-o manifest-schema.json

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3205 100 3205 0 0 436 0 0:00:07 0:00:07 --:--:-- 740

$ jsonschema --instance airgap-manifest.json manifest-schema.json
$ echo $?
0

Outputs

Example Hoppr Project

This is a simplified example to illustrate the input files and the relationship between them.

ExampleGraph

In this example, the root manifest references manifests for two other products.

Example SBOMs & Manifests

  • Product A contains a CycloneDX SBOM on the "as-built" components that need to be transferred and their build dependencies.
  • Product B contains two CycloneDX SBOMs for two different components that need to be transferred and their build dependencies.
  • Both Products have Manifest files to specify what SBOMs are needed for the product to work. Each manifest also specifies a list of repositories to be searched for components specified in their SBOMs.
  • Lastly, the third party has a Manifest that has either local or URL includes of Product A and Product B's Manifests, but does not include any SBOMs directly.

We recommend using a tool like renovate to keep your source projects up-to-date, and include the generation of Manifest and SBOM files in your continuous delivery pipeline(s). In this way, any transfers that are made with Hoppr can be kept current as well.

Example Transfer

For more information on configuration options see the transfer file documentation

Example Credentials

For more information on configuration options see the credentials file documentation