Hoppr Processing 101
Hoppr has a simple architecture: prepare a few core input files for the Hippo, run
hopctl, and receive outputs. Details below:
See more architectural processing details on our execution sequence diagrams.
Four Input Files
- CycloneDX SBOMs (JSON)
  - A list of software components (e.g. software packages, digital assets)
- Manifest (YAML)
  - A composite of all CycloneDX SBOMs to be processed; may include other Manifests
  - Identifies repositories from which software components are to be retrieved
- Transfer (YAML)
  - A list of stages for Hoppr to execute; each stage is a list of Hoppr processing plugins
- Credentials (YAML)
  - (Optional) Specifies authentication credentials for Hoppr network activity
Input File Schemas
A manifest written in YAML can be converted to JSON and checked against the published manifest schema before it is handed to hopctl:
$ cat airgapped.yml | yq eval -P -o json > airgap-manifest.json
$ curl "https://gitlab.com/api/v4/projects/34748703/packages/generic/schemas/v1/hoppr-manifest-schema-v1.json" \
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3205 100 3205 0 0 436 0 0:00:07 0:00:07 --:--:-- 740
$ jsonschema --instance airgap-manifest.json manifest-schema.json
$ echo $?
Example Hoppr Project
This is a simplified example to illustrate the input files and the relationship between them.
In this example, the root manifest references manifests for two other products.
Example SBOMs & Manifests
- Product A contains a CycloneDX SBOM on the "as-built" components that need to be transferred and their build dependencies.
- Product B contains two CycloneDX SBOMs for two different components that need to be transferred and their build dependencies.
- Both Products have Manifest files to specify which SBOMs are needed for the product to work. Each manifest also specifies a list of repositories to be searched for components specified in their SBOMs.
- Lastly, the third party has a Manifest that has either local or URL includes of Product A and Product B's Manifests, but does not include any SBOMs itself.
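To make the include relationship concrete, the following added example (not Hoppr's own code) resolves a root manifest through its includes into the flat set of SBOMs and repositories that would be processed, and refuses an include cycle. The field names (includes, sboms, repositories, local/url) and the three manifests are assumptions constructed for illustration, modelled on the description above.

```python
from typing import Dict, List, Tuple

# Constructed manifests, keyed by the location an include entry points at.
# Field names are assumed for this example, not taken from the Hoppr schema.
MANIFESTS: Dict[str, dict] = {
    "root.yml": {  # third-party root manifest: includes only, no SBOMs
        "includes": [{"local": "product-a/manifest.yml"},
                     {"url": "https://example.invalid/product-b/manifest.yml"}],
    },
    "product-a/manifest.yml": {
        "sboms": [{"local": "product-a/sbom.json"}],
        "repositories": {"pypi": ["https://pypi.example.invalid/simple"]},
    },
    "https://example.invalid/product-b/manifest.yml": {
        "sboms": [{"local": "product-b/component-1.json"},
                  {"local": "product-b/component-2.json"}],
        "repositories": {"pypi": ["https://pypi.example.invalid/simple"],
                         "maven": ["https://maven.example.invalid/releases"]},
    },
}


def _ref(entry: dict) -> str:
    """An include or sbom entry carries either a local path or a url."""
    return entry["local"] if "local" in entry else entry["url"]


def resolve(location: str, manifests: Dict[str, dict],
            _stack: Tuple[str, ...] = ()) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (sbom refs, repositories by type) for a manifest and all it includes.

    Includes are followed depth-first; a manifest that (transitively) includes
    itself raises ValueError instead of recursing without bound.
    """
    if location in _stack:
        raise ValueError("include cycle: " + " -> ".join(_stack + (location,)))
    manifest = manifests[location]
    sboms = [_ref(s) for s in manifest.get("sboms", [])]
    repos = {kind: list(urls) for kind, urls in manifest.get("repositories", {}).items()}
    for inc in manifest.get("includes", []):
        child_sboms, child_repos = resolve(_ref(inc), manifests, _stack + (location,))
        sboms.extend(s for s in child_sboms if s not in sboms)
        for kind, urls in child_repos.items():
            merged = repos.setdefault(kind, [])
            merged.extend(u for u in urls if u not in merged)
    return sboms, repos
```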
We recommend using a tool like renovate to keep your source projects up-to-date, and include the generation of
SBOM files in your continuous delivery pipeline(s). In this way, any transfers that are made with Hoppr can be kept current as well.
For more information on configuration options, see the transfer file documentation.
For more information on configuration options, see the credentials file documentation.