Hoppr Processing 101
Hoppr has a simple architecture: prepare a few core input files for the Hippo, run hopctl, and receive outputs. Details below:
Hoppr Processing
See more architectural processing details on our execution sequence diagrams.
Four Input Files
- CycloneDX SBOMs (JSON)
  - A list of software components (e.g. software packages, digital assets)
- Manifest (YAML)
  - A composite of all CycloneDX SBOMs to be processed; may include other Manifests
  - Identifies repositories from which software components are to be retrieved
- Transfer (YAML)
  - A list of stages for Hoppr to execute; each stage is a list of Hoppr processing plugins.
- Credentials (YAML)
  - (Optional) specifies authentication credentials for Hoppr network activity
Input File Schemas
Schemas
All input file schemas are JSON Schema documents; a YAML input file can be converted to JSON and then validated against its schema. Example schema validation using yq and jsonschema (the exit code 0 at the end means the manifest conforms to the schema):
$ cat airgapped.yml | yq eval -P -o json > airgap-manifest.json
$ curl "https://gitlab.com/api/v4/projects/34748703/packages/generic/schemas/v1/hoppr-manifest-schema-v1.json" \
-o manifest-schema.json
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3205  100  3205    0     0    436      0  0:00:07  0:00:07 --:--:--   740
$ jsonschema --instance airgap-manifest.json manifest-schema.json
$ echo $?
0
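The same check done in code, for a pipeline that wants every violation listed rather than just an exit code before hopctl is run. This is an added example, not part of the Hoppr project: it takes the JSON produced by the yq step, uses the jsonschema Python library (the one behind the jsonschema CLI above), and the schema below is a constructed stand-in for the real manifest schema downloaded above, so its field names are assumptions.

```python
"""Validate Hoppr input files (YAML already converted to JSON) against a JSON Schema
and report every violation found, not only the first."""
import json
from typing import List

from jsonschema import Draft7Validator

# Constructed illustrative schema (an assumption, not the real Hoppr manifest schema).
# It mirrors the page's description: a manifest names repositories to fetch from,
# and here a repository URL must use https so components are not pulled in the clear.
EXAMPLE_SCHEMA = {
    "type": "object",
    "required": ["kind", "repositories"],
    "properties": {
        "kind": {"const": "Manifest"},
        "repositories": {
            "type": "object",
            "additionalProperties": {
                "type": "array",
                "items": {
                    "type": "object",
                    "required": ["url"],
                    "properties": {"url": {"type": "string", "pattern": "^https://"}},
                },
            },
        },
    },
    "additionalProperties": False,
}


def validate_document(doc: dict, schema: dict = EXAMPLE_SCHEMA) -> List[str]:
    """Return one 'path: message' line per violation; an empty list means valid."""
    validator = Draft7Validator(schema)
    errors = validator.iter_errors(doc)
    lines = []
    for err in errors:
        path = "/".join(str(p) for p in err.absolute_path) or "<root>"
        lines.append(f"{path}: {err.message}")
    return sorted(lines)


def validate_file(path: str, schema: dict = EXAMPLE_SCHEMA) -> List[str]:
    """Validate a JSON file on disk (e.g. the airgap-manifest.json written by yq)."""
    with open(path, encoding="utf-8") as fh:
        return validate_document(json.load(fh), schema)


# Constructed samples: a conforming manifest, and one with an unknown key and a plain-http repo.
GOOD_MANIFEST = {"kind": "Manifest", "repositories": {"pypi": [{"url": "https://pypi.org/simple"}]}}
BAD_MANIFEST = {"kind": "Manifest", "repositories": {"pypi": [{"url": "http://pypi.org/simple"}]}, "extra": 1}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        problems = validate_document(doc)
        print(name, "OK" if not problems else "\n  " + "\n  ".join(problems))
```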
Outputs
- Bundles - TAR and Nexus
- Reports
- Anything you can build!
Example Hoppr Project
This is a simplified example to illustrate the input files and the relationship between them. In this example, the root manifest references manifests for two other products.
Example SBOMs & Manifests
- Product A contains a CycloneDX SBOM on the "as-built" components that need to be transferred and their build dependencies.
- Product B contains two CycloneDX SBOMs for two different components that need to be transferred and their build dependencies.
- Both Products have Manifest files to specify what SBOMs are needed for the product to work. Each manifest also specifies a list of repositories to be searched for components specified in their SBOMs.
- Lastly, the third party has a Manifest that has either local or URL includes of Product A and Product B's Manifests, but does not include any SBOMs directly.
We recommend using a tool like renovate to keep your source projects up-to-date, and including the generation of Manifest and SBOM files in your continuous delivery pipeline(s). In this way, any transfers made with Hoppr can be kept current as well.
Example Transfer
For more information on configuration options, see the transfer file documentation.
Example Credentials
For more information on configuration options, see the credentials file documentation.