From 34ecceee5475161b39950514dd1e29917bc8c416 Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Sat, 31 Aug 2024 11:44:39 +0200 Subject: [PATCH] feat(docker): Replace Syft for Docker own Scout SBOM generator Docker now provides the way to generate embedded SBOM file through Docker Scout, and the engine underlying the process is same Syft previously used. Signed-off-by: Helio Chissini de Castro --- .github/workflows/docker-build.yml | 3 +++ Dockerfile | 30 ------------------------- NOTICE | 1 + scripts/docker_snippets/android.snippet | 1 - scripts/docker_snippets/dart.snippet | 1 - scripts/docker_snippets/dotnet.snippet | 1 - scripts/docker_snippets/haskell.snippet | 2 -- scripts/docker_snippets/php.snippet | 2 -- scripts/docker_snippets/sbt.snippet | 1 - scripts/docker_snippets/swift.snippet | 1 - 10 files changed, 4 insertions(+), 39 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 16ea5a034f398..e0bc2c683f4a3 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -63,6 +63,7 @@ jobs: cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache,mode=max build-args: ORT_VERSION=${{ env.ORT_VERSION }} + sbom: true - name: Build 'ort' Docker Image if: ${{ github.event_name == 'pull_request' }} uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6 @@ -72,6 +73,7 @@ jobs: labels: ${{ steps.meta-ort.outputs.labels }} cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache build-args: ORT_VERSION=${{ env.ORT_VERSION }} + sbom: true - name: Extract Metadata for 'ort-minimal' Docker Image id: meta-ort-minimal uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5 
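Review bot: The new `sbom: true` changes where the SBOM lives, and nothing in the workflow or the commit message records that: the removed Dockerfile lines show the Syft output used to be written into the image at `/usr/share/doc/ort/ort-*.spdx.json`, whereas `sbom: true` attaches an attestation manifest to the pushed image in the registry, so anything that read those files from a running container will no longer find them. The same applies to the `sbom: true` lines added in the hunks at `@@ -72,6` and `@@ -96,5`. I would add a comment above the new line, e.g. `# SBOM is attached to the pushed image as a BuildKit attestation (docker buildx imagetools inspect <ref> --format '{{ json .SBOM }}'); it is no longer shipped under /usr/share/doc/ort.` Presumably the default BuildKit scanner indexes only the final stage's filesystem, so the previous one-document-per-toolchain split is also gone; if consumers relied on that granularity it deserves a note too.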
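Review bot: This step runs only when `github.event_name == 'pull_request'` and the hunk shows no `push:` or `load:`/`outputs:` setting, so it is unclear where the attestation requested by `sbom: true` can be stored; attestations need an image, registry or OCI exporter, and with the plain docker exporter BuildKit may drop them or fail the build depending on the buildx version. If the PR build is not pushed, either leave `sbom: true` off here or give the output an explicit exporter, e.g. `outputs: type=image,push=false` or `outputs: type=oci,dest=/tmp/ort.tar`, so the PR build exercises the same attestation path as the push build instead of diverging from it silently. The rest of this step's inputs are outside the hunk, so if an `outputs:` line already exists there this is moot.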
@@ -96,5 +98,6 @@ jobs: target: minimal cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache build-args: ORT_VERSION=${{ env.ORT_VERSION }} + sbom: true - name: Print Disk Space run: df -h diff --git a/Dockerfile b/Dockerfile index 78896dddf1b48..d56d9155fdc0b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -107,12 +107,6 @@ COPY "$CRT_FILES" /tmp/certificates/ RUN /etc/scripts/export_proxy_certificates.sh /tmp/certificates/ \ && /etc/scripts/import_certificates.sh /tmp/certificates/ -# Add Syft to use as primary SPDX Docker scanner -# Create docs dir to store future SPDX files -RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin \ - && mkdir -p /usr/share/doc/ort \ - && chown $USER:$USER /usr/share/doc/ort - USER $USER WORKDIR $HOME @@ -468,20 +462,16 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ subversion \ && sudo rm -rf /var/lib/apt/lists/* -RUN syft / --exclude '*/usr/share/doc' --exclude '*/etc' -o spdx-json --output json=/usr/share/doc/ort/ort-base.spdx.json - # Python ENV PYENV_ROOT=/opt/python ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin COPY --from=python --chown=$USER:$USER $PYENV_ROOT $PYENV_ROOT -RUN syft $PYENV_ROOT -o spdx-json --output json=/usr/share/doc/ort/ort-python.spdx.json # NodeJS ARG NODEJS_VERSION ENV NVM_DIR=/opt/nvm ENV PATH=$PATH:$NVM_DIR/versions/node/v$NODEJS_VERSION/bin COPY --from=nodejs --chown=$USER:$USER $NVM_DIR $NVM_DIR -RUN syft $NVM_DIR -o spdx-json --output json=/usr/share/doc/ort/ort-nodejs.spdx.json # Rust ENV RUST_HOME=/opt/rust 
@@ -490,19 +480,16 @@ ENV RUSTUP_HOME=$RUST_HOME/rustup ENV PATH=$PATH:$CARGO_HOME/bin:$RUSTUP_HOME/bin COPY --from=rust --chown=$USER:$USER $RUST_HOME $RUST_HOME RUN chmod o+rwx $CARGO_HOME -RUN syft $RUST_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-rust.spdx.json # Golang ENV PATH=$PATH:/opt/go/bin COPY --from=golang --chown=$USER:$USER /opt/go /opt/go -RUN syft /opt/go -o spdx-json --output json=/usr/share/doc/ort/ort-golang.spdx.json # Ruby ENV RBENV_ROOT=/opt/rbenv/ ENV GEM_HOME=/var/tmp/gem ENV PATH=$PATH:$RBENV_ROOT/bin:$RBENV_ROOT/shims:$RBENV_ROOT/plugins/ruby-install/bin COPY --from=ruby --chown=$USER:$USER $RBENV_ROOT $RBENV_ROOT -RUN syft $RBENV_ROOT -o spdx-json --output json=/usr/share/doc/ort/ort-ruby.spdx.json #------------------------------------------------------------------------ # Container with all supported package managers. @@ -516,30 +503,21 @@ ENV PATH=$PATH:$ANDROID_HOME/platform-tools COPY --from=android --chown=$USER:$USER $ANDROID_HOME $ANDROID_HOME RUN sudo chmod -R o+rw $ANDROID_HOME -RUN syft $ANDROID_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-android.spdx.json - # Swift ENV SWIFT_HOME=/opt/swift ENV PATH=$PATH:$SWIFT_HOME/bin COPY --from=swift --chown=$USER:$USER $SWIFT_HOME $SWIFT_HOME -RUN syft $SWIFT_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-swift.spdx.json - - # Scala ENV SBT_HOME=/opt/sbt ENV PATH=$PATH:$SBT_HOME/bin COPY --from=scala --chown=$USER:$USER $SBT_HOME $SBT_HOME -RUN syft $SBT_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-sbt.spdx.json - # Dart ENV DART_SDK=/opt/dart-sdk ENV PATH=$PATH:$DART_SDK/bin COPY --from=dart --chown=$USER:$USER $DART_SDK $DART_SDK -RUN syft $DART_SDK -o spdx-json --output json=/usr/share/doc/ort/ort-golang.dart.json - # Dotnet ENV DOTNET_HOME=/opt/dotnet ENV NUGET_INSPECTOR_HOME=$DOTNET_HOME 
@@ -547,8 +525,6 @@ ENV PATH=$PATH:$DOTNET_HOME:$DOTNET_HOME/tools:$DOTNET_HOME/bin COPY --from=dotnet --chown=$USER:$USER $DOTNET_HOME $DOTNET_HOME -RUN syft $DOTNET_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-dotnet.spdx.json - # PHP ARG PHP_VERSION ARG COMPOSER_VERSION @@ -567,16 +543,12 @@ RUN mkdir -p /opt/php/bin \ ENV PATH=$PATH:/opt/php/bin -RUN syft /opt/php -o spdx-json --output json=/usr/share/doc/ort/ort-php.spdx.json - # Haskell ENV HASKELL_HOME=/opt/haskell ENV PATH=$PATH:$HASKELL_HOME/bin COPY --from=haskell /opt/haskell /opt/haskell -RUN syft /opt/haskell -o spdx-json --output json=/usr/share/doc/ort/ort-haskell.spdx.json - # Bazel ENV BAZEL_HOME=/opt/bazel ENV PATH=$PATH:$BAZEL_HOME/bin @@ -584,8 +556,6 @@ ENV PATH=$PATH:$BAZEL_HOME/bin COPY --from=bazel $BAZEL_HOME $BAZEL_HOME COPY --from=bazel --chown=$USER:$USER /opt/go/bin/buildozer /opt/go/bin/buildozer -RUN syft $BAZEL_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-bazel.spdx.json - #------------------------------------------------------------------------ # Runtime container with minimal selection of supported package managers pre-installed. FROM minimal-tools as minimal diff --git a/NOTICE b/NOTICE index 49cf104af1aad..f8f5351234fa9 100644 --- a/NOTICE +++ b/NOTICE @@ -16,3 +16,4 @@ Copyright (C) 2022 Google, LLC Copyright (C) 2022-2024 EPAM Systems, Inc. Copyright (C) 2023-2024 Double Open Oy Copyright (C) 2024 Robert Bosch GmbH +Copyright (C) 2024 Cariad SE diff --git a/scripts/docker_snippets/android.snippet b/scripts/docker_snippets/android.snippet index bbf9908b0fe8f..050222a73c634 100644 --- a/scripts/docker_snippets/android.snippet +++ b/scripts/docker_snippets/android.snippet @@ -23,4 +23,3 @@ ENV PATH=$PATH:$ANDROID_HOME/platform-tools COPY --from=ghcr.io/oss-review-toolkit/android --chown=$USER:$USER $ANDROID_HOME $ANDROID_HOME RUN sudo chmod -R o+rw $ANDROID_HOME -RUN syft $ANDROID_HOME -o spdx-json --file /usr/share/doc/ort/ort-android.spdx.json 
diff --git a/scripts/docker_snippets/dart.snippet b/scripts/docker_snippets/dart.snippet index cb6869c6cef38..5bd7ea5722580 100644 --- a/scripts/docker_snippets/dart.snippet +++ b/scripts/docker_snippets/dart.snippet @@ -19,4 +19,3 @@ ENV DART_SDK=/opt/dart-sdk ENV PATH=$PATH:$DART_SDK/bin COPY --from=ghcr.io/oss-review-toolkit/dart --chown=$USER:$USER $DART_SDK $DART_SDK -RUN syft $DART_SDK -o spdx-json --file /usr/share/doc/ort/ort-golang.dart.json diff --git a/scripts/docker_snippets/dotnet.snippet b/scripts/docker_snippets/dotnet.snippet index a5285e9fa6234..16c5b0e3305cf 100644 --- a/scripts/docker_snippets/dotnet.snippet +++ b/scripts/docker_snippets/dotnet.snippet @@ -21,4 +21,3 @@ ENV PATH=$PATH:$DOTNET_HOME:$DOTNET_HOME/tools:$DOTNET_HOME/bin COPY --from=ghcr.io/oss-review-toolkit/dotnet --chown=$USER:$USER $DOTNET_HOME $DOTNET_HOME -RUN syft $DOTNET_HOME -o spdx-json --file /usr/share/doc/ort/ort-dotnet.spdx.json diff --git a/scripts/docker_snippets/haskell.snippet b/scripts/docker_snippets/haskell.snippet index 4594de4e4e1de..be403139b4eb0 100644 --- a/scripts/docker_snippets/haskell.snippet +++ b/scripts/docker_snippets/haskell.snippet @@ -20,5 +20,3 @@ ENV HASKELL_HOME=/opt/haskell ENV PATH=$PATH:$HASKELL_HOME/bin COPY --from=ghcr.io/oss-review-toolkit/haskell /opt/haskell /opt/haskell - -RUN syft /opt/haskell -o spdx-json --file /usr/share/doc/ort/ort-haskell.spdx.json \ No newline at end of file diff --git a/scripts/docker_snippets/php.snippet b/scripts/docker_snippets/php.snippet index cba7338b7ea9a..1cf6bcbae5179 100644 --- a/scripts/docker_snippets/php.snippet +++ b/scripts/docker_snippets/php.snippet @@ -30,5 +30,3 @@ RUN mkdir -p /opt/php/bin \ && curl -ksS https://getcomposer.org/installer | php -- --install-dir=/opt/php/bin --filename=composer --$COMPOSER_VERSION ENV PATH=$PATH:/opt/php/bin - -RUN syft /opt/php -o spdx-json --file /usr/share/doc/ort/ort-php.spdx.json \ No newline at end of file 
diff --git a/scripts/docker_snippets/sbt.snippet b/scripts/docker_snippets/sbt.snippet index d73e03296cdde..4d307d303c2ae 100644 --- a/scripts/docker_snippets/sbt.snippet +++ b/scripts/docker_snippets/sbt.snippet @@ -19,4 +19,3 @@ ENV SBT_HOME=/opt/sbt ENV PATH=$PATH:$SBT_HOME/bin COPY --from=ghcr.io/oss-review-toolkit/sbt --chown=$USER:$USER $SBT_HOME $SBT_HOME -RUN syft $SBT_HOME -o spdx-json --file /usr/share/doc/ort/ort-sbt.spdx.json diff --git a/scripts/docker_snippets/swift.snippet b/scripts/docker_snippets/swift.snippet index e4956513c53d2..a42f82267cd5a 100644 --- a/scripts/docker_snippets/swift.snippet +++ b/scripts/docker_snippets/swift.snippet @@ -19,4 +19,3 @@ ENV SWIFT_HOME=/opt/swift ENV PATH=$PATH:$SWIFT_HOME/bin COPY --from=ghcr.io/oss-review-toolkit/swift --chown=$USER:$USER $SWIFT_HOME $SWIFT_HOME -RUN syft $SWIFT_HOME -o spdx-json --file /usr/share/doc/ort/ort-swift.spdx.json