
fix(KFLUXBUGS-1666): Only analyze build context for dependencies
When generating the SBOM, we do not constrain the source analysis to the
build context. This can result in many more dependencies being
included than should be.

Signed-off-by: arewm <[email protected]>
arewm committed Sep 26, 2024
1 parent 109199e commit d9d264b
Showing 4 changed files with 14 additions and 8 deletions.
5 changes: 3 additions & 2 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
Expand Up @@ -195,6 +195,8 @@ spec:
value: $(params.IMAGE_EXPIRES_AFTER)
- name: SKIP_UNUSED_STAGES
value: $(params.SKIP_UNUSED_STAGES)
- name: SOURCE_CODE_DIR
value: source
- name: SQUASH
value: $(params.SQUASH)
- name: STORAGE_DRIVER
Expand Down Expand Up @@ -251,7 +253,6 @@ spec:
update-ca-trust
fi
SOURCE_CODE_DIR=source
if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
Expand Down Expand Up @@ -459,7 +460,7 @@ spec:
name: shared
script: |
echo "Running syft on the source directory"
syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json
syft dir:/var/workdir/$SOURCE_CODE_DIR/$CONTEXT --output cyclonedx-json=/var/workdir/sbom-source.json
echo "Running syft on the image filesystem"
syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json
computeResources:
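Review bot: The new syft invocation at line 42 expands `$SOURCE_CODE_DIR/$CONTEXT` unquoted, while the same two variables are quoted a few lines earlier in the Dockerfile lookup (`"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"`). CONTEXT is a task parameter, so a value containing whitespace or glob characters would be word-split before it reaches syft and the source scan would run against the wrong directory or fail instead of covering the build context; quoting keeps both usages consistent: `syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json=/var/workdir/sbom-source.json`. The same unquoted expansion appears in the syft lines of buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml (there as `$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT`), so the same one-line quoting applies in each. The step that contains the syft line starts outside the hunk, so whether SOURCE_CODE_DIR and CONTEXT reach it through a step template rather than the env block edited in the first hunk is not visible here.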
6 changes: 4 additions & 2 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
Expand Up @@ -176,6 +176,8 @@ spec:
value: $(params.IMAGE_EXPIRES_AFTER)
- name: SKIP_UNUSED_STAGES
value: $(params.SKIP_UNUSED_STAGES)
- name: SOURCE_CODE_DIR
value: source
- name: SQUASH
value: $(params.SQUASH)
- name: STORAGE_DRIVER
Expand Down Expand Up @@ -286,7 +288,6 @@ spec:
update-ca-trust
fi
SOURCE_CODE_DIR=source
if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
Expand Down Expand Up @@ -494,6 +495,7 @@ spec:
-e IMAGE="$IMAGE" \
-e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
-e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \
-e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
-e SQUASH="$SQUASH" \
-e STORAGE_DRIVER="$STORAGE_DRIVER" \
-e TARGET_STAGE="$TARGET_STAGE" \
Expand Down Expand Up @@ -562,7 +564,7 @@ spec:
export IMAGE
fi
echo "Running syft on the source directory"
syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json
syft dir:/var/workdir/$SOURCE_CODE_DIR/$CONTEXT --output cyclonedx-json=/var/workdir/sbom-source.json
echo "Running syft on the image filesystem"
syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json
volumeMounts:
6 changes: 4 additions & 2 deletions task/buildah-remote/0.2/buildah-remote.yaml
Expand Up @@ -149,6 +149,8 @@ spec:
value: $(params.STORAGE_DRIVER)
- name: HERMETIC
value: $(params.HERMETIC)
- name: SOURCE_CODE_DIR
value: source
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
Expand Down Expand Up @@ -268,7 +270,6 @@ spec:
update-ca-trust
fi
SOURCE_CODE_DIR=source
if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
Expand Down Expand Up @@ -467,6 +468,7 @@ spec:
-e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
-e STORAGE_DRIVER="$STORAGE_DRIVER" \
-e HERMETIC="$HERMETIC" \
-e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
-e CONTEXT="$CONTEXT" \
-e DOCKERFILE="$DOCKERFILE" \
-e IMAGE="$IMAGE" \
Expand Down Expand Up @@ -544,7 +546,7 @@ spec:
export IMAGE
fi
echo "Running syft on the source directory"
syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
syft dir:$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
echo "Running syft on the image filesystem"
syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json
volumeMounts:
5 changes: 3 additions & 2 deletions task/buildah/0.2/buildah.yaml
Expand Up @@ -130,6 +130,8 @@ spec:
value: $(params.STORAGE_DRIVER)
- name: HERMETIC
value: $(params.HERMETIC)
- name: SOURCE_CODE_DIR
value: source
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
Expand Down Expand Up @@ -188,7 +190,6 @@ spec:
update-ca-trust
fi
SOURCE_CODE_DIR=source
if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
Expand Down Expand Up @@ -408,7 +409,7 @@ spec:
cpu: 500m
script: |
echo "Running syft on the source directory"
syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
syft dir:$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
echo "Running syft on the image filesystem"
syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json
volumeMounts:
