From d9d264be9f07d92b465978ac2790a91b70ea9d37 Mon Sep 17 00:00:00 2001
From: arewm
Date: Thu, 26 Sep 2024 15:03:52 -0400
Subject: [PATCH] fix(KFLUXBUGS-1666): Only analyze build context for dependencies

When generating the SBOM, we do not constrain the source analysis to the build context. This can result in many additional dependencies being included than should be.

Signed-off-by: arewm
---
 task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 5 +++--
 task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 6 ++++--
 task/buildah-remote/0.2/buildah-remote.yaml | 6 ++++--
 task/buildah/0.2/buildah.yaml | 5 +++--
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 133df7524f..bc41fc7c09 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -195,6 +195,8 @@ spec:
 value: $(params.IMAGE_EXPIRES_AFTER)
 - name: SKIP_UNUSED_STAGES
 value: $(params.SKIP_UNUSED_STAGES)
+ - name: SOURCE_CODE_DIR
+ value: source
 - name: SQUASH
 value: $(params.SQUASH)
 - name: STORAGE_DRIVER
@@ -251,7 +253,6 @@ spec:
 update-ca-trust
 fi
 
- SOURCE_CODE_DIR=source
 if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
 dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
 elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -459,7 +460,7 @@ spec:
 name: shared
 script: |
 echo "Running syft on the source directory"
- syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json
+ syft dir:/var/workdir/$SOURCE_CODE_DIR/$CONTEXT --output cyclonedx-json=/var/workdir/sbom-source.json
 echo "Running syft on the image filesystem"
 syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json
 computeResources:
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index 24743cc0b1..11e658221b 100644
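Review bot: The new scan path `dir:/var/workdir/$SOURCE_CODE_DIR/$CONTEXT` is unquoted and has no guard against an empty variable, whereas the Dockerfile lookup earlier in this same file quotes `"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"`. This line only narrows the scan if the new `SOURCE_CODE_DIR` env entry and `CONTEXT` actually reach the step that runs syft (the hunk does not show whether the env list is a stepTemplate); if both come through empty, the path degrades to `/var/workdir//` and the scan silently widens back to the whole workdir, which is the opposite of the commit's intent and feeds the SBOM attestation. I would write `syft "dir:/var/workdir/${SOURCE_CODE_DIR:?}/$CONTEXT" --output cyclonedx-json=/var/workdir/sbom-source.json` so an unset value fails the step instead of changing the scan scope, and so a context path with spaces does not word-split. The step script this line belongs to starts before the hunk.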
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -176,6 +176,8 @@ spec:
 value: $(params.IMAGE_EXPIRES_AFTER)
 - name: SKIP_UNUSED_STAGES
 value: $(params.SKIP_UNUSED_STAGES)
+ - name: SOURCE_CODE_DIR
+ value: source
 - name: SQUASH
 value: $(params.SQUASH)
 - name: STORAGE_DRIVER
@@ -286,7 +288,6 @@ spec:
 update-ca-trust
 fi
 
- SOURCE_CODE_DIR=source
 if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
 dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
 elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -494,6 +495,7 @@ spec:
 -e IMAGE="$IMAGE" \
 -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
 -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \
+ -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
 -e SQUASH="$SQUASH" \
 -e STORAGE_DRIVER="$STORAGE_DRIVER" \
 -e TARGET_STAGE="$TARGET_STAGE" \
@@ -562,7 +564,7 @@ spec:
 export IMAGE
 fi
 echo "Running syft on the source directory"
- syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json
+ syft dir:/var/workdir/$SOURCE_CODE_DIR/$CONTEXT --output cyclonedx-json=/var/workdir/sbom-source.json
 echo "Running syft on the image filesystem"
 syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json
 volumeMounts:
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index 2d5a682359..501b4eba6a 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -149,6 +149,8 @@ spec:
 value: $(params.STORAGE_DRIVER)
 - name: HERMETIC
 value: $(params.HERMETIC)
+ - name: SOURCE_CODE_DIR
+ value: source
 - name: CONTEXT
 value: $(params.CONTEXT)
 - name: DOCKERFILE
@@ -268,7 +270,6 @@ spec:
 update-ca-trust
 fi
 
- SOURCE_CODE_DIR=source
 if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
 dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
 elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
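Review bot: `$CONTEXT` is a task parameter (`$(params.CONTEXT)` in the env lists of this patch) and is joined onto the scan root in `dir:/var/workdir/$SOURCE_CODE_DIR/$CONTEXT` without normalisation, so a value containing `..` makes the source SBOM describe files outside the extracted source; that SBOM is an attestation input, so its scope should be pinned by the task rather than taken on trust from a parameter (whether a parameter is a real trust boundary here depends on who can set it, which the patch does not show). The Dockerfile lookup earlier in this file already accepts the same `$CONTEXT`, so the cheapest fix is to resolve the path once and refuse anything that leaves the source root; this assumes `realpath` exists in the syft image, which the hunk does not establish. The step script starts before this hunk.
```shell
src_root="$(realpath "/var/workdir/$SOURCE_CODE_DIR")"
scan_dir="$(realpath "$src_root/$CONTEXT")"
case "$scan_dir" in
  "$src_root" | "$src_root"/*) ;;
  *) echo "CONTEXT '$CONTEXT' resolves outside the source tree: $scan_dir" >&2; exit 1 ;;
esac
echo "Running syft on the source directory"
syft "dir:$scan_dir" --output cyclonedx-json=/var/workdir/sbom-source.json
# … unchanged: image filesystem scan …
```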
@@ -467,6 +468,7 @@ spec:
 -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
 -e STORAGE_DRIVER="$STORAGE_DRIVER" \
 -e HERMETIC="$HERMETIC" \
+ -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
 -e CONTEXT="$CONTEXT" \
 -e DOCKERFILE="$DOCKERFILE" \
 -e IMAGE="$IMAGE" \
@@ -544,7 +546,7 @@ spec:
 export IMAGE
 fi
 echo "Running syft on the source directory"
- syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
+ syft dir:$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
 echo "Running syft on the image filesystem"
 syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json
 volumeMounts:
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 96561dfd76..c23b47f78a 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -130,6 +130,8 @@ spec:
 value: $(params.STORAGE_DRIVER)
 - name: HERMETIC
 value: $(params.HERMETIC)
+ - name: SOURCE_CODE_DIR
+ value: source
 - name: CONTEXT
 value: $(params.CONTEXT)
 - name: DOCKERFILE
@@ -188,7 +190,6 @@ spec:
 update-ca-trust
 fi
 
- SOURCE_CODE_DIR=source
 if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
 dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
 elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -408,7 +409,7 @@ spec:
 cpu: 500m
 script: |
 echo "Running syft on the source directory"
- syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
+ syft dir:$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
 echo "Running syft on the image filesystem"
 syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json
 volumeMounts:
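Review bot: The narrowed scan at `syft dir:$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT` in the buildah task changes what the source SBOM covers, but the only explanation lives in the commit message; a comment above the line would stop the next maintainer from widening it again, e.g. `# Scan only the build context: the Dockerfile's COPY/ADD sources are resolved within it, so files outside it are not inputs to this image.` As in the sibling tasks of this patch, the expansion is unquoted and unguarded, so `syft "dir:$(workspaces.source.path)/${SOURCE_CODE_DIR:?}/$CONTEXT"` would fail loudly on an unset variable instead of quietly scanning a different directory. The step script this line belongs to starts before the hunk.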