From ec7be1f32a54ecd0dd000dc926b4d12853f898ed Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Tue, 24 Sep 2024 13:50:33 +0200
Subject: [PATCH] buildah: address uncovered checkton warnings

The '... -t $IMAGE' line changed, making checkton report the violations on this line:
- $IMAGE needs quotes (valid)
- $IMAGE is a potential misspelling of $image (not valid, IMAGE is defined externally but checkton doesn't know that)

Signed-off-by: Adam Cmiel
---
 task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 7 +++++--
 task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 7 +++++--
 task/buildah-remote/0.2/buildah-remote.yaml | 7 +++++--
 task/buildah/0.2/buildah.yaml | 7 +++++--
 4 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 9417866bc5..da12de8be5 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -417,15 +417,18 @@ spec:
 done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
 fi
 
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
 unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
 $VOLUME_MOUNTS \
 "${BUILDAH_ARGS[@]}" \
 "${LABELS[@]}" \
 --tls-verify=$TLSVERIFY --no-cache \
 --ulimit nofile=4096:4096 \
- -f "$dockerfile_copy" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
 
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
 buildah mount $container | tee /shared/container_path
 # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
 find $(cat /shared/container_path) -xtype l -delete
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index af241b79ee..e7e2ef6fa6 100644
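Review bot: The added `declare IMAGE` only quiets the linter; it does not check the assumption the commit message relies on, that IMAGE is supplied by the task environment, and with the new quoting an unset IMAGE now reaches `buildah build ... -t "" .` and `buildah from --pull-never ""` as an empty argument (unless the script runs under set -u, which the hunk does not show) rather than failing with a readable message before the build starts. Keep the declaration and follow it with `: "${IMAGE:?IMAGE must be provided by the task environment}"`, so the script stops before the unshare/buildah line when the value is missing. The comment should also say where the value comes from rather than only what warning it suppresses, e.g. `# IMAGE is provided by the task environment, not assigned here; the declaration keeps ShellCheck from reporting it as a misspelling of 'image'.` If this script body is ever moved into a function, note that `declare` inside a function creates an empty local that shadows the environment's IMAGE, which the guard above would also catch. The same hunk is repeated in task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml, task/buildah-remote/0.2/buildah-remote.yaml and task/buildah/0.2/buildah.yaml, and the same change applies there.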
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -452,15 +452,18 @@ spec:
 done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
 fi
 
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
 unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
 $VOLUME_MOUNTS \
 "${BUILDAH_ARGS[@]}" \
 "${LABELS[@]}" \
 --tls-verify=$TLSVERIFY --no-cache \
 --ulimit nofile=4096:4096 \
- -f "$dockerfile_copy" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
 
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
 buildah mount $container | tee /shared/container_path
 # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
 find $(cat /shared/container_path) -xtype l -delete
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index 10beea6746..939f645a3d 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -434,15 +434,18 @@ spec:
 done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
 fi
 
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
 unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
 $VOLUME_MOUNTS \
 "${BUILDAH_ARGS[@]}" \
 "${LABELS[@]}" \
 --tls-verify=$TLSVERIFY --no-cache \
 --ulimit nofile=4096:4096 \
- -f "$dockerfile_copy" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
 
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
 buildah mount $container | tee /shared/container_path
 # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
 find $(cat /shared/container_path) -xtype l -delete
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 602a1ad82f..e7238fac30 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -354,15 +354,18 @@ spec:
 done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
 fi
 
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
 unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
 $VOLUME_MOUNTS \
 "${BUILDAH_ARGS[@]}" \
 "${LABELS[@]}" \
 --tls-verify=$TLSVERIFY --no-cache \
 --ulimit nofile=4096:4096 \
- -f "$dockerfile_copy" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
 
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
 buildah mount $container | tee /shared/container_path
 # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
 find $(cat /shared/container_path) -xtype l -delete