From 1e0cdfe87ac6593294880909f029fa62537b439a Mon Sep 17 00:00:00 2001
From: Helio Chissini de Castro
Date: Sat, 31 Aug 2024 11:44:39 +0200
Subject: [PATCH] feat(docker): Replace Syft for Docker own Scout SBOM generator

Docker offers now a method to generate embedded SBOM files using Docker Scout. The underlying engine for this process is same Syft as before. You can see details on [1]. Embedded SBOMS in the images can be verified using `docker buildx imagetools inspect`, as mentioned in [2].

[1]: https://docs.docker.com/build/metadata/attestations/sbom/#sbom-generator
[2]: https://docs.docker.com/build/metadata/attestations/sbom/#inspecting-sboms

Signed-off-by: Helio Chissini de Castro
---
 .github/workflows/docker-build.yml | 3 +++
 Dockerfile | 30 -------------------------
 NOTICE | 1 +
 scripts/docker_snippets/android.snippet | 1 -
 scripts/docker_snippets/dart.snippet | 1 -
 scripts/docker_snippets/dotnet.snippet | 1 -
 scripts/docker_snippets/haskell.snippet | 2 --
 scripts/docker_snippets/php.snippet | 2 --
 scripts/docker_snippets/sbt.snippet | 1 -
 scripts/docker_snippets/swift.snippet | 1 -
 10 files changed, 4 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 16ea5a034f398..e0bc2c683f4a3 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -63,6 +63,7 @@ jobs:
 cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache
 cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache,mode=max
 build-args: ORT_VERSION=${{ env.ORT_VERSION }}
+ sbom: true
 - name: Build 'ort' Docker Image
 if: ${{ github.event_name == 'pull_request' }}
 uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6
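Review bot: The added `sbom: true` line enables the BuildKit SBOM attestation with whatever generator image is the default, and that generator is referenced by a floating tag, so the SBOM step is neither pinned nor, as far as the commit message's "Docker Scout" wording goes, clearly the Scout indexer; the same applies to the two `sbom: true` lines in the next two hunks of this file. If the action forwards the value to `--sbom` as its documentation suggests, the generator can be selected and pinned by digest in one line, e.g. `sbom: generator=docker/scout-sbom-indexer@sha256:<GENERATOR-DIGEST-PLACEHOLDER>`, which makes the SBOM producer part of the reviewed supply chain rather than a moving target. The attestation is only exported with a registry/image output, so on the pull_request build below (which does not appear to push) the flag is presumably a no-op; if a PR-time SBOM is wanted, that build needs an image output as well.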
@@ -72,6 +73,7 @@ jobs:
 labels: ${{ steps.meta-ort.outputs.labels }}
 cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache
 build-args: ORT_VERSION=${{ env.ORT_VERSION }}
+ sbom: true
 - name: Extract Metadata for 'ort-minimal' Docker Image
 id: meta-ort-minimal
 uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
@@ -96,5 +98,6 @@ jobs:
 target: minimal
 cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache
 build-args: ORT_VERSION=${{ env.ORT_VERSION }}
+ sbom: true
 - name: Print Disk Space
 run: df -h
diff --git a/Dockerfile b/Dockerfile
index 78896dddf1b48..d56d9155fdc0b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -107,12 +107,6 @@ COPY "$CRT_FILES" /tmp/certificates/
 RUN /etc/scripts/export_proxy_certificates.sh /tmp/certificates/ \
 && /etc/scripts/import_certificates.sh /tmp/certificates/
-# Add Syft to use as primary SPDX Docker scanner
-# Create docs dir to store future SPDX files
-RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin \
- && mkdir -p /usr/share/doc/ort \
- && chown $USER:$USER /usr/share/doc/ort
-
 USER $USER
 WORKDIR $HOME
@@ -468,20 +462,16 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 subversion \
 && sudo rm -rf /var/lib/apt/lists/*
-RUN syft / --exclude '*/usr/share/doc' --exclude '*/etc' -o spdx-json --output json=/usr/share/doc/ort/ort-base.spdx.json
-
 # Python
 ENV PYENV_ROOT=/opt/python
 ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin
 COPY --from=python --chown=$USER:$USER $PYENV_ROOT $PYENV_ROOT
-RUN syft $PYENV_ROOT -o spdx-json --output json=/usr/share/doc/ort/ort-python.spdx.json
 # NodeJS
 ARG NODEJS_VERSION
 ENV NVM_DIR=/opt/nvm
 ENV PATH=$PATH:$NVM_DIR/versions/node/v$NODEJS_VERSION/bin
 COPY --from=nodejs --chown=$USER:$USER $NVM_DIR $NVM_DIR
-RUN syft $NVM_DIR -o spdx-json --output json=/usr/share/doc/ort/ort-nodejs.spdx.json
 # Rust
 ENV RUST_HOME=/opt/rust
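Review bot: With the removal of the `# Add Syft to use as primary SPDX Docker scanner` comment in the `@@ -107,12 +107,6 @@` hunk and the whole-image `syft /` scan in this one, nothing left in the Dockerfile says where the image's SBOM now comes from; the knowledge lives only in the CI workflow, and a plain `docker build` of this file (or of the `scripts/docker_snippets` templates touched later in this patch) produces no SBOM at all unless the caller passes `--sbom=true`. A short comment at the spot of the removed `syft /` line would keep that discoverable, e.g. `# SBOMs are not generated inside the image any more: CI attaches them as BuildKit attestations (--sbom=true in .github/workflows/docker-build.yml); read them back with 'docker buildx imagetools inspect --format "{{ json .SBOM }}" <image>'.` The deleted per-toolchain files under `/usr/share/doc/ort/` were a stable in-image location; if anything outside this patch reads them, that consumer presumably breaks and should be checked. Note that the `RUN --mount=type=cache` instruction this hunk belongs to starts outside the hunk.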
@@ -490,19 +480,16 @@ ENV RUSTUP_HOME=$RUST_HOME/rustup
 ENV PATH=$PATH:$CARGO_HOME/bin:$RUSTUP_HOME/bin
 COPY --from=rust --chown=$USER:$USER $RUST_HOME $RUST_HOME
 RUN chmod o+rwx $CARGO_HOME
-RUN syft $RUST_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-rust.spdx.json
 # Golang
 ENV PATH=$PATH:/opt/go/bin
 COPY --from=golang --chown=$USER:$USER /opt/go /opt/go
-RUN syft /opt/go -o spdx-json --output json=/usr/share/doc/ort/ort-golang.spdx.json
 # Ruby
 ENV RBENV_ROOT=/opt/rbenv/
 ENV GEM_HOME=/var/tmp/gem
 ENV PATH=$PATH:$RBENV_ROOT/bin:$RBENV_ROOT/shims:$RBENV_ROOT/plugins/ruby-install/bin
 COPY --from=ruby --chown=$USER:$USER $RBENV_ROOT $RBENV_ROOT
-RUN syft $RBENV_ROOT -o spdx-json --output json=/usr/share/doc/ort/ort-ruby.spdx.json
 #------------------------------------------------------------------------
 # Container with all supported package managers.
@@ -516,30 +503,21 @@ ENV PATH=$PATH:$ANDROID_HOME/platform-tools
 COPY --from=android --chown=$USER:$USER $ANDROID_HOME $ANDROID_HOME
 RUN sudo chmod -R o+rw $ANDROID_HOME
-RUN syft $ANDROID_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-android.spdx.json
-
 # Swift
 ENV SWIFT_HOME=/opt/swift
 ENV PATH=$PATH:$SWIFT_HOME/bin
 COPY --from=swift --chown=$USER:$USER $SWIFT_HOME $SWIFT_HOME
-RUN syft $SWIFT_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-swift.spdx.json
-
-
 # Scala
 ENV SBT_HOME=/opt/sbt
 ENV PATH=$PATH:$SBT_HOME/bin
 COPY --from=scala --chown=$USER:$USER $SBT_HOME $SBT_HOME
-RUN syft $SBT_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-sbt.spdx.json
-
 # Dart
 ENV DART_SDK=/opt/dart-sdk
 ENV PATH=$PATH:$DART_SDK/bin
 COPY --from=dart --chown=$USER:$USER $DART_SDK $DART_SDK
-RUN syft $DART_SDK -o spdx-json --output json=/usr/share/doc/ort/ort-golang.dart.json
-
 # Dotnet
 ENV DOTNET_HOME=/opt/dotnet
 ENV NUGET_INSPECTOR_HOME=$DOTNET_HOME
@@ -547,8 +525,6 @@ ENV PATH=$PATH:$DOTNET_HOME:$DOTNET_HOME/tools:$DOTNET_HOME/bin
 COPY --from=dotnet --chown=$USER:$USER $DOTNET_HOME $DOTNET_HOME
-RUN syft $DOTNET_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-dotnet.spdx.json
-
 # PHP
 ARG PHP_VERSION
 ARG COMPOSER_VERSION
@@ -567,16 +543,12 @@ RUN mkdir -p /opt/php/bin \
 && curl -ksS https://getcomposer.org/installer | php -- --install-dir=/opt/php/bin --filename=composer --$COMPOSER_VERSION
 ENV PATH=$PATH:/opt/php/bin
-RUN syft /opt/php -o spdx-json --output json=/usr/share/doc/ort/ort-php.spdx.json
-
 # Haskell
 ENV HASKELL_HOME=/opt/haskell
 ENV PATH=$PATH:$HASKELL_HOME/bin
 COPY --from=haskell /opt/haskell /opt/haskell
-RUN syft /opt/haskell -o spdx-json --output json=/usr/share/doc/ort/ort-haskell.spdx.json
-
 # Bazel
 ENV BAZEL_HOME=/opt/bazel
 ENV PATH=$PATH:$BAZEL_HOME/bin
@@ -584,8 +556,6 @@ ENV PATH=$PATH:$BAZEL_HOME/bin
 COPY --from=bazel $BAZEL_HOME $BAZEL_HOME
 COPY --from=bazel --chown=$USER:$USER /opt/go/bin/buildozer /opt/go/bin/buildozer
-RUN syft $BAZEL_HOME -o spdx-json --output json=/usr/share/doc/ort/ort-bazel.spdx.json
-
 #------------------------------------------------------------------------
 # Runtime container with minimal selection of supported package managers pre-installed.
 FROM minimal-tools as minimal
diff --git a/NOTICE b/NOTICE
index 49cf104af1aad..f8f5351234fa9 100644
--- a/NOTICE
+++ b/NOTICE
@@ -16,3 +16,4 @@ Copyright (C) 2022 Google, LLC
 Copyright (C) 2022-2024 EPAM Systems, Inc.
 Copyright (C) 2023-2024 Double Open Oy
 Copyright (C) 2024 Robert Bosch GmbH
+Copyright (C) 2024 Cariad SE
diff --git a/scripts/docker_snippets/android.snippet b/scripts/docker_snippets/android.snippet
index bbf9908b0fe8f..050222a73c634 100644
--- a/scripts/docker_snippets/android.snippet
+++ b/scripts/docker_snippets/android.snippet
@@ -23,4 +23,3 @@ ENV PATH=$PATH:$ANDROID_HOME/platform-tools
 COPY --from=ghcr.io/oss-review-toolkit/android --chown=$USER:$USER $ANDROID_HOME $ANDROID_HOME
 RUN sudo chmod -R o+rw $ANDROID_HOME
-RUN syft $ANDROID_HOME -o spdx-json --file /usr/share/doc/ort/ort-android.spdx.json
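Review bot: The context line of the `@@ -567,16 +543,12 @@` hunk, `&& curl -ksS https://getcomposer.org/installer | php -- ...`, still downloads and executes the Composer installer with `-k`, i.e. with TLS certificate verification disabled, so the commit removes one unverified `curl | sh` (the Syft installer) but leaves an equivalent unverified `curl | php` in place; the `RUN mkdir -p /opt/php/bin \` instruction it belongs to starts outside the hunk, and the same line appears as context in the `scripts/docker_snippets/php.snippet` hunk later in this patch. The image already imports proxy/CA certificates via `/etc/scripts/import_certificates.sh` (visible in the `@@ -107,12 +107,6 @@` hunk), so `-k` presumably is not needed for corporate-proxy reasons any more; dropping it is a one-token change, `&& curl -sS https://getcomposer.org/installer | php -- --install-dir=/opt/php/bin --filename=composer --$COMPOSER_VERSION`. Going further, saving the installer to a file and checking its hash against the value Composer publishes for the pinned release before running it would make the PHP toolchain layer as reproducible as the other COPY-from-stage layers in this file.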
diff --git a/scripts/docker_snippets/dart.snippet b/scripts/docker_snippets/dart.snippet
index cb6869c6cef38..5bd7ea5722580 100644
--- a/scripts/docker_snippets/dart.snippet
+++ b/scripts/docker_snippets/dart.snippet
@@ -19,4 +19,3 @@ ENV DART_SDK=/opt/dart-sdk
 ENV PATH=$PATH:$DART_SDK/bin
 COPY --from=ghcr.io/oss-review-toolkit/dart --chown=$USER:$USER $DART_SDK $DART_SDK
-RUN syft $DART_SDK -o spdx-json --file /usr/share/doc/ort/ort-golang.dart.json
diff --git a/scripts/docker_snippets/dotnet.snippet b/scripts/docker_snippets/dotnet.snippet
index a5285e9fa6234..16c5b0e3305cf 100644
--- a/scripts/docker_snippets/dotnet.snippet
+++ b/scripts/docker_snippets/dotnet.snippet
@@ -21,4 +21,3 @@ ENV PATH=$PATH:$DOTNET_HOME:$DOTNET_HOME/tools:$DOTNET_HOME/bin
 COPY --from=ghcr.io/oss-review-toolkit/dotnet --chown=$USER:$USER $DOTNET_HOME $DOTNET_HOME
-RUN syft $DOTNET_HOME -o spdx-json --file /usr/share/doc/ort/ort-dotnet.spdx.json
diff --git a/scripts/docker_snippets/haskell.snippet b/scripts/docker_snippets/haskell.snippet
index 4594de4e4e1de..be403139b4eb0 100644
--- a/scripts/docker_snippets/haskell.snippet
+++ b/scripts/docker_snippets/haskell.snippet
@@ -20,5 +20,3 @@ ENV HASKELL_HOME=/opt/haskell
 ENV PATH=$PATH:$HASKELL_HOME/bin
 COPY --from=ghcr.io/oss-review-toolkit/haskell /opt/haskell /opt/haskell
-
-RUN syft /opt/haskell -o spdx-json --file /usr/share/doc/ort/ort-haskell.spdx.json
\ No newline at end of file
diff --git a/scripts/docker_snippets/php.snippet b/scripts/docker_snippets/php.snippet
index cba7338b7ea9a..1cf6bcbae5179 100644
--- a/scripts/docker_snippets/php.snippet
+++ b/scripts/docker_snippets/php.snippet
@@ -30,5 +30,3 @@ RUN mkdir -p /opt/php/bin \
 && curl -ksS https://getcomposer.org/installer | php -- --install-dir=/opt/php/bin --filename=composer --$COMPOSER_VERSION
 ENV PATH=$PATH:/opt/php/bin
-
-RUN syft /opt/php -o spdx-json --file /usr/share/doc/ort/ort-php.spdx.json
\ No newline at end of file
diff --git a/scripts/docker_snippets/sbt.snippet b/scripts/docker_snippets/sbt.snippet
index d73e03296cdde..4d307d303c2ae 100644
--- a/scripts/docker_snippets/sbt.snippet
+++ b/scripts/docker_snippets/sbt.snippet
@@ -19,4 +19,3 @@ ENV SBT_HOME=/opt/sbt
 ENV PATH=$PATH:$SBT_HOME/bin
 COPY --from=ghcr.io/oss-review-toolkit/sbt --chown=$USER:$USER $SBT_HOME $SBT_HOME
-RUN syft $SBT_HOME -o spdx-json --file /usr/share/doc/ort/ort-sbt.spdx.json
diff --git a/scripts/docker_snippets/swift.snippet b/scripts/docker_snippets/swift.snippet
index e4956513c53d2..a42f82267cd5a 100644
--- a/scripts/docker_snippets/swift.snippet
+++ b/scripts/docker_snippets/swift.snippet
@@ -19,4 +19,3 @@ ENV SWIFT_HOME=/opt/swift
 ENV PATH=$PATH:$SWIFT_HOME/bin
 COPY --from=ghcr.io/oss-review-toolkit/swift --chown=$USER:$USER $SWIFT_HOME $SWIFT_HOME
-RUN syft $SWIFT_HOME -o spdx-json --file /usr/share/doc/ort/ort-swift.spdx.json