From 6f4ae836406b010948f01fbcb400a31dca4fdf52 Mon Sep 17 00:00:00 2001
From: Laurent Goderre
Date: Tue, 3 Oct 2023 15:59:53 -0400
Subject: [PATCH] Added inline SBOM for binaries downloaded outside package manager

---
 .gitignore | 1 +
 11/alpine3.17/Dockerfile | 4 +++-
 11/alpine3.18/Dockerfile | 4 +++-
 12/alpine3.17/Dockerfile | 4 +++-
 12/alpine3.18/Dockerfile | 4 +++-
 13/alpine3.17/Dockerfile | 4 +++-
 13/alpine3.18/Dockerfile | 4 +++-
 14/alpine3.17/Dockerfile | 4 +++-
 14/alpine3.18/Dockerfile | 4 +++-
 15/alpine3.17/Dockerfile | 4 +++-
 15/alpine3.18/Dockerfile | 4 +++-
 16/alpine3.17/Dockerfile | 4 +++-
 16/alpine3.18/Dockerfile | 4 +++-
 Dockerfile-alpine.template | 16 +++++++++++++++-
 apply-templates.sh | 5 +++++
 15 files changed, 57 insertions(+), 13 deletions(-)

diff --git a/.gitignore b/.gitignore
index d548f66de0..2a4a211b89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .jq-template.awk
+template-helper-functions.jq
diff --git a/11/alpine3.17/Dockerfile b/11/alpine3.17/Dockerfile
index 7730ab0be3..ba083fd7da 100644
--- a/11/alpine3.17/Dockerfile
+++ b/11/alpine3.17/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.17
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -151,7 +152,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"11.21","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@11.21?os_name=alpine&os_version=3.17"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/11/alpine3.18/Dockerfile b/11/alpine3.18/Dockerfile
index 7de4f4ab5c..0c2fdd7d16 100644
--- a/11/alpine3.18/Dockerfile
+++ b/11/alpine3.18/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.18
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -151,7 +152,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"11.21","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@11.21?os_name=alpine&os_version=3.18"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/12/alpine3.17/Dockerfile b/12/alpine3.17/Dockerfile
index 19e3d03e14..257b372eba 100644
--- a/12/alpine3.17/Dockerfile
+++ b/12/alpine3.17/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.17
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -151,7 +152,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"12.16","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@12.16?os_name=alpine&os_version=3.17"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/12/alpine3.18/Dockerfile b/12/alpine3.18/Dockerfile
index ae9b2ad48a..1669e4f377 100644
--- a/12/alpine3.18/Dockerfile
+++ b/12/alpine3.18/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.18
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -151,7 +152,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"12.16","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@12.16?os_name=alpine&os_version=3.18"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/13/alpine3.17/Dockerfile b/13/alpine3.17/Dockerfile
index 8d9822dd8d..9510d10f56 100644
--- a/13/alpine3.17/Dockerfile
+++ b/13/alpine3.17/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.17
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -151,7 +152,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"13.12","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@13.12?os_name=alpine&os_version=3.17"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/13/alpine3.18/Dockerfile b/13/alpine3.18/Dockerfile
index 179639fa0f..119d0ce90d 100644
--- a/13/alpine3.18/Dockerfile
+++ b/13/alpine3.18/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.18
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -151,7 +152,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"13.12","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@13.12?os_name=alpine&os_version=3.18"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/14/alpine3.17/Dockerfile b/14/alpine3.17/Dockerfile
index 8953fca701..a814f6d12e 100644
--- a/14/alpine3.17/Dockerfile
+++ b/14/alpine3.17/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.17
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -154,7 +155,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"14.9","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@14.9?os_name=alpine&os_version=3.17"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/14/alpine3.18/Dockerfile b/14/alpine3.18/Dockerfile
index d349333c0a..2b6788066a 100644
--- a/14/alpine3.18/Dockerfile
+++ b/14/alpine3.18/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.18
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -154,7 +155,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"14.9","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@14.9?os_name=alpine&os_version=3.18"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/15/alpine3.17/Dockerfile b/15/alpine3.17/Dockerfile
index cfab85a8e4..3dfb914b27 100644
--- a/15/alpine3.17/Dockerfile
+++ b/15/alpine3.17/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.17
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -157,7 +158,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"15.4","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@15.4?os_name=alpine&os_version=3.17"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/15/alpine3.18/Dockerfile b/15/alpine3.18/Dockerfile
index f54cd720ff..560e8d644b 100644
--- a/15/alpine3.18/Dockerfile
+++ b/15/alpine3.18/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.18
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -157,7 +158,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"15.4","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@15.4?os_name=alpine&os_version=3.18"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/16/alpine3.17/Dockerfile b/16/alpine3.17/Dockerfile
index 0b00e1d491..5863fd58d3 100644
--- a/16/alpine3.17/Dockerfile
+++ b/16/alpine3.17/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.17
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -156,7 +157,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"16.0","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@16.0?os_name=alpine&os_version=3.17"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/16/alpine3.18/Dockerfile b/16/alpine3.18/Dockerfile
index 7d21a33740..94437870d5 100644
--- a/16/alpine3.18/Dockerfile
+++ b/16/alpine3.18/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.18
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -156,7 +157,8 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"postgres-sbom","packages":[{"name":"postgres","versionInfo":"16.0","SPDXID":"SPDXRef-Package--postgres","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/postgres@16.0?os_name=alpine&os_version=3.18"}],"licenseDeclared":"PostgreSQL"}]}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index c581fe0ecf..0548c0126a 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -1,3 +1,4 @@
+{{ include "template-helper-functions" }}
 FROM alpine:{{ env.variant | ltrimstr("alpine") }}
 
 # 70 is the standard uid/gid for "postgres" in Alpine
@@ -164,7 +165,20 @@ RUN set -eux; \
 /usr/local/share/doc \
 /usr/local/share/man \
 ; \
- \
+ echo '{{
+ {
+ name: "postgres",
+ version: .version,
+ params: {
+ os_name: "alpine",
+ os_version: env.variant | ltrimstr("alpine"),
+ },
+ licenses: [
+ "PostgreSQL"
+ ]
+ } | sbom | tostring
+ }}' > /usr/local/postgres.spdx.json \
+ ; \
 postgres --version
 
 # make the sample config easier to munge (and "correct by default")
diff --git a/apply-templates.sh b/apply-templates.sh
index 31eb541934..7b6dc1763d 100755
--- a/apply-templates.sh
+++ b/apply-templates.sh
@@ -13,6 +13,11 @@ elif [ "$BASH_SOURCE" -nt "$jqt" ]; then
 wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/9f6a35772ac863a0241f147c820354e4008edf38/scripts/jq-template.awk'
 fi
 
+jqf='template-helper-functions.jq'
+if [ "$BASH_SOURCE" -nt "$jqf" ]; then
+ wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/master/scripts/template-helper-functions.jq'
+fi
+
 if [ "$#" -eq 0 ]; then
 versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)"
 eval "set -- $versions"
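Review bot: The document the new `echo` line writes is not a complete SPDX 2.3 file: as the generated Dockerfile hunks show, it carries no `dataLicense`, `documentNamespace` or `creationInfo` at document level and no `downloadLocation` on the package, all of which SPDX 2.x marks mandatory, so validating scanners may reject the SBOM or silently skip it. Those fields are emitted (or not) by the `sbom` helper from template-helper-functions.jq rather than by this template, so the fix probably belongs upstream, but a comment above the `echo` such as `# inline SPDX SBOM for the from-source postgres build; document/package fields are shaped by sbom in template-helper-functions.jq` would tell readers where the output comes from. The version and variant are interpolated inside hand-written single quotes without escaping; they are repo-controlled today, but `echo {{ ... | sbom | tostring | @sh }} > /usr/local/postgres.spdx.json \` would let jq produce the quoting and keep a stray quote in either value from breaking the RUN command. The enclosing RUN instruction starts before the hunk.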
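Review bot: The new `wget` fetches `template-helper-functions.jq` from the moving `master` ref, whereas the `jq-template.awk` fetch just above it is pinned to commit `9f6a35772ac863a0241f147c820354e4008edf38`; the helper is `include`d by the template and its output is copied into every generated Dockerfile, so an unpinned ref makes regeneration non-reproducible and lets any upstream change rewrite the SBOMs here without review. Pin it the same way, `wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/<pinned-commit-sha>/scripts/template-helper-functions.jq'`, and bump the sha deliberately when the helper changes. Separately, `wget -O` creates the target before the transfer completes, so a failed download leaves an empty or truncated `$jqf` that the `-nt` guard will not refetch on the next run; appending `|| rm -f "$jqf"` to the wget line (or downloading to a temp file and moving it into place) avoids including a partial helper. The `if`/`elif` chain that handles `$jqt` starts before the hunk.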