From ca94952c145a4224b6a9630ac4f8200f041ba22a Mon Sep 17 00:00:00 2001
From: Jason Hall <jason@chainguard.dev>
Date: Wed, 18 Jan 2023 10:54:56 -0500
Subject: [PATCH] remove 'ko deps'

---
 .github/workflows/kind-e2e.yaml |  14 +--
 .github/workflows/sbom.yaml     |  38 ++------
 pkg/commands/commands.go        |   1 -
 pkg/commands/deps.go            | 160 --------------------------------
 4 files changed, 7 insertions(+), 206 deletions(-)
 delete mode 100644 pkg/commands/deps.go

diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml
index fe35427150..3f0696db73 100644
--- a/.github/workflows/kind-e2e.yaml
+++ b/.github/workflows/kind-e2e.yaml
@@ -59,23 +59,11 @@ jobs:
       run: |
         set -o pipefail
 
-        IMAGE=$(ko build ./test)
-        SBOM=$(cosign download sbom ${IMAGE})
-        KO_DEPS=$(ko deps ${IMAGE})
-
         echo '::group:: SBOM'
+        cosign download sbom $(ko build ./test)
         echo "${SBOM}"
         echo '::endgroup::'
 
-        echo '::group:: ko deps'
-        echo "${KO_DEPS}"
-        echo '::endgroup::'
-
-        if [ "${SBOM}" != "${KO_DEPS}" ] ; then
-          echo Wanted SBOM and 'ko deps' to match, got differences!
-          exit 1
-        fi
-
     - name: Collect diagnostics and upload
       if: ${{ failure() }}
       uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main
diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml
index 928802c77e..6f0a98e71c 100644
--- a/.github/workflows/sbom.yaml
+++ b/.github/workflows/sbom.yaml
@@ -8,27 +8,6 @@ env:
   SPDX_TOOLS_VERSION: 1.1.0
 
 jobs:
-  go-version-m:
-    name: Generate go version -m
-    runs-on: ubuntu-latest
-
-    env:
-      KO_DOCKER_REPO: localhost:1338
-
-    steps:
-      - uses: actions/setup-go@v3
-        with:
-          go-version: 1.18
-          check-latest: true
-      - uses: chainguard-dev/actions/setup-registry@main
-      - uses: actions/checkout@v3
-
-      - name: Generate
-        run: |
-          img=$(go run ./ build ./)
-          go run ./ deps $img --sbom=go.version-m > gomod.txt
-          cat gomod.txt
-
   cyclonedx:
     name: Validate CycloneDX SBOM
     runs-on: ubuntu-latest
@@ -42,6 +21,7 @@ jobs:
           go-version: 1.18
           check-latest: true
       - uses: chainguard-dev/actions/setup-registry@main
+      - uses: sigstore/cosign-installer@v2.8.1
       - uses: actions/checkout@v3
 
       - name: Install CycloneDX
@@ -51,8 +31,7 @@ jobs:
 
       - name: Generate and Validate
         run: |
-          img=$(go run ./ build ./)
-          go run ./ deps $img --sbom=cyclonedx > cyclonedx.json
+          cosign download sbom $(go run ./ build --sbom=cyclonedx) | tee cyclonedx.json
           ./cyclonedx-linux-x64 validate --input-file=cyclonedx.json --fail-on-errors
 
       - uses: actions/upload-artifact@v3
@@ -74,6 +53,7 @@ jobs:
           go-version: 1.18
           check-latest: true
       - uses: chainguard-dev/actions/setup-registry@main
+      - uses: sigstore/cosign-installer@v2.8.1
       - uses: actions/checkout@v3
 
       - name: Install SPDX Tools
@@ -83,9 +63,7 @@ jobs:
 
       - name: Generate and Validate
         run: |
-          img=$(go run ./ build ./)
-          go run ./ deps $img --sbom=spdx | tee spdx.json
-
+          cosign download sbom $(go run ./ build) | tee spdx.json
           java -jar ./tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar Verify spdx.json
 
       - uses: actions/upload-artifact@v3
@@ -107,6 +85,7 @@ jobs:
           go-version: 1.18
           check-latest: true
       - uses: chainguard-dev/actions/setup-registry@main
+      - uses: sigstore/cosign-installer@v2.8.1
       - uses: actions/checkout@v3
 
       - name: Install SPDX Tools
@@ -114,14 +93,9 @@ jobs:
           wget https://github.com/spdx/tools-java/releases/download/v${SPDX_TOOLS_VERSION}/tools-java-${SPDX_TOOLS_VERSION}.zip
           unzip tools-java-${SPDX_TOOLS_VERSION}.zip
 
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@v2.8.1
-        with:
-          cosign-release: 'v1.7.2'
-
       - name: Generate and Validate
         run: |
-          img=$(go run ./ build --platform=linux/amd64,linux/arm64 ./)
+          img=$(go run ./ build --platform=linux/amd64,linux/arm64)
           cosign download sbom $img | tee spdx-multi-arch.json
 
           java -jar ./tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar Verify spdx-multi-arch.json
diff --git a/pkg/commands/commands.go b/pkg/commands/commands.go
index f0d4289cfb..b3405e5c89 100644
--- a/pkg/commands/commands.go
+++ b/pkg/commands/commands.go
@@ -31,7 +31,6 @@ func AddKubeCommands(topLevel *cobra.Command) {
 	addResolve(topLevel)
 	addBuild(topLevel)
 	addRun(topLevel)
-	addDeps(topLevel)
 }
 
 // check if kubectl is installed
diff --git a/pkg/commands/deps.go b/pkg/commands/deps.go
deleted file mode 100644
index a4d71c0076..0000000000
--- a/pkg/commands/deps.go
+++ /dev/null
@@ -1,160 +0,0 @@
-// Copyright 2021 Google LLC All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package commands
-
-import (
-	"archive/tar"
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/google/go-containerregistry/pkg/v1/mutate"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/google/ko/internal/sbom"
-	"github.com/sigstore/cosign/v2/pkg/oci/signed"
-	"github.com/spf13/cobra"
-)
-
-// addDeps augments our CLI surface with deps.
-func addDeps(topLevel *cobra.Command) {
-	var sbomType string
-	deps := &cobra.Command{
-		Use:   "deps IMAGE",
-		Short: "Print Go module dependency information about the ko-built binary in the image",
-		Long: `This sub-command finds and extracts the executable binary in the image, assuming it was built by ko, and prints information about the Go module dependencies of that executable, as reported by "go version -m".
-
-If the image was not built using ko, or if it was built without embedding dependency information, this command will fail.`,
-		Example: `
-  # Fetch and extract Go dependency information from an image:
-  ko deps docker.io/my-user/my-image:v3`,
-		Args:       cobra.ExactArgs(1),
-		Deprecated: "SBOMs are generated and uploaded by default; this command will be removed in a future release.",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			ctx := cmd.Context()
-
-			switch sbomType {
-			case "cyclonedx", "spdx", "go.version-m":
-			default:
-				return fmt.Errorf("invalid sbom type %q: must be spdx, cyclonedx or go.version-m", sbomType)
-			}
-
-			ref, err := name.ParseReference(args[0])
-			if err != nil {
-				return err
-			}
-
-			img, err := remote.Image(ref,
-				remote.WithContext(ctx),
-				remote.WithAuthFromKeychain(keychain),
-				remote.WithUserAgent(ua()))
-			if err != nil {
-				return err
-			}
-
-			cfg, err := img.ConfigFile()
-			if err != nil {
-				return err
-			}
-			ep := cfg.Config.Entrypoint
-			if len(ep) != 1 {
-				return fmt.Errorf("unexpected entrypoint: %s", ep)
-			}
-			bin := ep[0]
-
-			rc := mutate.Extract(img)
-			defer rc.Close()
-			tr := tar.NewReader(rc)
-			for {
-				// Stop reading if the context is cancelled.
-				select {
-				case <-ctx.Done():
-					return ctx.Err()
-				default:
-					// keep reading.
-				}
-				h, err := tr.Next()
-				if errors.Is(err, io.EOF) {
-					return fmt.Errorf("no ko-built executable named %q found", bin)
-				}
-				if err != nil {
-					return err
-				}
-
-				if h.Typeflag != tar.TypeReg {
-					continue
-				}
-				if h.Name != bin {
-					continue
-				}
-
-				tmp, err := ioutil.TempFile("", filepath.Base(filepath.Clean(h.Name)))
-				if err != nil {
-					return err
-				}
-				n := tmp.Name()
-				defer os.RemoveAll(n) // best effort: remove tmp file afterwards.
-				defer tmp.Close()     // close it first.
-				// io.LimitReader to appease gosec...
-				if _, err := io.Copy(tmp, io.LimitReader(tr, h.Size)); err != nil {
-					return err
-				}
-				if err := os.Chmod(n, os.FileMode(h.Mode)); err != nil {
-					return err
-				}
-				cmd := exec.CommandContext(ctx, "go", "version", "-m", n)
-				var buf bytes.Buffer
-				cmd.Stdout = &buf
-				cmd.Stderr = os.Stderr
-				if err := cmd.Run(); err != nil {
-					return err
-				}
-				// In order to get deterministics SBOMs replace
-				// our randomized file name with the path the
-				// app will get inside of the container.
-				mod := bytes.Replace(buf.Bytes(),
-					[]byte(n),
-					[]byte(path.Join("/ko-app", filepath.Base(filepath.Clean(h.Name)))),
-					1)
-				switch sbomType {
-				case "spdx":
-					b, err := sbom.GenerateImageSPDX(Version, mod, signed.Image(img))
-					if err != nil {
-						return err
-					}
-					io.Copy(os.Stdout, bytes.NewReader(b))
-				case "cyclonedx":
-					b, err := sbom.GenerateImageCycloneDX(mod)
-					if err != nil {
-						return err
-					}
-					io.Copy(os.Stdout, bytes.NewReader(b))
-				case "go.version-m":
-					io.Copy(os.Stdout, bytes.NewReader(mod))
-				}
-				return nil
-			}
-			// unreachable
-		},
-	}
-	deps.Flags().StringVar(&sbomType, "sbom", "spdx", "Format for SBOM output (supports: spdx, cyclonedx, go.version-m).")
-	topLevel.AddCommand(deps)
-}