Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use dockerfile-add-scanner to make kernel sbom #3241

Merged
merged 1 commit into from
May 29, 2023
Merged

use dockerfile-add-scanner to make kernel sbom #3241

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 25 additions & 8 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,10 @@ BUILD_VM_SRC_amd64=https://cloud-images.ubuntu.com/focal/current/focal-server-cl
BUILD_VM_SRC=$(BUILD_VM_SRC_$(ZARCH))

UNAME_S := $(shell uname -s)
UNAME_S_LCASE=$(shell uname -s | tr '[A-Z]' '[a-z]')

# store the goos for local, as an easier-to-reference var
LOCAL_GOOS=$(UNAME_S_LCASE)

USER = $(shell id -u -n)
GROUP = $(shell id -g -n)
Expand Down Expand Up @@ -204,10 +208,10 @@ QEMU_ACCEL_Y_Darwin_amd64=-machine q35,accel=hvf,usb=off -cpu kvm64,kvmclock=off
QEMU_ACCEL_Y_Linux_amd64=-machine q35,accel=kvm,usb=off,dump-guest-core=off -cpu host,invtsc=on,kvmclock=off -machine kernel-irqchip=split -device intel-iommu,intremap=on,caching-mode=on,aw-bits=48
# -machine virt,gic_version=3
QEMU_ACCEL_Y_Linux_arm64=-machine virt,accel=kvm,usb=off,dump-guest-core=off -cpu host
QEMU_ACCEL__$(shell uname -s)_arm64=-machine virt,virtualization=true -cpu cortex-a57
QEMU_ACCEL__$(shell uname -s)_amd64=-machine q35 -cpu SandyBridge
QEMU_ACCEL__$(shell uname -s)_riscv64=-machine virt -cpu rv64
QEMU_ACCEL:=$(QEMU_ACCEL_$(ACCEL:%=Y)_$(shell uname -s)_$(ZARCH))
QEMU_ACCEL__$(UNAME_S)_arm64=-machine virt,virtualization=true -cpu cortex-a57
QEMU_ACCEL__$(UNAME_S)_amd64=-machine q35 -cpu SandyBridge
QEMU_ACCEL__$(UNAME_S)_riscv64=-machine virt -cpu rv64
QEMU_ACCEL:=$(QEMU_ACCEL_$(ACCEL:%=Y)_$(UNAME_S)_$(ZARCH))

QEMU_OPTS_NET1=192.168.1.0/24
QEMU_OPTS_NET1_FIRST_IP=192.168.1.10
Expand Down Expand Up @@ -292,6 +296,10 @@ RESCAN_DEPS=FORCE
# set FORCE_BUILD to --force to enforce rebuild
FORCE_BUILD=

# for the dockerfile-add-scanner
DOCKERFILE_ADD_SCANNER=$(BUILDTOOLS_BIN)/dockerfile-add-scanner
DOCKERFILE_ADD_SCANNER_SOURCE=./tools/dockerfile-add-scanner

# for the go build sources
GOSOURCES=$(BUILDTOOLS_BIN)/go-sources-and-licenses
GOSOURCES_VERSION=c73009667f4871c084c1f2164063321c81d053a2
Expand All @@ -302,7 +310,7 @@ GOSOURCES_SOURCE=github.com/deitch/go-sources-and-licenses
COMPARESOURCES=$(BUILDTOOLS_BIN)/compare-sbom-sources
COMPARE_SOURCE=./tools/compare-sbom-sources

SYFT_VERSION:=v0.78.0
SYFT_VERSION:=v0.82.0
SYFT_IMAGE:=docker.io/anchore/syft:$(SYFT_VERSION)

# we use the following block to assign correct tag to the Docker registry artifact
Expand Down Expand Up @@ -636,7 +644,7 @@ sbom_info:
collected_sources_info:
@echo "$(COLLECTED_SOURCES)"

$(SBOM): $(ROOTFS_TAR)| $(INSTALLER)
$(SBOM): $(ROOTFS_TAR) $(DOCKERFILE_ADD_SCANNER)| $(INSTALLER)
$(QUIET): $@: Begin
$(eval TMP_ROOTDIR := $(shell mktemp -d))
# this is a bit of a hack, but we need to extract the rootfs tar to a directory, and it fails if
Expand All @@ -645,6 +653,8 @@ $(SBOM): $(ROOTFS_TAR)| $(INSTALLER)
# this all can go away, and we can read the rootfs.tar
# see https://github.com/anchore/syft/issues/1400
tar xf $< -C $(TMP_ROOTDIR) --exclude "dev/*"
# we need to generate the kernel sbom, because syft would give a completely different structure
$(DOCKERFILE_ADD_SCANNER) scan ./pkg/kernel/Dockerfile --format spdx-json > $(TMP_ROOTDIR)/kernel-sbom.spdx.json
docker run -v $(TMP_ROOTDIR):/rootdir:ro -v $(CURDIR)/.syft.yaml:/syft.yaml:ro $(SYFT_IMAGE) -c /syft.yaml /rootdir > $@
rm -rf $(TMP_ROOTDIR)
$(QUIET): $@: Succeeded
Expand All @@ -666,10 +676,17 @@ $(COLLECTED_SOURCES): $(ROOTFS_TAR) $(GOSOURCES)| $(INSTALLER) $(SOURCES_DIR)

$(COMPARESOURCES):
$(QUIET): $@: Begin
GOOS=$(shell uname -s | tr '[A-Z]' '[a-z]') CGO_ENABLED=0 go build -o $(COMPARESOURCES) -C $(COMPARE_SOURCE)
GOOS=$(LOCAL_GOOS) CGO_ENABLED=0 go build -o $(COMPARESOURCES) -C $(COMPARE_SOURCE)
@echo Done building packages
$(QUIET): $@: Succeeded

$(DOCKERFILE_ADD_SCANNER):
$(QUIET): $@: Begin
GOOS=$(LOCAL_GOOS) CGO_ENABLED=0 go build -o $@ -C $(DOCKERFILE_ADD_SCANNER_SOURCE)
@echo Done building dockerfile-add-scanner
$(QUIET): $@: Succeeded


compare_sbom_collected_sources: $(COLLECTED_SOURCES) $(SBOM) | $(COMPARESOURCES)
$(QUIET): $@: Begin
$(COMPARESOURCES) $(COLLECTED_SOURCES):./collected_sources_manifest.csv $(SBOM)
Expand Down Expand Up @@ -846,7 +863,7 @@ $(LINUXKIT).$(LINUXKIT_VERSION):
@rm -rf $(LINUXKIT)*
@touch $(LINUXKIT).$(LINUXKIT_VERSION)
# build linuxkit for the host OS, not the container OS
$(LINUXKIT): GOOS=$(shell uname -s | tr '[A-Z]' '[a-z]')
$(LINUXKIT): GOOS=$(LOCAL_GOOS)
$(LINUXKIT): $(LINUXKIT).$(LINUXKIT_VERSION)
$(LINUXKIT): | $(GOBUILDER)
$(QUIET)$(DOCKER_GO) \
Expand Down