diff --git a/.syft/config.yaml b/.syft/config.yaml
new file mode 100644
index 00000000..8d8ca87d
--- /dev/null
+++ b/.syft/config.yaml
@@ -0,0 +1,2 @@
+exclude:
+- "**/test-fixtures"
diff --git a/Dockerfile b/Dockerfile
index e922e3d5..7694e634 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,29 +1,43 @@
-FROM gcr.io/distroless/static-debian11:debug@sha256:a0a404776dec98be120089ae42bbdfbe48c177921d856937d124d48eb8c0b951 AS build
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.21 AS build
-FROM scratch
-# needed for version check HTTPS request
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+WORKDIR /src/syft
+
+# openshift-golang-builder sets GOFLAGS=-mod=vendor, unset it (we don't vendor dependencies)
+ENV GOFLAGS=""
+
+COPY go.mod go.sum .
+RUN go mod download
+
+COPY . .
+RUN ./build-syft-binary.sh
+
+FROM registry.access.redhat.com/ubi9/ubi-micro:9.4-15@sha256:7f376b75faf8ea546f28f8529c37d24adcde33dca4103f4897ae19a43d58192b
+
+ENV SYFT_CHECK_FOR_APP_UPDATE=false
 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp
-COPY syft /
-
-ARG BUILD_DATE
-ARG BUILD_VERSION
-ARG VCS_REF
-ARG VCS_URL
+COPY --from=build /src/syft/dist/syft /usr/local/bin/syft
-LABEL org.opencontainers.image.created=$BUILD_DATE
 LABEL org.opencontainers.image.title="syft"
 LABEL org.opencontainers.image.description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
-LABEL org.opencontainers.image.source=$VCS_URL
-LABEL org.opencontainers.image.revision=$VCS_REF
-LABEL org.opencontainers.image.vendor="Anchore, Inc."
-LABEL org.opencontainers.image.version=$BUILD_VERSION
+LABEL org.opencontainers.image.vendor="Red Hat, Inc."
 LABEL org.opencontainers.image.licenses="Apache-2.0"
-LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/anchore/syft/main/README.md"
-LABEL io.artifacthub.package.logo-url="https://user-images.githubusercontent.com/5199289/136844524-1527b09f-c5cb-4aa9-be54-5aa92a6086c1.png"
-LABEL io.artifacthub.package.license="Apache-2.0"
-ENTRYPOINT ["/syft"]
+# required per https://github.com/release-engineering/rhtap-ec-policy/blob/main/data/rule_data.yml
+# TODO: set up in Bugzilla
+LABEL com.redhat.component="syft"
+LABEL version="1.14.0"
+# TODO: document the need to bump this on every re-release of the same version
+LABEL release="1"
+LABEL name="syft"
+LABEL io.k8s.display-name="syft"
+LABEL summary="syft"
+LABEL description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
+LABEL io.k8s.description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
+LABEL vendor="Red Hat, Inc."
+LABEL url="https://github.com/redhat-appstudio/rh-syft"
+LABEL distribution-scope="public"
+
+ENTRYPOINT ["/usr/local/bin/syft"]
diff --git a/build-syft-binary.sh b/build-syft-binary.sh
new file mode 100755
index 00000000..f26f530b
--- /dev/null
+++ b/build-syft-binary.sh
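Review bot: The build stage on the first added line, `FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.21 AS build`, floats on a minor-version tag while the runtime base below it and the distroless builder it replaces are both pinned by digest, so the toolchain that produces the shipped binary can silently change between otherwise identical builds; pin it the same way, e.g. `FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.21@sha256:<digest> AS build`. The hard-coded `LABEL version="1.14.0"` is a second source of truth next to the git-tag-derived version in build-syft-binary.sh and will drift on the next tag; consider feeding both from one `ARG`, or extend the existing TODO to say the label must be bumped together with the tag. The final stage still has no `USER`, so the container runs as root unless the platform assigns a UID — that is unchanged from the old scratch image, but a one-line comment stating it is intentional (or a `USER 1001` if the ubi-micro base supports it) would save the next reviewer the question.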
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -o errexit -o nounset -o pipefail
+
+# Roughly replicate goreleaser templating: https://goreleaser.com/customization/templates/.
+# Needed for passing version information to the Syft build (see the upstream .goreleaser.yaml).
+
+get_version() {
+ local version
+ version=$(git describe --tags --abbrev=0)
+ # TODO: should we indicate the Red Hat patches in the version?
+ # TODO: how to version re-releases of past versions?
+ echo "${version#v}" # strip the 'v' prefix
+}
+
+version=$(get_version)
+full_commit=$(git rev-parse HEAD)
+date="$(date --utc --iso-8601=seconds | cut -d '+' -f 1)Z" # yyyy-mm-ddThh:mm:ssZ
+summary=$(git describe --dirty --always --tags)
+
+# command based on .goreleaser.yaml configuration
+CGO_ENABLED=0 go build -ldflags "
+ -w
+ -s
+ -extldflags '-static'
+ -X main.version=$version
+ -X main.gitCommit=$full_commit
+ -X main.buildDate=$date
+ -X main.gitDescription=$summary
+" -o dist/syft ./cmd/syft
+
+echo "--- output path: dist/syft ---"
+dist/syft version
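Review bot: The `date=` assignment embeds the wall-clock time of the build, so two builds of the same commit yield different binaries and a downstream SBOM or provenance attestation cannot be reproduced against them; honor `SOURCE_DATE_EPOCH` when the build system exports it, which also replaces the `cut` pipeline: `date=$(date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y-%m-%dT%H:%M:%SZ) # yyyy-mm-ddThh:mm:ssZ`. For the same reproducibility reason consider adding `-trimpath` to the `go build` invocation so the `/src/syft` build directory is not baked into the binary (the upstream goreleaser config may or may not set it — confirm before diverging). Both `git describe` calls and `git rev-parse` need a `.git` directory inside the image build context plus a `git` binary in the builder image, which the Dockerfile's `COPY . .` only supplies if `.git` is not listed in a `.dockerignore`; under `errexit` a missing repository aborts with an opaque git error, so a guard near the top such as `git rev-parse --git-dir >/dev/null 2>&1 || { echo "build-syft-binary.sh must run inside the git checkout" >&2; exit 1; }` would make the precondition explicit.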