Apply Red Hat specific modifications

Signed-off-by: downstream-sync <[email protected]>

Author: downstream-sync

.syft/config.yaml

@@ -0,0 +1,2 @@
+exclude:
+- "**/test-fixtures"

Dockerfile

@@ -1,29 +1,43 @@
-FROM gcr.io/distroless/static-debian11:debug@sha256:a0a404776dec98be120089ae42bbdfbe48c177921d856937d124d48eb8c0b951 AS build
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.21 AS build
 
-FROM scratch
-# needed for version check HTTPS request
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+WORKDIR /src/syft
+
+# openshift-golang-builder sets GOFLAGS=-mod=vendor, unset it (we don't vendor dependencies)
+ENV GOFLAGS=""
+
+COPY go.mod go.sum .
+RUN go mod download
+
+COPY . .
+RUN ./build-syft-binary.sh
+
+FROM registry.access.redhat.com/ubi9/ubi-micro:9.4-6.1716471860@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d
+
+ENV SYFT_CHECK_FOR_APP_UPDATE=false
 
 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp
 
-COPY syft /
-
-ARG BUILD_DATE
-ARG BUILD_VERSION
-ARG VCS_REF
-ARG VCS_URL
+COPY --from=build /src/syft/dist/syft /usr/local/bin/syft
 
-LABEL org.opencontainers.image.created=$BUILD_DATE
 LABEL org.opencontainers.image.title="syft"
 LABEL org.opencontainers.image.description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
-LABEL org.opencontainers.image.source=$VCS_URL
-LABEL org.opencontainers.image.revision=$VCS_REF
-LABEL org.opencontainers.image.vendor="Anchore, Inc."
-LABEL org.opencontainers.image.version=$BUILD_VERSION
+LABEL org.opencontainers.image.vendor="Red Hat, Inc."
 LABEL org.opencontainers.image.licenses="Apache-2.0"
-LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/anchore/syft/main/README.md"
-LABEL io.artifacthub.package.logo-url="https://user-images.githubusercontent.com/5199289/136844524-1527b09f-c5cb-4aa9-be54-5aa92a6086c1.png"
-LABEL io.artifacthub.package.license="Apache-2.0"
 
-ENTRYPOINT ["/syft"]
+# required per https://github.com/release-engineering/rhtap-ec-policy/blob/main/data/rule_data.yml
+# TODO: set up in Bugzilla
+LABEL com.redhat.component="syft"
+LABEL version="1.8.0"
+# TODO: document the need to bump this on every re-release of the same version
+LABEL release="1"
+LABEL name="syft"
+LABEL io.k8s.display-name="syft"
+LABEL summary="syft"
+LABEL description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
+LABEL io.k8s.description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
+LABEL vendor="Red Hat, Inc."
+LABEL url="https://github.com/redhat-appstudio/rh-syft"
+LABEL distribution-scope="public"
+
+ENTRYPOINT ["/usr/local/bin/syft"]

build-syft-binary.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -o errexit -o nounset -o pipefail
+
+# Roughly replicate goreleaser templating: https://goreleaser.com/customization/templates/.
+# Needed for passing version information to the Syft build (see the upstream .goreleaser.yaml).
+
+get_version() {
+    local version
+    version=$(git describe --tags --abbrev=0)
+    # TODO: should we indicate the Red Hat patches in the version?
+    # TODO: how to version re-releases of past versions?
+    echo "${version#v}"  # strip the 'v' prefix
+}
+
+version=$(get_version)
+full_commit=$(git rev-parse HEAD)
+date="$(date --utc --iso-8601=seconds | cut -d '+' -f 1)Z"  # yyyy-mm-ddThh:mm:ssZ
+summary=$(git describe --dirty --always --tags)
+
+# command based on .goreleaser.yaml configuration
+CGO_ENABLED=0 go build -ldflags "
+  -w
+  -s
+  -extldflags '-static'
+  -X main.version=$version
+  -X main.gitCommit=$full_commit
+  -X main.buildDate=$date
+  -X main.gitDescription=$summary
+" -o dist/syft ./cmd/syft
+
+echo "--- output path: dist/syft ---"
+dist/syft version