task/buildah: respect user config for Syft
STONEBLD-2095

Syft makes many things configurable:
https://github.com/anchore/syft#configuration

For example, users can take advantage of this to get rid of false
positives. This will be useful for the Syft build itself:
redhat-appstudio/rh-syft#21

Currently, our SBOM generation does not respect the user configuration.
Syft reads the config from the current working directory, not from the
target directory (anchore/syft#2465).

Set the working directory to the root of the user's repository to ensure
we respect the configuration.

---

This also allows the user to - intentionally or otherwise - exclude
packages that should be reported, causing false negatives. That seems
like an acceptable tradeoff, given that:

* For hermetic builds, the SBOM should still report everything that got
  in from outside, regardless of Syft configuration.
* We should assume some level of co-operation from the user; we don't
  have to design accurate SBOMs for users that actively sabotage the
  process

Signed-off-by: Adam Cmiel <[email protected]>
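As an added example (not part of this commit or of the repository it changes), the following POSIX shell helper shows one way a task step could make the user-supplied Syft configuration it now honours auditable: it looks for a config file in the repository root that becomes the step's working directory and copies it next to the SBOM output, so whoever reviews the SBOM can see which exclusions shaped it rather than discovering the false negatives the commit message accepts. The candidate file names (`.syft.yaml`, `.syft/config.yaml`) are assumed from Syft's documented configuration search paths, and the sample repository with its `exclude:` entry is constructed here.

```shell
#!/bin/sh
# Added example, not from the commit under review: make the Syft config that
# the buildah step now honours (because workingDir is the repo root) visible
# alongside the generated SBOM. File names are assumed from Syft's documented
# config search paths; adjust if the Syft version in use looks elsewhere.

# find_syft_config DIR
#   Print the path of the first user-supplied Syft config found in DIR
#   (the step's working directory). Exit 1 if there is none.
find_syft_config() {
  _dir=$1
  for _candidate in .syft.yaml .syft/config.yaml; do
    if [ -f "$_dir/$_candidate" ]; then
      printf '%s\n' "$_dir/$_candidate"
      return 0
    fi
  done
  return 1
}

# record_syft_config DIR OUTDIR
#   Copy the config Syft will use to OUTDIR/syft-config-used.yaml so that it
#   can be attached to the build alongside sbom-source.json, or write a
#   marker noting that Syft ran with its defaults. Prints which case applied.
record_syft_config() {
  _dir=$1
  _out=$2
  mkdir -p "$_out"
  if _cfg=$(find_syft_config "$_dir"); then
    cp "$_cfg" "$_out/syft-config-used.yaml"
    echo "user-config"
  else
    echo "# no Syft configuration found in the repository root; defaults applied" \
      > "$_out/syft-config-used.yaml"
    echo "default-config"
  fi
}

# Constructed sample repository: a .syft.yaml that excludes a test tree,
# the kind of setting that can also hide real packages (false negatives).
demo() {
  _tmp=$(mktemp -d)
  mkdir -p "$_tmp/source"
  printf 'exclude:\n  - ./test/**\n' > "$_tmp/source/.syft.yaml"
  record_syft_config "$_tmp/source" "$_tmp/sbom-meta"   # prints: user-config
  cat "$_tmp/sbom-meta/syft-config-used.yaml"
}

demo
```

In a Tekton step this would run just before the `syft dir:...` invocation, with the repository root and the SBOM output directory passed in; the copied file is then one more artifact to retain with the SBOM.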
chmeliik committed Mar 6, 2024
1 parent 3a65329 commit 5fba3d7
Showing 2 changed files with 4 additions and 0 deletions.
1 change: 1 addition & 0 deletions task/buildah-remote/0.1/buildah-remote.yaml
@@ -351,6 +351,7 @@ spec:
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
workingDir: $(workspaces.source.path)/source
- computeResources: {}
image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77
name: analyse-dependencies-java-sbom
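Review bot: the `workingDir: $(workspaces.source.path)/source` added to this step in buildah-remote.yaml carries no comment explaining why it is set, while the same line added to task/buildah/0.1/buildah.yaml in this commit has the two-line comment pointing at https://github.com/anchore/syft/issues/2465; copy that comment here so the two task variants stay in sync and the next person editing the remote task does not drop the line as redundant. Also worth stating in the comment that a step's `workingDir` must exist when its container starts, so this step now relies on an earlier step having already populated `$(workspaces.source.path)/source`.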
3 changes: 3 additions & 0 deletions task/buildah/0.1/buildah.yaml
@@ -258,6 +258,9 @@ spec:

- name: sbom-syft-generate
image: quay.io/redhat-appstudio/syft:v0.105.0@sha256:32a9d2007f2b042ceec4ef32fa1d90b8d28141822e7d9748f240da9d55c56601
# Respect Syft configuration if the user has it in the root of their repository
# (need to set the workdir, see https://github.com/anchore/syft/issues/2465)
workingDir: $(workspaces.source.path)/source
script: |
syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
find $(cat /workspace/container_path) -xtype l -delete
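Review bot: with `workingDir` now set to the repository root, Syft loads whatever configuration the repository author ships there, which, as the commit message acknowledges, can silently narrow the SBOM; consider having the script also record which configuration file (if any) Syft picked up next to `sbom-source.json`, so the exclusions that were applied are visible to whoever reviews the SBOM rather than only to Syft. The two visible script lines (`syft dir:$(workspaces.source.path)/source ...` and `find $(cat /workspace/container_path) ...`) use absolute paths, so the change of working directory does not alter what they do.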

0 comments on commit 5fba3d7
