From 5fba3d72b8b41ad75911deb080218f7c00a6059f Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Wed, 21 Feb 2024 10:59:43 +0100
Subject: [PATCH] task/buildah: respect user config for Syft

STONEBLD-2095

Syft makes many things configurable: https://github.com/anchore/syft#configuration For example, users can take advantage of this to get rid of false positives. This will be useful for the Syft build itself: https://github.com/redhat-appstudio/rh-syft/pull/21

Currently, our SBOM generation does not respect the user configuration. Syft reads the config from the current working directory, not from the target directory (https://github.com/anchore/syft/issues/2465). Set the working directory to the root of the user's repository to ensure we respect the configuration.

---

This also allows the user to - intentionally or otherwise - exclude packages that should be reported, causing false negatives. That seems like an acceptable tradeoff, given that:

* For hermetic builds, the SBOM should still report everything that got in from outside, regardless of Syft configuration.
* We should assume some level of co-operation from the user, we don't have to design accurate SBOMs for users that actively sabotage the proces

Signed-off-by: Adam Cmiel
---
 task/buildah-remote/0.1/buildah-remote.yaml | 1 +
 task/buildah/0.1/buildah.yaml | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
index dcec2d1fcd..6819b25c1e 100644
--- a/task/buildah-remote/0.1/buildah-remote.yaml
+++ b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -351,6 +351,7 @@ spec:
 volumeMounts:
 - mountPath: /var/lib/containers
 name: varlibcontainers
+ workingDir: $(workspaces.source.path)/source
 - computeResources: {}
 image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77
 name: analyse-dependencies-java-sbom
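Review bot: The added `workingDir: $(workspaces.source.path)/source` line in buildah-remote.yaml carries no explanation, while the identical change in buildah.yaml gets a two-line comment; a reader of this file cannot tell why the step's working directory is pinned to the source checkout or that it exists only to make Syft pick up a repository-level config. Carry the comment over verbatim above the line: `# Respect Syft configuration if the user has it in the root of their repository` / `# (need to set the workdir, see https://github.com/anchore/syft/issues/2465)`. Because the config is now read from a user-controlled checkout, it is also worth stating in the task description that a Syft config in the repository root can exclude packages from the generated SBOM, which the commit message acknowledges but the task itself does not. The step's `name` is outside the hunk, so this assumes the line lands in the Syft SBOM step as it does in buildah.yaml.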
diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
index f34c42cd3b..a489c286dd 100644
--- a/task/buildah/0.1/buildah.yaml
+++ b/task/buildah/0.1/buildah.yaml
@@ -258,6 +258,9 @@ spec:
 - name: sbom-syft-generate
 image: quay.io/redhat-appstudio/syft:v0.105.0@sha256:32a9d2007f2b042ceec4ef32fa1d90b8d28141822e7d9748f240da9d55c56601
+ # Respect Syft configuration if the user has it in the root of their repository
+ # (need to set the workdir, see https://github.com/anchore/syft/issues/2465)
+ workingDir: $(workspaces.source.path)/source
 script: |
 syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
 find $(cat /workspace/container_path) -xtype l -delete