diff --git a/.github/scripts/apple-signing/.gitignore b/.github/scripts/apple-signing/.gitignore deleted file mode 100644 index 301ab6fe6..000000000 --- a/.github/scripts/apple-signing/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -dev-pki -log -signing-identity.txt diff --git a/.github/scripts/apple-signing/cleanup.sh b/.github/scripts/apple-signing/cleanup.sh deleted file mode 100755 index 80b1beba4..000000000 --- a/.github/scripts/apple-signing/cleanup.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env bash -set -eu - -# grab utilities -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -. "$SCRIPT_DIR"/utils.sh - -# cleanup any dev certs left behind -. "$SCRIPT_DIR"/setup-import-cert.sh # defines KEYCHAIN_NAME and KEYCHAIN_PATH -. "$SCRIPT_DIR"/setup-dev.sh -cleanup_dev_signing diff --git a/.github/scripts/apple-signing/notarize.sh b/.github/scripts/apple-signing/notarize.sh deleted file mode 100755 index 0df1d96f0..000000000 --- a/.github/scripts/apple-signing/notarize.sh +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/usr/bin/env bash - -set +xu -if [ -z "$AC_USERNAME" ]; then - exit_with_error "AC_USERNAME not set" -fi - -if [ -z "$AC_PASSWORD" ]; then - exit_with_error "AC_PASSWORD not set" -fi -set -u - - -# notarize [archive-path] -# -notarize() { - binary_path=$1 - archive_path=${binary_path}-archive-for-notarization.zip - - title "archiving release binary into ${archive_path}" - - parent=$(dirname "$binary_path") - ( - cd "${parent}" && zip "${archive_path}" "$(basename ${binary_path})" - ) - - if [ ! -f "$archive_path" ]; then - exit_with_error "cannot find payload for notarization: $archive_path" - fi - - # install gon - which gon || (go install github.com/mitchellh/gon/cmd/gon@latest) - - # create config (note: json via stdin with gon is broken, can only use HCL from file) - hcl_file=$(mktemp).hcl - - cat < "$hcl_file" -notarize { - path = "$archive_path" - bundle_id = "com.anchore.toolbox.syft" -} - -apple_id { - username = "$AC_USERNAME" - password = "@env:AC_PASSWORD" -} -EOF - - gon -log-level info "$hcl_file" - - rm "${hcl_file}" "${archive_path}" -} - diff --git a/.github/scripts/apple-signing/setup-dev.sh b/.github/scripts/apple-signing/setup-dev.sh deleted file mode 100755 index bfc0fe8c7..000000000 --- a/.github/scripts/apple-signing/setup-dev.sh +++ /dev/null 
@@ -1,128 +0,0 @@ -#!/usr/bin/env bash -set -eu - -NAME=syft-dev -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -DIR=$SCRIPT_DIR/dev-pki -FILE_PREFIX=$DIR/$NAME -IDENTITY=${NAME}-id-415d8c69793 - -## OpenSSL material - -KEY_PASSWORD="letthedevin" -P12_PASSWORD="popeofnope" - -KEY_FILE=$FILE_PREFIX-key.pem -CSR_FILE=$FILE_PREFIX-csr.pem -CERT_FILE=$FILE_PREFIX-cert.pem -EXT_FILE=$FILE_PREFIX-ext.cnf -P12_FILE=$FILE_PREFIX.p12 - -EXT_SECTION=codesign_reqext - -# setup_signing -# -# preps the MAC_SIGNING_IDENTITY env var for use in the signing process, using ephemeral developer certificate material -# -function setup_signing() { - # check to see if this has already been done... if so, bail! - set +ue - if security find-identity -p codesigning "$KEYCHAIN_PATH" | grep $IDENTITY ; then - export MAC_SIGNING_IDENTITY=$IDENTITY - commentary "skipping creating dev certificate material (already exists)" - commentary "setting MAC_SIGNING_IDENTITY=${IDENTITY}" - return 0 - fi - set -ue - - title "setting up developer certificate material" - - mkdir -p "${DIR}" - - # configure the openssl extensions - cat << EOF > "$EXT_FILE" - [ req ] - default_bits = 2048 # RSA key size - encrypt_key = yes # Protect private key - default_md = sha256 # MD to use - utf8 = yes # Input is UTF-8 - string_mask = utf8only # Emit UTF-8 strings - prompt = yes # Prompt for DN - distinguished_name = codesign_dn # DN template - req_extensions = $EXT_SECTION # Desired extensions - - [ codesign_dn ] - commonName = $IDENTITY - commonName_max = 64 - - [ $EXT_SECTION ] - keyUsage = critical,digitalSignature - extendedKeyUsage = critical,codeSigning - subjectKeyIdentifier = hash -EOF - - title "create the private key" - openssl genrsa \ - -des3 \ - -out "$KEY_FILE" \ - -passout "pass:$KEY_PASSWORD" \ - 2048 - - title "create the csr" - openssl req \ - -new \ - -key "$KEY_FILE" \ - -out "$CSR_FILE" \ - -passin "pass:$KEY_PASSWORD" \ - -config "$EXT_FILE" \ - -subj 
"/CN=$IDENTITY" - - commentary "verify the csr: we should see X509 v3 extensions for codesigning in the CSR" - openssl req -in "$CSR_FILE" -noout -text | grep -A1 "X509v3" || exit_with_error "could not find x509 extensions in CSR" - - title "create the certificate" - # note: Extensions in certificates are not transferred to certificate requests and vice versa. This means that - # just because the CSR has x509 v3 extensions doesn't mean that you'll see these extensions in the cert output. - # To prove this do: - # openssl x509 -text -noout -in server.crt | grep -A10 "X509v3 extensions:" - # ... and you will see no output (if -extensions is not used). (see https://www.openssl.org/docs/man1.1.0/man1/x509.html#BUGS) - # To get the extensions, use "-extensions codesign_reqext" when creating the cert. The codesign_reqext value matches - # the section name in the ext file used in CSR / cert creation (-extfile and -config). - openssl x509 \ - -req \ - -days 10000 \ - -in "$CSR_FILE" \ - -signkey "$KEY_FILE" \ - -out "$CERT_FILE" \ - -extfile "$EXT_FILE" \ - -passin "pass:$KEY_PASSWORD" \ - -extensions $EXT_SECTION - - commentary "verify the certificate: we should see our extensions" - openssl x509 -text -noout -in "$CERT_FILE" | grep -A1 'X509v3' || exit_with_error "could not find x509 extensions in certificate" - - title "export cert and private key to .p12 file" - # note: this step may be entirely optional, however, I found it useful to follow the prod path which goes the route of using a p12 - openssl pkcs12 \ - -export \ - -out "$P12_FILE" \ - -inkey "$KEY_FILE" \ - -in "$CERT_FILE" \ - -passin "pass:$KEY_PASSWORD" \ - -passout "pass:$P12_PASSWORD" - - # delete the keychain if it already exists - if [ -f "${KEYCHAIN_PATH}" ]; then - cleanup_dev_signing - fi - - import_signing_certificate "$P12_FILE" "$P12_PASSWORD" "$IDENTITY" -} - -function cleanup_dev_signing() { - title "delete the dev keychain and all certificate material" - set -xue - security delete-keychain 
"$KEYCHAIN_NAME" || true - rm -f "$KEYCHAIN_PATH" || true - rm -rf "${DIR}" || true -} diff --git a/.github/scripts/apple-signing/setup-import-cert.sh b/.github/scripts/apple-signing/setup-import-cert.sh deleted file mode 100755 index 518e88b11..000000000 --- a/.github/scripts/apple-signing/setup-import-cert.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/usr/bin/env bash -set -eu - -KEYCHAIN_NAME="syft-ephemeral-keychain" -KEYCHAIN_PATH="$HOME/Library/Keychains/${KEYCHAIN_NAME}-db" - -# import_signing_certificate -# -# imports a cert from a p12 file into a keychain used for codesigning -# -function import_signing_certificate() { - p12_file=$1 - p12_password=$2 - identity=$3 - - keychain_password="$(openssl rand -base64 100)" - - title "create the a new keychain" - - security create-keychain -p "$keychain_password" "$KEYCHAIN_NAME" - security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" - security unlock-keychain -p "$keychain_password" "$KEYCHAIN_PATH" - - if [ ! -f "$KEYCHAIN_PATH" ]; then - exit_with_error "cannot find keychain '$KEYCHAIN_PATH'" - fi - - set +e - if ! security verify-cert -k "$KEYCHAIN_PATH" -c "$p12_file" &> /dev/null; then - set -e - title "import the cert into the new keychain if it is not already trusted by the system" - - # '-t cert' is vital since it side-steps the need for user interaction with "security add-trusted-cert" (which has wider security implications) - security import "$p12_file" -P "$p12_password" -t cert -f pkcs12 -k "$KEYCHAIN_PATH" -T /usr/bin/codesign - - # note: set the partition list for this certificate's private key to include "apple-tool:" and "apple:" allows the codesign command to access this keychain item without an interactive user prompt. 
- security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "$keychain_password" "$KEYCHAIN_PATH" - else - set -e - commentary "...cert has already been imported onto the new keychain" - fi - - commentary "make certain there are identities that can be used for code signing" - security find-identity -p codesigning "$KEYCHAIN_PATH" | grep -C 30 "$identity" || exit_with_error "could not find identity that can be used with codesign" - - title "add the new keychain to the search path for codesign" - add_keychain "$KEYCHAIN_NAME" - - commentary "verify the new keychain can be found by the security sub-system" - security list-keychains | grep "$KEYCHAIN_NAME" || exit_with_error "could not find new keychain" - - export MAC_SIGNING_IDENTITY=$identity - commentary "setting MAC_SIGNING_IDENTITY=${identity}" - -} diff --git a/.github/scripts/apple-signing/setup-prod.sh b/.github/scripts/apple-signing/setup-prod.sh deleted file mode 100755 index 8a9c28539..000000000 --- a/.github/scripts/apple-signing/setup-prod.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/usr/bin/env bash -set -eu - -assert_in_ci - -IDENTITY="Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)" - -set +xu -if [ -z "$APPLE_DEVELOPER_ID_CERT" ]; then - exit_with_error "APPLE_DEVELOPER_ID_CERT not set" -fi - -if [ -z "$APPLE_DEVELOPER_ID_CERT_PASS" ]; then - exit_with_error "APPLE_DEVELOPER_ID_CERT_PASS not set" -fi - -# setup_signing -# -# preps the MAC_SIGNING_IDENTITY env var for use in the signing process, using production certificate material -# -setup_signing() { - title "setting up production certificate material" - - # Write signing certificate to disk from environment variable. - p12_file="$HOME/developer_id_certificate.p12" - echo -n "$APPLE_DEVELOPER_ID_CERT" | base64 --decode > "$p12_file" - - import_signing_certificate "$p12_file" "$APPLE_DEVELOPER_ID_CERT_PASS" "$IDENTITY" - - # Make this new keychain the user's default keychain, so that codesign will be able to find this certificate when we specify it during signing. - security default-keychain -d "user" -s "${KEYCHAIN_PATH}" -} diff --git a/.github/scripts/apple-signing/setup.sh b/.github/scripts/apple-signing/setup.sh deleted file mode 100755 index 937e037b0..000000000 --- a/.github/scripts/apple-signing/setup.sh +++ /dev/null 
@@ -1,48 +0,0 @@ -#!/usr/bin/env bash -set -eu -o pipefail - -IS_SNAPSHOT="$1" - -## grab utilities -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -. "$SCRIPT_DIR"/utils.sh -mkdir -p "$SCRIPT_DIR/log" - -main() { - # defines KEYCHAIN_NAME and KEYCHAIN_PATH - . "$SCRIPT_DIR"/setup-import-cert.sh - - case "$IS_SNAPSHOT" in - - "1" | "true" | "yes") - commentary "assuming development setup..." - . "$SCRIPT_DIR"/setup-dev.sh - ;; - - "0" | "false" | "no") - commentary "assuming production setup..." - . "$SCRIPT_DIR"/setup-prod.sh - ;; - - *) - exit_with_error "could not determine if this was a production build (isSnapshot='$IS_SNAPSHOT')" - ;; - esac - - # load up all signing material into a keychain (note: this should set the MAC_SIGNING_IDENTITY env var) - setup_signing - - # write out identity to a file - echo -n "$MAC_SIGNING_IDENTITY" > "$SCRIPT_DIR/$SIGNING_IDENTITY_FILENAME" -} - -# capture all output from a subshell to log output additionally to a file (as well as the terminal) -( ( - set +u - if [ -n "$SKIP_SIGNING" ]; then - commentary "skipping signing setup..." - else - set -u - main - fi -) 2>&1) | tee "$SCRIPT_DIR/log/setup.txt" \ No newline at end of file diff --git a/.github/scripts/apple-signing/sign.sh b/.github/scripts/apple-signing/sign.sh deleted file mode 100755 index 3838394b9..000000000 --- a/.github/scripts/apple-signing/sign.sh +++ /dev/null 
@@ -1,98 +0,0 @@ -#!/usr/bin/env bash -set -eu -o pipefail - -BINARY_PATH="$1" -IS_SNAPSHOT="$2" -TARGET_NAME="$3" - -## grab utilities -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -. "$SCRIPT_DIR"/utils.sh -mkdir -p "$SCRIPT_DIR/log" - - -# sign_binary [binary-path] [signing-identity] -# -# signs a single binary with cosign -# -sign_binary() { - exe_path=$1 - identity=$2 - - if [ -x "$exe_path" ] && file -b "$exe_path" | grep -q "Mach-O" - then - echo "signing $exe_path ..." - else - echo "skip signing $exe_path ..." - return 0 - fi - - set -x - - codesign \ - -s "$identity" \ - -f \ - --verbose=4 \ - --timestamp \ - --options runtime \ - "$exe_path" - - if [ $? -ne 0 ]; then - exit_with_error "signing failed" - fi - - codesign --verify "$exe_path" --verbose=4 - - set +x -} - - -main() { - binary_abs_path=$(realpath "$BINARY_PATH") - - if [ ! -f "$binary_abs_path" ]; then - echo "archive does not exist: $binary_abs_path" - fi - - case "$IS_SNAPSHOT" in - - "1" | "true" | "yes") - commentary "disabling notarization..." - perform_notarization=false - ;; - - "0" | "false" | "no") - commentary "enabling notarization..." - . "$SCRIPT_DIR"/notarize.sh - perform_notarization=true - ;; - - *) - exit_with_error "could not determine if this was a production build (isSnapshot='$IS_SNAPSHOT')" - ;; - esac - - # grab the signing identity from the local temp file (setup by setup.sh) - MAC_SIGNING_IDENTITY=$(cat "$SCRIPT_DIR/$SIGNING_IDENTITY_FILENAME") - - # sign all of the binaries in the archive and recreate the input archive with the signed binaries - sign_binary "$binary_abs_path" "$MAC_SIGNING_IDENTITY" - - # send all of the binaries off to apple to bless - if $perform_notarization ; then - notarize "$binary_abs_path" - else - commentary "skipping notarization..." 
- fi -} - -# capture all output from a subshell to log output additionally to a file (as well as the terminal) -( ( - set +u - if [ -n "$SKIP_SIGNING" ]; then - commentary "skipping signing..." - else - set -u - main - fi -) 2>&1) | tee "$SCRIPT_DIR/log/signing-$(basename $BINARY_PATH)-$TARGET_NAME.txt" \ No newline at end of file diff --git a/.github/scripts/apple-signing/utils.sh b/.github/scripts/apple-signing/utils.sh deleted file mode 100644 index 8e798df0d..000000000 --- a/.github/scripts/apple-signing/utils.sh +++ /dev/null 
@@ -1,78 +0,0 @@ -SIGNING_IDENTITY_FILENAME=signing-identity.txt - -## terminal goodies -PURPLE='\033[0;35m' -GREEN='\033[0;32m' -RED='\033[0;31m' -BOLD=$(tput -T linux bold) -RESET='\033[0m' - -function success() { - echo -e "\n${GREEN}${BOLD}$@${RESET}" -} - -function title() { - success "Task: $@" -} - -function commentary() { - echo -e "\n${PURPLE}# $@${RESET}" -} - -function error() { - echo -e "${RED}${BOLD}error: $@${RESET}" -} - -function exit_with_error() { - error $@ - exit 1 -} - -function exit_with_message() { - success $@ - exit 0 -} - -function realpath { - echo "$(cd $(dirname $1); pwd)/$(basename $1)"; -} - - -# this function adds all of the existing keychains plus the new one which is the same as going to Keychain Access -# and selecting "Add Keychain" to make the keychain visible under "Custom Keychains". This is done with -# "security list-keychains -s" for some reason. The downside is that this sets the search path, not appends -# to it, so you will loose existing keychains in the search path... which is truly terrible. -function add_keychain() { - keychains=$(security list-keychains -d user) - keychainNames=(); - for keychain in $keychains - do - basename=$(basename "$keychain") - keychainName=${basename::${#basename}-4} - keychainNames+=("$keychainName") - done - - echo "existing user keychains: ${keychainNames[@]}" - - security -v list-keychains -s "${keychainNames[@]}" "$1" -} - -function exit_not_ci() { - printf "WARNING! It looks like this isn't the CI environment. This script modifies the macOS Keychain setup in ways you probably wouldn't want for your own machine. 
It also requires an Apple Developer ID Certificate that you shouldn't have outside of the CI environment.\n\nExiting early to make sure nothing bad happens.\n" - exit 1 -} - -CI_HOME="/Users/runner" - -function assert_in_ci() { - - if [[ "${HOME}" != "${CI_HOME}" ]]; then - exit_not_ci - fi - - set +u - if [ -z "${GITHUB_ACTIONS}" ]; then - exit_not_ci - fi - set -u -} \ No newline at end of file diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2b65918ce..53c616977 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,7 +14,7 @@ env: jobs: quality-gate: environment: release - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v2 @@ -92,8 +92,7 @@ jobs: release: needs: [quality-gate] - # due to our code signing process, it's vital that we run our release steps on macOS - runs-on: macos-latest + runs-on: ubuntu-20.04 permissions: packages: write steps: 
@@ -125,18 +124,28 @@ jobs: if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true' run: make bootstrap + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.TOOLBOX_DOCKER_USER }} + password: ${{ secrets.TOOLBOX_DOCKER_PASS }} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build & publish release artifacts run: make release env: - GITHUB_TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }} - AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }} - # used during macOS code signing - APPLE_DEVELOPER_ID_CERT: ${{ secrets.APPLE_DEVELOPER_ID_CERT }} - APPLE_DEVELOPER_ID_CERT_PASS: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASS }} - # used during macOS notarization - AC_USERNAME: ${{ secrets.ENG_CI_APPLE_ID }} - AC_PASSWORD: ${{ secrets.ENG_CI_APPLE_ID_PASS }} + QUILL_SIGN_P12: ${{ secrets.APPLE_DEVELOPER_ID_CERT }} + QUILL_SIGN_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASS }} + QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }} + QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }} + QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - uses: anchore/sbom-action@v0 continue-on-error: true 
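Review bot: `make release` now authenticates to GitHub with `secrets.GITHUB_TOKEN`, but the job's `permissions:` block (visible in the earlier hunk of this file) grants only `packages: write`, which sets every other scope to none; creating the GitHub release and uploading the `dist/` assets with that token needs `contents: write`, so add it next to `packages: write` unless release publishing has been disabled elsewhere. The same hunk drops `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the step's env while the Makefile's `release` target still runs `update-version-file.sh`; if that script still uploads the version file to S3 it will now fail at release time, so confirm that dependency before merging. Since this step now holds the Apple signing and notarization secrets, consider pinning `docker/login-action@v2` and `anchore/sbom-action@v0` to full commit SHAs rather than mutable tags, e.g. `uses: docker/login-action@<commit-sha>  # v2`.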
@@ -158,43 +167,3 @@ jobs: name: artifacts path: dist/**/* - release-docker-assets: - needs: [release] - # code signing requires we run on mac-os runners. docker does not come installed on the mac-os runner - # a previous release process installed and configured docker on the mac-os runner which lead to blocked releases - # the anchore tools team opted to break this step out to a separate process to remove this work constraint - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-go@v2 - with: - go-version: ${{ env.GO_VERSION }} - - - name: Login to Docker Hub - uses: docker/login-action@v2 - with: - username: ${{ secrets.TOOLBOX_DOCKER_USER }} - password: ${{ secrets.TOOLBOX_DOCKER_PASS }} - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Restore go cache - id: go-cache - uses: actions/cache@v2.1.3 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go-${{ env.GO_VERSION }}- - - - name: (cache-miss) Bootstrap all project dependencies - if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true' - run: make bootstrap - - - name: Build & Publish docker images - run: make release-docker-assets diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 9361429c9..dade5522c 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -2,9 +2,9 @@ release: prerelease: auto draft: false -before: - hooks: - - ./.github/scripts/apple-signing/setup.sh {{ .IsSnapshot }} +env: + # required to support multi architecture docker builds + - DOCKER_CLI_EXPERIMENTAL=enabled builds: - id: linux-build 
@@ -43,10 +43,9 @@ builds: ldflags: *build-ldflags hooks: post: - # we must have signing as a build hook instead of the signs section. The signs section must register a new - # asset, where we want to replace an existing asset. A post-build hook has the advantage of not needing to - # unpackage and repackage a tar.gz with a signed binary - - ./.github/scripts/apple-signing/sign.sh "{{ .Path }}" "{{ .IsSnapshot }}" "{{ .Target }}" + - cmd: .tmp/quill sign-and-notarize "{{ .Path }}" --dry-run={{ .IsSnapshot }} --ad-hoc={{ .IsSnapshot }} -vv + env: + - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log - id: windows-build dir: ./cmd/syft 
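Review bot: The comment explaining why signing is a post-build hook rather than a `signs:` entry was removed together with the old script, leaving the new `cmd:` line undocumented; keep a short comment above it such as `# sign in a post-build hook (not signs:) so the existing binary is replaced in place rather than a new asset being registered`. The hook also hard-codes `.tmp/quill` while the Makefile installs quill into `$(TEMPDIR)/`; if those ever stop being the same directory the hook fails only at release time, so a comment naming that coupling would help. `QUILL_LOG_FILE` points at a fixed, predictable path under `/tmp` and the command runs at `-vv`; confirm that quill's verbose log never contains the P12 password or notary key material before treating that file as shareable CI output.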
@@ -93,3 +92,160 @@ brews: homepage: *website description: *description license: "Apache License 2.0" + +dockers: + - image_templates: + - anchore/syft:debug + - anchore/syft:{{.Tag}}-debug + - ghcr.io/anchore/syft:debug + - ghcr.io/anchore/syft:{{.Tag}}-debug + goarch: amd64 + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/amd64" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:debug-arm64v8 + - anchore/syft:{{.Tag}}-debug-arm64v8 + - ghcr.io/anchore/syft:debug-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 + goarch: arm64 + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/arm64/v8" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:debug-ppc64le + - anchore/syft:{{.Tag}}-debug-ppc64le + - ghcr.io/anchore/syft:debug-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le + goarch: ppc64le + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/ppc64le" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:debug-s390x + - anchore/syft:{{.Tag}}-debug-s390x + - ghcr.io/anchore/syft:debug-s390x + - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x + goarch: s390x + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/s390x" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:latest + - anchore/syft:{{.Tag}} + - 
ghcr.io/anchore/syft:latest + - ghcr.io/anchore/syft:{{.Tag}} + goarch: amd64 + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/amd64" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 + goarch: arm64 + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/arm64/v8" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + goarch: ppc64le + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/ppc64le" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-s390x + - ghcr.io/anchore/syft:{{.Tag}}-s390x + goarch: s390x + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/s390x" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + +docker_manifests: + - name_template: anchore/syft:latest + image_templates: + - anchore/syft:{{.Tag}} + - anchore/syft:{{.Tag}}-arm64v8 + - anchore/syft:{{.Tag}}-ppc64le + - anchore/syft:{{.Tag}}-s390x + + - name_template: anchore/syft:debug + - anchore/syft:{{.Tag}}-debug + - anchore/syft:{{.Tag}}-debug-arm64v8 + - anchore/syft:{{.Tag}}-debug-ppc64le + - anchore/syft:{{.Tag}}-debug-s390x + + - name_template: anchore/syft:{{.Tag}} + image_templates: + - anchore/syft:{{.Tag}} + - anchore/syft:{{.Tag}}-arm64v8 + - 
anchore/syft:{{.Tag}}-ppc64le + - anchore/syft:{{.Tag}}-s390x + + - name_template: ghcr.io/anchore/syft:latest + image_templates: + - ghcr.io/anchore/syft:{{.Tag}} + - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-s390x + + - name_template: ghcr.io/anchore/syft:debug + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-debug + - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x + + - name_template: ghcr.io/anchore/syft:{{.Tag}} + image_templates: + - ghcr.io/anchore/syft:{{.Tag}} + - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-s390x diff --git a/.goreleaser_docker.yaml b/.goreleaser_docker.yaml deleted file mode 100644 index 70d49a2d1..000000000 --- a/.goreleaser_docker.yaml +++ /dev/null 
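Review bot: In `docker_manifests`, the `anchore/syft:debug` entry lists its four per-arch images directly under `name_template:` instead of under an `image_templates:` key, unlike every other entry in the list; as written that manifest has no images, so goreleaser will most likely reject the config or publish an empty manifest for the `debug` tag. Insert `image_templates:` between `- name_template: anchore/syft:debug` and `- anchore/syft:{{.Tag}}-debug` so it matches the `ghcr.io/anchore/syft:debug` entry below it. The same omission was present in the deleted `.goreleaser_docker.yaml`, so it is carried over rather than introduced here, but it now lives in the only remaining config.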
@@ -1,193 +0,0 @@ -# Separate docker configuration to isolate docker dependency away from -# mac-os runner on github actions. -# See: -# https://github.com/anchore/syft/issues/577 -# https://github.com/anchore/syft/issues/519 -# https://github.com/anchore/syft/issues/576 -release: - disable: true - -env: - # required to support multi architecture docker builds - - DOCKER_CLI_EXPERIMENTAL=enabled - -builds: - - id: linux-build - dir: ./cmd/syft - binary: syft - goos: - - linux - goarch: - - amd64 - - arm64 - - ppc64le - - s390x - # set the modified timestamp on the output binary to the git timestamp to ensure a reproducible build - mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}' - env: &build-env - - CGO_ENABLED=0 - ldflags: &build-ldflags | - -w - -s - -extldflags '-static' - -X github.com/anchore/syft/internal/version.version={{.Version}} - -X github.com/anchore/syft/internal/version.gitCommit={{.Commit}} - -X github.com/anchore/syft/internal/version.buildDate={{.Date}} - -X github.com/anchore/syft/internal/version.gitDescription={{.Summary}} - -dockers: - - image_templates: - - anchore/syft:debug - - anchore/syft:{{.Tag}}-debug - - ghcr.io/anchore/syft:debug - - ghcr.io/anchore/syft:{{.Tag}}-debug - goarch: amd64 - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/amd64" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:debug-arm64v8 - - anchore/syft:{{.Tag}}-debug-arm64v8 - - ghcr.io/anchore/syft:debug-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 - goarch: arm64 - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/arm64/v8" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - 
anchore/syft:debug-ppc64le - - anchore/syft:{{.Tag}}-debug-ppc64le - - ghcr.io/anchore/syft:debug-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le - goarch: ppc64le - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/ppc64le" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:debug-s390x - - anchore/syft:{{.Tag}}-debug-s390x - - ghcr.io/anchore/syft:debug-s390x - - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x - goarch: s390x - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/s390x" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:latest - - anchore/syft:{{.Tag}} - - ghcr.io/anchore/syft:latest - - ghcr.io/anchore/syft:{{.Tag}} - goarch: amd64 - dockerfile: Dockerfile - use: buildx - build_flag_templates: - - "--platform=linux/amd64" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:{{.Tag}}-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 - goarch: arm64 - dockerfile: Dockerfile - use: buildx - build_flag_templates: - - "--platform=linux/arm64/v8" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:{{.Tag}}-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-ppc64le - goarch: ppc64le - dockerfile: Dockerfile - use: buildx - build_flag_templates: - - "--platform=linux/ppc64le" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - 
"--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:{{.Tag}}-s390x - - ghcr.io/anchore/syft:{{.Tag}}-s390x - goarch: s390x - dockerfile: Dockerfile - use: buildx - build_flag_templates: - - "--platform=linux/s390x" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - -docker_manifests: - - name_template: anchore/syft:latest - image_templates: - - anchore/syft:{{.Tag}} - - anchore/syft:{{.Tag}}-arm64v8 - - anchore/syft:{{.Tag}}-ppc64le - - anchore/syft:{{.Tag}}-s390x - - - name_template: anchore/syft:debug - - anchore/syft:{{.Tag}}-debug - - anchore/syft:{{.Tag}}-debug-arm64v8 - - anchore/syft:{{.Tag}}-debug-ppc64le - - anchore/syft:{{.Tag}}-debug-s390x - - - name_template: anchore/syft:{{.Tag}} - image_templates: - - anchore/syft:{{.Tag}} - - anchore/syft:{{.Tag}}-arm64v8 - - anchore/syft:{{.Tag}}-ppc64le - - anchore/syft:{{.Tag}}-s390x - - - name_template: ghcr.io/anchore/syft:latest - image_templates: - - ghcr.io/anchore/syft:{{.Tag}} - - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-s390x - - - name_template: ghcr.io/anchore/syft:debug - image_templates: - - ghcr.io/anchore/syft:{{.Tag}}-debug - - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x - - - name_template: ghcr.io/anchore/syft:{{.Tag}} - image_templates: - - ghcr.io/anchore/syft:{{.Tag}} - - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-s390x diff --git a/Makefile b/Makefile index d0df50a92..6579e15d0 100644 --- a/Makefile +++ b/Makefile 
@@ -7,6 +7,8 @@ LINTCMD = $(TEMPDIR)/golangci-lint run --tests=false --timeout=5m --config .gola
 GOIMPORTS_CMD = $(TEMPDIR)/gosimports -local github.com/anchore
 RELEASE_CMD=$(TEMPDIR)/goreleaser release --rm-dist
 SNAPSHOT_CMD=$(RELEASE_CMD) --skip-publish --snapshot
+
+# tool versions
 GOLANGCILINT_VERSION = v1.50.1
 GOSIMPORTS_VERSION = v0.3.4
 BOUNCER_VERSION = v0.4.0
@@ -14,6 +16,7 @@ CHRONICLE_VERSION = v0.4.2
 GORELEASER_VERSION = v1.12.3
 YAJSV_VERSION = v1.4.1
 COSIGN_VERSION = v1.13.1
+QUILL_VERSION = v0.2.0
 
 # formatting variables
 BOLD := $(shell tput -T linux bold)
@@ -114,6 +117,7 @@ $(TEMPDIR):
 
 .PHONY: bootstrap-tools
 bootstrap-tools: $(TEMPDIR)
+ curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b $(TEMPDIR)/ $(QUILL_VERSION)
 GO111MODULE=off GOBIN=$(realpath $(TEMPDIR)) go get -u golang.org/x/perf/cmd/benchstat
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMPDIR)/ $(GOLANGCILINT_VERSION)
 curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b $(TEMPDIR)/ $(BOUNCER_VERSION)
@@ -374,19 +378,6 @@ release: clean-dist CHANGELOG.md
 # upload the version file that supports the application version update check (excluding pre-releases)
 .github/scripts/update-version-file.sh "$(DISTDIR)" "$(VERSION)"
 
-.PHONY: release-docker-assets
-release-docker-assets:
- $(call title,Publishing docker release assets)
-
- # create a config with the dist dir overridden
- echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml
- cat .goreleaser_docker.yaml >> $(TEMPDIR)/goreleaser.yaml
-
- bash -c "\
- $(RELEASE_CMD) \
- --config $(TEMPDIR)/goreleaser.yaml \
- --parallelism 1"
-
 .PHONY: clean
 clean: clean-dist clean-snapshot clean-test-image-cache ## Remove previous builds, result reports, and test cache
 $(call safe_rm_rf_children,$(RESULTSDIR))
diff --git a/syft/pkg/package.go b/syft/pkg/package.go
index 2f0981646..876b789b9 100644
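Review bot: The new `bootstrap-tools` line installs quill by piping `install.sh` fetched from the `main` branch straight into `sh`, so only the binary version (`$(QUILL_VERSION)`) is pinned while the installer itself is mutable, and this target runs inside the release job that holds the code-signing and notarization secrets. It matches the existing golangci-lint and bouncer lines, but for a tool that handles signing material it is worth pinning the installer URL to a commit SHA or verifying a checksum of the downloaded script before executing it, e.g. `https://raw.githubusercontent.com/anchore/quill/<commit-sha>/install.sh`. A one-line comment on `QUILL_VERSION` noting that `.goreleaser.yaml` invokes the tool from a hard-coded `.tmp/quill` path would also document that `$(TEMPDIR)` appears to need to stay in sync with it.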
--- a/syft/pkg/package.go
+++ b/syft/pkg/package.go
@@ -55,6 +55,7 @@ func (p *Package) merge(other Package) error {
 if p.id != other.id {
 return fmt.Errorf("cannot merge packages with different IDs: %q vs %q", p.id, other.id)
 }
+
 if p.PURL != other.PURL {
 log.Warnf("merging packages have with different pURLs: %q=%q vs %q=%q", p.id, p.PURL, other.id, other.PURL)
 }