Merge pull request #1 from docker/go-port

Port the scanner to Go

Dockerfile

@@ -1,50 +1,26 @@
-#syntax=docker/dockerfile-upstream:master-labs
+#syntax=docker/dockerfile:1
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.1.2 AS xx
 
-FROM golang as build-base
+FROM --platform=$BUILDPLATFORM golang:alpine as build-base
 COPY --link --from=xx / /
+ENV CGO_ENABLED=0
 
 FROM build-base as build
-ARG SYFT_VERSION=b0fc955e0c406a12d8aaddcd8ececda89cbcddce
-ADD https://github.com/anchore/syft.git#${SYFT_VERSION} /syft
-WORKDIR /syft
 ARG TARGETPLATFORM
-ENV CGO_ENABLED=0
+WORKDIR /src
 RUN \
-  --mount=target=/root/.cache,type=cache \
-  xx-go build -ldflags '-extldflags -static' -o /usr/bin/syft ./cmd/syft && \
-  xx-verify --static /usr/bin/syft
-
-FROM alpine:latest
-COPY --from=build /usr/bin/syft /usr/bin/syft
+  --mount=type=bind,target=. \
+  --mount=type=cache,target=/root/.cache <<EOF
+  set -e
 
-COPY <<-"EOF" /entrypoint.sh
-	#!/bin/sh
-	set -e
-
-	env
-
-	scan () {
-		echo "Scanning $1"
-		out="$(basename $1).spdx.json"
-		syft --output spdx-json="/tmp/$out" "$1"
-		cat <<-BUNDLE > "${BUILDKIT_SCAN_DESTINATION}/$out"
-		{
-		  "_type": "https://in-toto.io/Statement/v0.1",
-		  "predicateType": "https://spdx.dev/Document",
-		  "predicate": $(cat "/tmp/$out")
-		}
-		BUNDLE
-	}
-
-	scan "$BUILDKIT_SCAN_SOURCE"
-	if [ -d "${BUILDKIT_SCAN_SOURCE_EXTRAS:?}" ]; then
-		for src in "${BUILDKIT_SCAN_SOURCE_EXTRAS}"/*; do
-			scan "$src"
-		done
-	fi
-
-	find "${BUILDKIT_SCAN_DESTINATION:?}/"
+  PKG=github.com/docker/buildkit-syft-scanner
+  echo "-X ${PKG}/internal.SyftVersion=$(go list -mod=mod -u -m -f '{{.Version}}' 'github.com/anchore/syft')" | tee /tmp/.ldflags
+  xx-go build -ldflags "$(cat /tmp/.ldflags) -extldflags -static" -o /usr/local/bin/syft-scanner ./cmd/syft-scanner
+  xx-verify --static /usr/local/bin/syft-scanner
 EOF
-CMD sh /entrypoint.sh
+
+FROM scratch
+COPY --from=build /usr/local/bin/syft-scanner /bin/syft-scanner
+ENV LOG_LEVEL="warn"
+ENTRYPOINT [ "/bin/syft-scanner" ]

README.md

@@ -1,5 +1,12 @@
 # BuildKit Syft scanner
 
-This repo is a temporary test-bed to test SBOM generation for BuildKit images.
+This repo packages the [Syft scanner](https://github.com/anchore/syft) as a
+[BuildKit SBOM generator](https://github.com/moby/buildkit/pull/2983) to
+include scan results with the output of Docker builds.
 
-This image can be used as part of the functionality described in [SBOM attestations generation](https://github.com/moby/buildkit/pull/2983).
+## Usage
+
+To scan an image during build using [buildctl](https://github.com/moby/buildkit):
+
+    $ buildctl build ... \
+        --output type=image,name=<image>,push=true --opt attest:sbom=generator=docker/buildkit-syft-scanner

cmd/syft-scanner/main.go

@@ -0,0 +1,50 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/anchore/go-logger"
+	"github.com/anchore/go-logger/adapter/logrus"
+	"github.com/anchore/stereoscope"
+	"github.com/anchore/syft/syft"
+	"github.com/docker/buildkit-syft-scanner/internal"
+)
+
+func main() {
+	if err := enableLogs(); err != nil {
+		panic(fmt.Sprintf("unable to initialize logger: %+v", err))
+	}
+
+	scanner, err := internal.NewScannerFromEnvironment()
+	if err != nil {
+		panic(err)
+	}
+	if err := scanner.Scan(); err != nil {
+		panic(err)
+	}
+}
+
+const (
+	envLogLevel = "LOG_LEVEL"
+)
+
+func enableLogs() error {
+	level, ok := os.LookupEnv(envLogLevel)
+	if !ok {
+		level = "warn"
+	}
+
+	cfg := logrus.Config{
+		EnableConsole: true,
+		Level:         logger.Level(level),
+	}
+	logWrapper, err := logrus.New(cfg)
+	if err != nil {
+		return err
+	}
+	syft.SetLogger(logWrapper)
+	stereoscope.SetLogger(logWrapper.Nested("from-lib", "stereoscope"))
+
+	return nil
+}

go.mod

@@ -0,0 +1,119 @@
+module github.com/docker/buildkit-syft-scanner
+
+go 1.19
+
+require (
+	github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8
+	github.com/anchore/stereoscope v0.0.0-20221006201143-d24c9d626b33
+	github.com/anchore/syft v0.60.3
+	github.com/in-toto/in-toto-golang v0.4.1-0.20221018183522-731d0640b65f
+	github.com/pkg/errors v0.9.1
+)
+
+require (
+	github.com/CycloneDX/cyclonedx-go v0.5.2 // indirect
+	github.com/DataDog/zstd v1.4.5 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/acobaugh/osrelease v0.1.0 // indirect
+	github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb // indirect
+	github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7 // indirect
+	github.com/andybalholm/brotli v1.0.4 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.0.2 // indirect
+	github.com/containerd/containerd v1.6.8 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
+	github.com/docker/cli v20.10.17+incompatible // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/docker v20.10.17+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-units v0.4.0 // indirect
+	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/dustin/go-humanize v1.0.0 // indirect
+	github.com/facebookincubator/nvdtools v0.1.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.0 // indirect
+	github.com/go-restruct/restruct v1.2.0-alpha // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-containerregistry v0.11.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/jinzhu/copier v0.3.2 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/klauspost/pgzip v1.2.5 // indirect
+	github.com/knqyf263/go-rpmdb v0.0.0-20221030135625-4082a22221ce // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/mholt/archiver/v3 v3.5.1 // indirect
+	github.com/microsoft/go-rustaudit v0.0.0-20220730194248-4b17361d90a5 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/nwaples/rardecode v1.1.0 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pierrec/lz4/v4 v4.1.15 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.8.0 // indirect
+	github.com/sassoftware/go-rpmutils v0.2.0 // indirect
+	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/spdx/tools-golang v0.2.0 // indirect
+	github.com/spf13/afero v1.8.2 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/sylabs/sif/v2 v2.8.1 // indirect
+	github.com/sylabs/squashfs v0.6.1 // indirect
+	github.com/therootcompany/xz v1.0.1 // indirect
+	github.com/ulikunitz/xz v0.5.10 // indirect
+	github.com/vbatts/go-mtree v0.5.0 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/vifraa/gopom v0.1.0 // indirect
+	github.com/wagoodman/go-partybus v0.0.0-20210627031916-db1f5573bbc5 // indirect
+	github.com/wagoodman/go-progress v0.0.0-20200731105512-1020f39e6240 // indirect
+	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
+	go.uber.org/goleak v1.2.0 // indirect
+	golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+	golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458 // indirect
+	golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 // indirect
+	golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec // indirect
+	golang.org/x/term v0.0.0-20220919170432-7a66f970e087 // indirect
+	golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect
+	golang.org/x/tools v0.1.12 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e // indirect
+	google.golang.org/grpc v1.50.1 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gotest.tools/v3 v3.1.0 // indirect
+	lukechampine.com/uint128 v1.1.1 // indirect
+	modernc.org/cc/v3 v3.36.0 // indirect
+	modernc.org/ccgo/v3 v3.16.6 // indirect
+	modernc.org/libc v1.16.7 // indirect
+	modernc.org/mathutil v1.4.1 // indirect
+	modernc.org/memory v1.1.1 // indirect
+	modernc.org/opt v0.1.1 // indirect
+	modernc.org/sqlite v1.17.3 // indirect
+	modernc.org/strutil v1.1.1 // indirect
+	modernc.org/token v1.0.0 // indirect
+)