scanner: fix syft versioning to be set at compile-time

Signed-off-by: Justin Chadwell <me@jedevc.com>
docker · Nov 21, 2022 · ebb5344 · ebb5344
1 parent 74b810e
commit ebb5344
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 19 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -11,9 +11,14 @@ ARG TARGETPLATFORM
 WORKDIR /src
 RUN \
   --mount=type=bind,target=. \
-  --mount=type=cache,target=/root/.cache \
-  xx-go build -ldflags '-extldflags -static' -o /usr/local/bin/syft-scanner ./cmd/syft-scanner && \
+  --mount=type=cache,target=/root/.cache <<EOF
+  set -e
+
+  PKG=github.com/docker/buildkit-syft-scanner
+  echo "-X ${PKG}/internal.SyftVersion=$(go list -mod=mod -u -m -f '{{.Version}}' 'github.com/anchore/syft')" | tee /tmp/.ldflags
+  xx-go build -ldflags "$(cat /tmp/.ldflags) -extldflags -static" -o /usr/local/bin/syft-scanner ./cmd/syft-scanner
   xx-verify --static /usr/local/bin/syft-scanner
+EOF
 
 FROM scratch
 COPY --from=build /usr/local/bin/syft-scanner /bin/syft-scanner

diff --git a/README.md b/README.md
@@ -9,4 +9,4 @@ include scan results with the output of Docker builds.
 To scan an image during build using [buildctl](https://github.com/moby/buildkit):
 
     $ buildctl build ... \
-        --output type=image,name=<image>,push=true --opt attest:sbom=generator=jedevc/buildkit-syft-scanner
+        --output type=image,name=<image>,push=true --opt attest:sbom=generator=docker/buildkit-syft-scanner
diff --git a/cmd/syft-scanner/main.go b/cmd/syft-scanner/main.go
@@ -8,7 +8,7 @@ import (
 	"github.com/anchore/go-logger/adapter/logrus"
 	"github.com/anchore/stereoscope"
 	"github.com/anchore/syft/syft"
-	"github.com/jedevc/buildkit-syft-scanner/internal"
+	"github.com/docker/buildkit-syft-scanner/internal"
 )
 
 func main() {

diff --git a/go.mod b/go.mod
@@ -1,4 +1,4 @@
-module github.com/jedevc/buildkit-syft-scanner
+module github.com/docker/buildkit-syft-scanner
 
 go 1.19
 

diff --git a/internal/target.go b/internal/target.go
@@ -3,7 +3,6 @@ package internal
 import (
 	"fmt"
 	"path/filepath"
-	"runtime/debug"
 
 	"github.com/anchore/syft/syft"
 	"github.com/anchore/syft/syft/pkg/cataloger"
@@ -38,7 +37,7 @@ func (t Target) Scan() (sbom.SBOM, error) {
 		Source: src.Metadata,
 		Descriptor: sbom.Descriptor{
 			Name:    "syft",
-			Version: syftVersion(),
+			Version: SyftVersion,
 		},
 	}
 
@@ -54,16 +53,8 @@ func (t Target) Scan() (sbom.SBOM, error) {
 	return result, nil
 }
 
-func syftVersion() string {
-	info, ok := debug.ReadBuildInfo()
-	if !ok {
-		return "unknown"
-	}
+const defaultSyftVersion = "[not provided]"
 
-	for _, dep := range info.Deps {
-		if dep.Path == "github.com/anchore/syft" {
-			return dep.Version
-		}
-	}
-	return "unknown"
-}
+var (
+	SyftVersion = defaultSyftVersion
+)