sbom: fix inconsistencies in sbom protocol

This irons a few issues discovered in porting the default sbom scanner to go. Since we construct the args for the image based on the Entrypoint + Cmd, we shouldn't error out early if no Cmd is set, but only if neither Entrypoint or Cmd are set. We should also respect the environment variables set in the config, and include those, passing them to the ExecOp as well as the custom-set variables. We should avoid setting BUILDKIT_SCAN_SOURCE_EXTRAS if no extras have been specified, to simplify the scanning protocol. Signed-off-by: Justin Chadwell <me@jedevc.com>
moby · Nov 21, 2022 · 7b6838c · 7b6838c
1 parent 41c989c
commit 7b6838c
Showing 1 changed file with 26 additions and 11 deletions.
diff --git a/frontend/attestations/sbom/sbom.go b/frontend/attestations/sbom/sbom.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"path"
+	"strings"
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/moby/buildkit/client/llb"
@@ -14,6 +15,11 @@ import (
 	"github.com/pkg/errors"
 )
 
+const (
+	srcDir = "/run/src/"
+	outDir = "/run/out/"
+)
+
 // Scanner is a function type for scanning the contents of a state and
 // returning a new attestation and state representing the scan results.
 //
@@ -38,25 +44,34 @@ func CreateSBOMScanner(ctx context.Context, resolver llb.ImageMetaResolver, scan
 	if err := json.Unmarshal(dt, &cfg); err != nil {
 		return nil, err
 	}
-	if len(cfg.Config.Cmd) == 0 {
+
+	var args []string
+	args = append(args, cfg.Config.Entrypoint...)
+	args = append(args, cfg.Config.Cmd...)
+	if len(args) == 0 {
 		return nil, errors.Errorf("scanner %s does not have cmd", scanner)
 	}
 
 	return func(ctx context.Context, name string, ref llb.State, extras map[string]llb.State) (result.Attestation, llb.State, error) {
-		srcDir := "/run/src/"
-		outDir := "/run/out/"
+		var env []string
+		env = append(env, cfg.Config.Env...)
+		env = append(env, "BUILDKIT_SCAN_DESTINATION="+outDir)
+		env = append(env, "BUILDKIT_SCAN_SOURCE="+path.Join(srcDir, "core"))
+		if len(extras) > 0 {
+			env = append(env, "BUILDKIT_SCAN_SOURCE_EXTRAS="+path.Join(srcDir, "extras/"))
+		}
 
-		args := []string{}
-		args = append(args, cfg.Config.Entrypoint...)
-		args = append(args, cfg.Config.Cmd...)
-		runscan := llb.Image(scanner).Run(
+		opts := []llb.RunOption{
 			llb.Dir(cfg.Config.WorkingDir),
-			llb.AddEnv("BUILDKIT_SCAN_SOURCE", path.Join(srcDir, "core")),
-			llb.AddEnv("BUILDKIT_SCAN_SOURCE_EXTRAS", path.Join(srcDir, "extras/")),
-			llb.AddEnv("BUILDKIT_SCAN_DESTINATION", outDir),
 			llb.Args(args),
-			llb.WithCustomName(fmt.Sprintf("[%s] generating sbom using %s", name, scanner)))
+			llb.WithCustomName(fmt.Sprintf("[%s] generating sbom using %s", name, scanner)),
+		}
+		for _, e := range env {
+			k, v, _ := strings.Cut(e, "=")
+			opts = append(opts, llb.AddEnv(k, v))
+		}
 
+		runscan := llb.Image(scanner).Run(opts...)
 		runscan.AddMount(path.Join(srcDir, "core"), ref, llb.Readonly)
 		for k, extra := range extras {
 			runscan.AddMount(path.Join(srcDir, "extras", k), extra, llb.Readonly)