From 7b6838cdcfd53512a0c94da6f3091418aa860c18 Mon Sep 17 00:00:00 2001
From: Justin Chadwell
Date: Fri, 18 Nov 2022 15:50:16 +0000
Subject: [PATCH] sbom: fix inconsistencies in sbom protocol

This irons a few issues discovered in porting the default sbom scanner to go.

Since we construct the args for the image based on the Entrypoint + Cmd, we shouldn't error out early if no Cmd is set, but only if neither Entrypoint or Cmd are set.

We should also respect the environment variables set in the config, and include those, passing them to the ExecOp as well as the custom-set variables.

We should avoid setting BUILDKIT_SCAN_SOURCE_EXTRAS if no extras have been specified, to simplify the scanning protocol.

Signed-off-by: Justin Chadwell
---
 frontend/attestations/sbom/sbom.go | 37 +++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/frontend/attestations/sbom/sbom.go b/frontend/attestations/sbom/sbom.go
index 668912b40d653..c13ed2b0c4c59 100644
--- a/frontend/attestations/sbom/sbom.go
+++ b/frontend/attestations/sbom/sbom.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"path"
+	"strings"
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/moby/buildkit/client/llb"
@@ -14,6 +15,11 @@ import (
 	"github.com/pkg/errors"
 )
 
+const (
+	srcDir = "/run/src/"
+	outDir = "/run/out/"
+)
+
 // Scanner is a function type for scanning the contents of a state and
 // returning a new attestation and state representing the scan results.
 //
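Review bot: The new `srcDir` and `outDir` constants have no doc comment, and their trailing slashes end up applied inconsistently once they are consumed in the next hunk: `srcDir` only ever goes through `path.Join`, which drops the slash (`/run/src/core`), while `outDir` is concatenated verbatim into `BUILDKIT_SCAN_DESTINATION` and so reaches the scanner as `/run/out/`. Since these values are part of the scanner protocol the commit message describes, the shape they take should be deliberate rather than an artifact of which call site they hit; either drop both slashes (`srcDir = "/run/src"`, `outDir = "/run/out"`) if no scanner image relies on the trailing one, or state in a comment that the trailing slash on `outDir` is intentional. I would document the block with `// srcDir and outDir are the fixed in-container paths of the scanner protocol: the states to scan are mounted under srcDir, and outDir is handed to the scanner as BUILDKIT_SCAN_DESTINATION.` The code that uses these constants is in the following hunk, which continues past the end of this excerpt.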
@@ -38,25 +44,34 @@ func CreateSBOMScanner(ctx context.Context, resolver llb.ImageMetaResolver, scan
 	if err := json.Unmarshal(dt, &cfg); err != nil {
 		return nil, err
 	}
-	if len(cfg.Config.Cmd) == 0 {
+
+	var args []string
+	args = append(args, cfg.Config.Entrypoint...)
+	args = append(args, cfg.Config.Cmd...)
+	if len(args) == 0 {
 		return nil, errors.Errorf("scanner %s does not have cmd", scanner)
 	}
 
 	return func(ctx context.Context, name string, ref llb.State, extras map[string]llb.State) (result.Attestation, llb.State, error) {
-		srcDir := "/run/src/"
-		outDir := "/run/out/"
+		var env []string
+		env = append(env, cfg.Config.Env...)
+		env = append(env, "BUILDKIT_SCAN_DESTINATION="+outDir)
+		env = append(env, "BUILDKIT_SCAN_SOURCE="+path.Join(srcDir, "core"))
+		if len(extras) > 0 {
+			env = append(env, "BUILDKIT_SCAN_SOURCE_EXTRAS="+path.Join(srcDir, "extras/"))
+		}
 
-		args := []string{}
-		args = append(args, cfg.Config.Entrypoint...)
-		args = append(args, cfg.Config.Cmd...)
-		runscan := llb.Image(scanner).Run(
+		opts := []llb.RunOption{
 			llb.Dir(cfg.Config.WorkingDir),
-			llb.AddEnv("BUILDKIT_SCAN_SOURCE", path.Join(srcDir, "core")),
-			llb.AddEnv("BUILDKIT_SCAN_SOURCE_EXTRAS", path.Join(srcDir, "extras/")),
-			llb.AddEnv("BUILDKIT_SCAN_DESTINATION", outDir),
 			llb.Args(args),
-			llb.WithCustomName(fmt.Sprintf("[%s] generating sbom using %s", name, scanner)))
+			llb.WithCustomName(fmt.Sprintf("[%s] generating sbom using %s", name, scanner)),
+		}
+		for _, e := range env {
+			k, v, _ := strings.Cut(e, "=")
+			opts = append(opts, llb.AddEnv(k, v))
+		}
+		runscan := llb.Image(scanner).Run(opts...)
 		runscan.AddMount(path.Join(srcDir, "core"), ref, llb.Readonly)
 		for k, extra := range extras {
 			runscan.AddMount(path.Join(srcDir, "extras", k), extra, llb.Readonly)