
Releases: crashappsec/chalk

v0.5.1

17 Jan 17:03
d0d57d5

Download binaries at https://crashoverride.com/downloads


Fixes

  • For docker build, --platform was not honored when pinning base images. (#468)
  • _REPO_URLS was not extracting the org.opencontainers.image.url annotation correctly. (#468)

Commits since the previous tag: v0.5.0...v0.5.1

v0.5.0

08 Jan 23:35
7eb556c

Download binaries at https://crashoverride.com/downloads


Breaking Changes

  • Changes to docker-image-related fields.

    Removed keys:

    • _IMAGE_DIGEST - there are cases in which the image digest is mutated. For example, docker pull && docker push drops all manifest annotations, which changes the digest. It is recommended to use _REPO_DIGESTS instead, as it includes all digests per repository.
    • _IMAGE_LIST_DIGEST - it is possible to create manifests outside the build context, which results in multiple list manifests for the same image. The new _REPO_LIST_DIGESTS key provides a list of all digests per repository.

    Changed keys:

    • _REPO_DIGESTS previously (and incorrectly) returned only the first registry and the image digest. This key now provides a list of image digests by registry and image name.

      Before:

      {
        // old format
        "_REPO_DIGESTS": {
          "224111541501.dkr.ecr.us-east-1.amazonaws.com/co/chalketl/scripts": "249ce02d7f5fe0398fc87c2fb6c225ef78912f038f4be4fe9c35686082fe3cb0"
        }
      }

      Now:

      {
        // new format
        "_REPO_DIGESTS": {
          "registry-1.docker.io": {
            "library/alpine": [
              "029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85"
            ]
          }
        }
      }
    • _REPO_TAGS now includes tags which are only available in the registry. Builds without --push, even when provided with --tag, no longer populate _REPO_TAGS. In addition, similarly to _REPO_DIGESTS, it is now an object where each tag is associated with its digest (either a list or an image digest). For example:

      {
        "_REPO_TAGS": {
          "registry-1.docker.io": {
            "library/alpine": {
              "latest": "1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a"
            }
          }
        }
      }
    • DOCKER_BASE_IMAGES - sub-keys:

      • name renamed to uri; contains the full repository URI (including tag and digest)
      • new registry key; the normalized registry URI (domain and optional port)
      • new name key; the normalized repo name within the registry

      Before:

      // old format
      {
        "from": "nginx:1.27.0",
        "tag": "1.27.0",
        "name": "nginx:1.27.0",
        "repo": "nginx"
      }

      Now:

      // new format
      {
        "from": "nginx:1.27.0@sha256:97b83c73d3165f2deb95e02459a6e905f092260cd991f4c4eae2f192ddb99cbe",
        "uri": "nginx:1.27.0@sha256:97b83c73d3165f2deb95e02459a6e905f092260cd991f4c4eae2f192ddb99cbe",
        "repo": "nginx",
        "registry": "registry-1.docker.io",
        "name": "library/nginx",
        "tag": "1.27.0",
        "digest": "97b83c73d3165f2deb95e02459a6e905f092260cd991f4c4eae2f192ddb99cbe"
      }
    • DOCKER_COPY_IMAGES - similar to DOCKER_BASE_IMAGES, the name key has been renamed to uri and adds the registry and name keys.

    New keys:

    • _REPO_LIST_DIGESTS - similar to _REPO_DIGESTS but enumerates any known list digests. Example:

      {
        "_REPO_LIST_DIGESTS": {
          "registry-1.docker.io": {
            "library/alpine": [
              "1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a"
            ]
          }
        }
      }
    • _REPO_URLS - similar to _REPO_DIGESTS but shows the human-accessible URL, if known from the OCI image annotation or computed for Docker Hub images. Example:

      {
        "_REPO_URLS": {
          "registry-1.docker.io": {
            "library/alpine": "https://hub.docker.com/_/alpine"
          }
        }
      }

    NOTE: All _REPO_* keys normalize the registry to its canonical domain. For example, Docker Hub is normalized to registry-1.docker.io. Additionally, all image names are normalized to how they are stored in the registry. Note the library/ prefix for alpine in the examples above.

    (#450, #453, #464)
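As an added example (not chalk's own code), the Python below reproduces the normalization described above for a single image reference, yielding the registry/name/tag/digest fields a DOCKER_BASE_IMAGES entry now carries, and classifies each _REPO_TAGS entry against the new nested _REPO_LIST_DIGESTS / _REPO_DIGESTS keys. The sample report is constructed from the digests quoted in this release note; the Docker Hub alias handling (docker.io, index.docker.io) is an assumption about how references are written, not something the note states.

```python
# Docker Hub's canonical registry domain as chalk reports it (from these release notes).
DOCKER_HUB = "registry-1.docker.io"
# Assumption: these spellings of Docker Hub in a reference all mean the canonical domain.
HUB_ALIASES = {"docker.io", "index.docker.io", DOCKER_HUB}

def parse_image_ref(ref: str) -> dict:
    """Split an image reference into the normalized fields a DOCKER_BASE_IMAGES
    entry now carries: registry, name (library/ prefix for official images), tag, digest."""
    digest = None
    if "@sha256:" in ref:
        ref, digest = ref.split("@sha256:", 1)
    first, sep, rest = ref.partition("/")
    # The leading path component is a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DOCKER_HUB, ref
    if registry in HUB_ALIASES:
        registry = DOCKER_HUB
    name, tag = path, "latest"
    if ":" in path.rsplit("/", 1)[-1]:   # a tag follows the last ":" after the last "/"
        name, tag = path.rsplit(":", 1)
    if registry == DOCKER_HUB and "/" not in name:
        name = "library/" + name          # official images are stored under library/
    return {"registry": registry, "name": name, "tag": tag, "digest": digest}

def classify_tags(report: dict) -> dict:
    """Map 'registry/name:tag' to 'list', 'image' or 'unknown' by looking the tag's
    digest up in the new nested _REPO_LIST_DIGESTS / _REPO_DIGESTS keys."""
    out = {}
    for registry, repos in report.get("_REPO_TAGS", {}).items():
        for name, tags in repos.items():
            lists = set(report.get("_REPO_LIST_DIGESTS", {}).get(registry, {}).get(name, []))
            images = set(report.get("_REPO_DIGESTS", {}).get(registry, {}).get(name, []))
            for tag, digest in tags.items():
                kind = "list" if digest in lists else "image" if digest in images else "unknown"
                out[f"{registry}/{name}:{tag}"] = kind
    return out

# Constructed sample report using the alpine digests quoted in this release note.
SAMPLE_REPORT = {
    "_REPO_DIGESTS": {DOCKER_HUB: {"library/alpine": [
        "029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85"]}},
    "_REPO_LIST_DIGESTS": {DOCKER_HUB: {"library/alpine": [
        "1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a"]}},
    "_REPO_TAGS": {DOCKER_HUB: {"library/alpine": {
        "latest": "1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a"}}},
}
```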

  • Git time-related fields are now reported in ISO-8601 format, whereas previously they were reported in git's default format.

    Before:

    {
      "DATE_AUTHORED": "Tue Dec 10 11:46:06 2024 -0500",
      "DATE_COMMITTED": "Tue Dec 10 11:46:06 2024 -0500",
      "DATE_TAGGED": "Tue Dec 10 11:46:06 2024 -0500"
    }

    Now:

    {
      "DATE_AUTHORED": "2024-12-10T16:46:06.000Z",
      "DATE_COMMITTED": "2024-12-10T18:49:00.000Z",
      "DATE_TAGGED": "2024-12-10T18:49:00.000Z"
    }

    This also affects all host-level keys in addition to chalk-level keys:

    • DATE_AUTHORED
    • DATE_COMMITTED
    • DATE_TAGGED
    • _DATE_AUTHORED
    • _DATE_COMMITTED
    • _DATE_TAGGED

    To make parsing easier, in addition to the human-readable DATE_* fields, new TIMESTAMP_* fields are added which report milliseconds since the Unix epoch:

    {
      "DATE_AUTHORED": "2024-12-10T16:46:06.000Z",
      "DATE_COMMITTED": "2024-12-10T18:49:00.000Z",
      "DATE_TAGGED": "2024-12-10T18:49:00.000Z",
      "TIMESTAMP_AUTHORED": 1733849166000,
      "TIMESTAMP_COMMITTED": 1733856540000,
      "TIMESTAMP_TAGGED": 1733856540000
    }

    (#458)

  • All datetime fields are now reported in UTC, whereas previously they were reported in the machine's local TZ (#458)
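As an added example (not chalk's own code) covering both the format change and the new TIMESTAMP_* fields, this Python converts an old git-default timestamp to the new ISO-8601 UTC form and checks every DATE_*/TIMESTAMP_* pair of a report for agreement. The sample report is constructed from the values quoted above; that host-level _DATE_* keys have matching _TIMESTAMP_* partners is an assumption.

```python
from datetime import datetime, timezone

# git's default date layout, e.g. "Tue Dec 10 11:46:06 2024 -0500" (pre-v0.5.0 output)
GIT_DEFAULT_FORMAT = "%a %b %d %H:%M:%S %Y %z"

def git_default_to_iso(value: str) -> str:
    """Render a git-default timestamp the way v0.5.0 reports it: ISO-8601 in UTC."""
    dt = datetime.strptime(value, GIT_DEFAULT_FORMAT).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")

def iso_to_epoch_ms(value: str) -> int:
    """Milliseconds since the Unix epoch for an ISO-8601 string with a trailing Z."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return round(dt.timestamp() * 1000)

def timestamp_mismatches(report: dict) -> dict:
    """Compare each DATE_* (or _DATE_*, assumed to pair with _TIMESTAMP_*) key with
    its TIMESTAMP_* partner. Returns {date_key: (computed_ms, reported_ms)} for
    pairs that disagree or where the partner is missing."""
    bad = {}
    for key, value in report.items():
        prefix = "_" if key.startswith("_") else ""
        bare = key[len(prefix):]
        if not bare.startswith("DATE_"):
            continue
        ts_key = prefix + "TIMESTAMP_" + bare[len("DATE_"):]
        computed = iso_to_epoch_ms(value)
        if report.get(ts_key) != computed:
            bad[key] = (computed, report.get(ts_key))
    return bad

# Constructed sample report using the values from the v0.5.0 example above.
SAMPLE_REPORT = {
    "DATE_AUTHORED": "2024-12-10T16:46:06.000Z",
    "DATE_COMMITTED": "2024-12-10T18:49:00.000Z",
    "DATE_TAGGED": "2024-12-10T18:49:00.000Z",
    "TIMESTAMP_AUTHORED": 1733849166000,
    "TIMESTAMP_COMMITTED": 1733856540000,
    "TIMESTAMP_TAGGED": 1733856540000,
}
```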

Fixes

  • DOCKERFILE_PATH_WITHIN_VCTL key is no longer reported when providing Dockerfile contents via stdin (#454).

  • Git time-related fields now report an accurate timezone. Previously the reported commit TZ did not match what git recorded for the commit. (#458)

  • _OP_ERRORS includes all logs from the chalkmark's ERR_INFO, even when its collection fails (#459)

  • docker buildx build without either --push or --load now reports its chalkmarks. These chalkmarks, however, are missing any runtime keys, as those cannot be inspected when the image is neither pushed to a registry nor loaded into the local daemon. Such an image is normally inaccessible, but it is still in the buildx cache and can therefore be used in subsequent builds. (#459)

New Features

  • Chalk pins base images in Dockerfile. For example:

    FROM alpine

    Will be pinned to:

    FROM alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d

    This makes docker build deterministic and avoids any possible race condition between chalk looking up metadata about the base image and the actual docker build. (#449)
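As an added defender's check (example code, not chalk's own), the Python below reports the FROM references in a Dockerfile that are not pinned by digest, which is the property the pinning above establishes; stage aliases and scratch are skipped because they are not registry images. The sample Dockerfile is constructed and reuses the alpine digest quoted above.

```python
import re

# FROM [--flag ...] <ref> [AS <alias>]   (flags such as --platform=... are allowed)
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$", re.IGNORECASE)
PINNED_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_base_images(dockerfile: str) -> list:
    """Return the FROM references that carry no @sha256 digest.
    Earlier stage names (FROM ... AS build / FROM build) and scratch are not
    registry images, so they are never reported. A FROM that uses an ARG
    (FROM ${BASE}) cannot be resolved statically and is reported as unpinned."""
    stages, unpinned = set(), []
    for line in dockerfile.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("alias"):
            stages.add(m.group("alias").lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        if not PINNED_RE.search(ref):
            unpinned.append(ref)
    return unpinned

# Constructed sample: one pinned stage, one unpinned stage, plus alias and scratch stages.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM --platform=linux/amd64 alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d AS build
RUN echo hello > /out
FROM nginx:1.27.0
COPY --from=build /out /usr/share/nginx/html/index.html
FROM build AS test
FROM scratch
COPY --from=build /out /out
"""
```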

  • Docker annotations new keys:

    • DOCKER_ANNOTATIONS - all --annotations used in the docker build
    • _IMAGE_ANNOTATIONS - annotations found for an image in the registry

    (#452)

  • Docker base image keys:

    • _OP_ARTIFACT_CONTEXT - the context of the artifact. For docker build it is either build or base.
    • DOCKER_BASE_IMAGE_REGISTRY - just the registry of the base image
    • DOCKER_BASE_IMAGE_NAME - repo name within the registry
    • DOCKER_BASE_IMAGE_ID - image id (config digest) of the base image
    • DOCKER_BASE_IMAGE_METADATA_ID - id of the base image chalkmark
    • DOCKER_BASE_IMAGE_CHALK - full chalkmark of the base image
    • _COLLECTED_ARTIFACTS - similar to _CHALKS but reports collected information about potentially non-chalked artifacts such as the base image. If the base image is chalked it can be correlated with the build chalkmark via METADATA_ID. Otherwise both artifacts can be linked via the digest or the image id.

    (#453, #463)

  • _IMAGE_LAYERS key which collects image layer digests as stored in the registry. This should allow correlating base images by matching layer combinations from other images. (#456)

  • _DOCKER_USED_REGISTRIES - Configuration of all docker registries used during the chalk operation. For example:

    {
      "_DOCKER_USED_REGISTRIES": {
        "example.com:5044": {
          "url": "https://example.com:5044/v2/",
          "mirroring": "registry-1.docker.io",
          "source": "buildx",
          "scheme": "https",
          "http": false,
          "secure": true,
          "insecure": false,
          "auth": true,
          "www_auth": false,
          "pinned_cert_path": "/etc/buildkit/certs/example_com_5044/ca.crt",
          "pinned_cert": "-----BEGIN CERTIFICATE-----\n..."
        }
      }
    }

    (#461)


Commits since the previous tag: v0.4.14...v0.5.0

v0.4.14

11 Nov 17:46
e71a215

Download binaries at https://crashoverride.com/downloads


Breaking Changes

  • Changes in the embed attestation provider configuration. Removed the attestation_key_embed.location configuration. It is replaced with these configurations:

    • attestation_key_embed.filename
    • attestation_key_embed.save_path
    • attestation_key_embed.get_paths

    This separates the paths where chalk setup looks up keys from the path where chalk saves a generated key. It also allows looking up keys relative to the chalk binary, which is better suited for CI workflows where adding additional files to the current working directory might not be desirable. (#445)

  • chalk setup requires an interactive shell to generate new key material. This avoids accidentally generating new keys in CI. (#447)

Fixes

  • When running semgrep, it is always added to PATH, as otherwise semgrep is not able to find the pysemgrep folder. (#439)
  • Docker pushing non-chalked images did not report metsys plugin keys such as _EXIT_CODE and _CHALK_RUN_TIME. (#438)
  • External tools for non-file artifacts (e.g. docker images) sent duplicate keys at both the report level and the chalk-mark level. For example, the SBOM key with equivalent content was duplicated. (#440)
  • Memory leak in HTTP wrappers in nimutils. This mostly manifested in chalk exec when heartbeats were enabled, as roughly each heartbeat would increase the memory footprint by ~1Mb. (#443)

New Features

  • _EXEC_ID key which is unique for each chalk execution and shared by all commands while the chalk process is alive. For example, it sends consistent values for both exec and heartbeat reports, allowing both reports to be tied together.
  • heartbeat report template. It is a minimal reporting template which is now used as the default report template for all heartbeat reports. The main purpose of a heartbeat is to indicate liveness, hence the minimal report. All other metadata should be collected as part of the exec report instead.

Commits since the previous tag: v0.4.13...v0.4.14

v0.4.13

10 Oct 22:47
712b4e0

Download binaries at https://crashoverride.com/downloads


New Features

  • _OP_EXIT_CODE key which reports the exit code of external commands, such as for chalk docker build. (#417)

  • _OP_CLOUD_SYS_VENDOR key for reporting the sys vendor file content used to identify the cloud provider. (#418)

  • FAILED_KEYS and _OP_FAILED_KEYS - metadata keys which chalk could not collect metadata for. (#422) Each key contains:

    • code - short identifiable code of a known error
    • message - exact encountered error/exception message
    • description - human-readable description of the error with additional context how to potentially resolve it
  • _NETWORK_PARTIAL_TRACEROUTE_IPS - collects local network subnet IPs even when running inside a docker network-namespaced container (not using --network=host) (#425)

  • DOCKERFILE_PATH_WITHIN_VCTL key reports the path of a Dockerfile relative to the VCS' project root. (#426)


Commits since the previous tag: v0.4.12...v0.4.13

v0.4.12

29 Aug 19:51
1dbf531

Download binaries at https://crashoverride.com/downloads


Breaking Changes

  • Removing attestation_key_backup provider. It was an experimental service which is discontinued in favor of other attestation providers. (#411)

Fixes

  • conffile plugin was sending some empty keys instead of skipping them during reporting. It now matches the behavior of other plugins, which ignore empty keys. (#412)
  • AWS instance is determined from the board_asset_tag file when present. This allows reporting _AWS_INSTANCE_ID even when the cloud metadata endpoint is not reachable. (#413)
  • Reporting AWS Lambda function ARNs for non-us-east-1 regions. Previously the global STS AWS endpoint was used, which cannot serve STS get-caller-identity for other AWS regions. (#414)

Commits since the previous tag: v0.4.11...v0.4.12

v0.4.11

13 Aug 23:17
336ee91

Download binaries at https://crashoverride.com/downloads


Fixes

  • docker run-time host metadata collection was failing for non-build commands such as docker push. (#399)
  • procfs plugin was throwing an exception while parsing /proc/net/dev to populate the _OP_IPV[4/6]_INTERFACES keys. (#399)
  • _IMAGE_DIGEST is sent for docker push when buildx is not available. Normally chalk needs to validate the type of the manifest in the registry (image or list), which is currently done via buildx imagetools. When buildx is missing and the operation was docker push, the pushed image can only be an image manifest, as only buildx supports list manifests. (#401)
  • _REPO_DIGESTS was reported even when the image digest was not known during buildx-enabled docker builds. (#402)
  • METADATA_ID and METADATA_HASH were incorrectly computed for all docker push operations. (#403)

Commits since the previous tag: v0.4.10...v0.4.11

v0.4.10

05 Aug 22:46
9786899

Download binaries at https://crashoverride.com/downloads


Fixes

  • Fixing ENTRYPOINT wrapping for empty-like definitions (#396):

    • ENTRYPOINT
    • ENTRYPOINT []
    • ENTRYPOINT [""]

    Now chalk correctly parses and wraps these as appropriate depending on the use of buildkit.

Other

  • Increasing the cloud metadata endpoint collection timeout from 500ms to 1sec, as in some cases it takes longer than 500ms to get a response. (#388)
  • Not showing the exec report when chalk is running in an interactive shell. (#390)
  • Not showing any chalk exec logs when running in an interactive shell. (#394)

Commits since the previous tag: v0.4.9...v0.4.10

v0.4.9

30 Jul 21:49
5237560

Download binaries at https://crashoverride.com/downloads


Fixes

  • When the base image is already wrapped by chalk, ENTRYPOINT was recursively wrapped. This broke image runtime as it was always exiting with a non-zero exit code. (#385)

New Features

  • docker build and docker push now use the mark_default chalk template instead of minimal. As such, basic metadata about the repository is now included by default in the chalk mark (e.g. /chalk.json), such as the repository origin and commit ID. (#380)

  • New chalk keys (#382):

    • DOCKER_TARGET - The name of the target being built in the Dockerfile
    • DOCKER_BASE_IMAGES - The breakdown of all base images across all sections of the Dockerfile
    • DOCKER_COPY_IMAGES - The breakdown of all external COPY --from across all sections of the Dockerfile

Commits since the previous tag: v0.4.8...v0.4.9

v0.4.8

12 Jul 16:31
f93baab

Download binaries at https://crashoverride.com/downloads


Fixes

  • A chalk report would previously omit the _OP_CLOUD_PROVIDER and _OP_CLOUD_PROVIDER_SERVICE_TYPE keys when (#362, #370):

    • No other instance metadata key (e.g. _GCP_INSTANCE_METADATA or _OP_CLOUD_PROVIDER_IP) was subscribed.
    • The instance metadata service couldn't be reached, or returned invalid data.
  • _OP_ERRORS was missing any logs/errors from plugins. The key was collected by the system plugin, which is executed first. The key is now populated by the metsys plugin, which is executed last. (#369)


Commits since the previous tag: v0.4.7...v0.4.8

v0.4.7

24 Jun 22:58
83e73d8

Download binaries at https://crashoverride.com/downloads


Fixes

  • The docker build --metadata-file flag is only added when using buildx >= 0.6.0. In addition, the flag is only added when using docker >= 22, since docker aliases docker build to docker buildx build, which allows buildx flags in the normal build command. (#357)

Commits since the previous tag: v0.4.6...v0.4.7