From c9e6f4a69e3ed02a2e1ce1f09932b69d294be1cc Mon Sep 17 00:00:00 2001
From: Anil Keshav
Date: Mon, 22 Jul 2024 15:17:35 +0200
Subject: [PATCH] (fix) syft, fixing cyclone dx version to sbom version 1.4 for syft (#4991)

* fixing cyclone dx version to version 1.4 for syft
* fixing unit test for kaniko
* fixing integration test for cnb
---
 cmd/kanikoExecute_test.go | 6 +++---
 integration/integration_cnb_test.go | 8 ++++----
 pkg/syft/syft.go | 4 +++-
 pkg/syft/syft_test.go | 6 +++---
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/cmd/kanikoExecute_test.go b/cmd/kanikoExecute_test.go
index 83c18fd7e2..a602bbbb93 100644
--- a/cmd/kanikoExecute_test.go
+++ b/cmd/kanikoExecute_test.go
@@ -360,7 +360,7 @@ func TestRunKanikoExecute(t *testing.T) {
  assert.Equal(t, "https://index.docker.io", commonPipelineEnvironment.container.registryURL)
  assert.Equal(t, "/tmp/syfttest/syft", execRunner.Calls[2].Exec)
- assert.Equal(t, []string{"scan", "registry:index.docker.io/myImage:tag", "-o", "cyclonedx-xml=bom-docker-0.xml", "-q"}, execRunner.Calls[2].Params)
+ assert.Equal(t, []string{"scan", "registry:index.docker.io/myImage:tag", "-o", "cyclonedx-xml@1.4=bom-docker-0.xml", "-q"}, execRunner.Calls[2].Params)
  })
  t.Run("success case - multi image build with root image", func(t *testing.T) {
@@ -518,7 +518,7 @@ func TestRunKanikoExecute(t *testing.T) {
  found := false
  for _, expected := range expectedParams {
  if expected[0] == "scan" {
- expected = append(expected, fmt.Sprintf("cyclonedx-xml=bom-docker-%d.xml", index-3), "-q")
+ expected = append(expected, fmt.Sprintf("cyclonedx-xml@1.4=bom-docker-%d.xml", index-3), "-q")
  }
  if strings.Join(call.Params, " ") == strings.Join(expected, " ") {
  found = true
@@ -670,7 +670,7 @@ func TestRunKanikoExecute(t *testing.T) {
  found := false
  for _, expected := range expectedParams {
  if expected[0] == "scan" {
- expected = append(expected, fmt.Sprintf("cyclonedx-xml=bom-docker-%d.xml", index-2), "-q")
+ expected = append(expected, fmt.Sprintf("cyclonedx-xml@1.4=bom-docker-%d.xml", index-2), "-q")
  }
  if strings.Join(call.Params, " ") == strings.Join(expected, " ") {
  found = true
diff --git a/integration/integration_cnb_test.go b/integration/integration_cnb_test.go
index 8db6b38d6f..6226d2ad0e 100644
--- a/integration/integration_cnb_test.go
+++ b/integration/integration_cnb_test.go
@@ -163,7 +163,7 @@ func TestCNBIntegrationZipPath(t *testing.T) {
  fmt.Sprintf("Saving %s/not-found:0.0.1", registryURL),
  "*** Images (sha256:",
  "SUCCESS",
- "syft scan registry:localhost:5000/not-found:0.0.1 -o cyclonedx-xml=bom-docker-0.xml -q",
+ "syft scan registry:localhost:5000/not-found:0.0.1 -o cyclonedx-xml@1.4=bom-docker-0.xml -q",
  )
  container.assertHasFiles(t, "/project/bom-docker-0.xml")
  container.terminate(t)
@@ -309,9 +309,9 @@ func TestCNBIntegrationMultiImage(t *testing.T) {
  "Saving localhost:5000/go-app:v1.0.0...",
  "Using cached buildpack",
  "Saving localhost:5000/my-app2:latest...",
- "syft scan registry:localhost:5000/io-buildpacks-my-app:latest -o cyclonedx-xml=bom-docker-0.xml -q",
- "syft scan registry:localhost:5000/go-app:v1.0.0 -o cyclonedx-xml=bom-docker-1.xml -q",
- "syft scan registry:localhost:5000/my-app2:latest -o cyclonedx-xml=bom-docker-2.xml -q",
+ "syft scan registry:localhost:5000/io-buildpacks-my-app:latest -o cyclonedx-xml@1.4=bom-docker-0.xml -q",
+ "syft scan registry:localhost:5000/go-app:v1.0.0 -o cyclonedx-xml@1.4=bom-docker-1.xml -q",
+ "syft scan registry:localhost:5000/my-app2:latest -o cyclonedx-xml@1.4=bom-docker-2.xml -q",
  )
  container.assertHasFiles(t, "/project/bom-docker-0.xml")
diff --git a/pkg/syft/syft.go b/pkg/syft/syft.go
index 2d0f01935c..fb37f0de41 100644
--- a/pkg/syft/syft.go
+++ b/pkg/syft/syft.go
@@ -20,6 +20,8 @@ type SyftScanner struct {
  additionalArgs []string
  }
+const cyclonedxFormatForSyft = "@1.4"
+
  func GenerateSBOM(syftDownloadURL, dockerConfigDir string, execRunner command.ExecRunner, fileUtils piperutils.FileUtils, httpClient piperhttp.Sender, registryURL string, images []string) error {
  scanner, err := CreateSyftScanner(syftDownloadURL, fileUtils, httpClient)
  if err != nil {
@@ -64,7 +66,7 @@ func (s *SyftScanner) ScanImages(dockerConfigDir string, execRunner command.Exec
  return errors.New("syft: image name must not be empty")
  }
  // TrimPrefix needed as syft needs containerRegistry name only
- args := []string{"scan", fmt.Sprintf("registry:%s/%s", strings.TrimPrefix(registryURL, "https://"), image), "-o", fmt.Sprintf("cyclonedx-xml=bom-docker-%v.xml", index), "-q"}
+ args := []string{"scan", fmt.Sprintf("registry:%s/%s", strings.TrimPrefix(registryURL, "https://"), image), "-o", fmt.Sprintf("cyclonedx-xml%s=bom-docker-%v.xml", cyclonedxFormatForSyft, index), "-q"}
  args = append(args, s.additionalArgs...)
  err := execRunner.RunExecutable(s.syftFile, args...)
  if err != nil {
diff --git a/pkg/syft/syft_test.go b/pkg/syft/syft_test.go
index 93ad0e7888..f801d62552 100644
--- a/pkg/syft/syft_test.go
+++ b/pkg/syft/syft_test.go
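Review bot: The new constant `cyclonedxFormatForSyft` in the first syft.go hunk is undocumented and its name is misleading: it holds the `@1.4` schema-version suffix rather than a format, and it bakes the `@` separator into the value, so the format string in ScanImages only reads correctly if you know that. I would keep the version as the value and the syntax in the format string: `// cyclonedxSchemaVersion pins the CycloneDX schema version syft emits; <CONSUMER-THAT-REQUIRES-1.4 — placeholder> does not accept newer schemas.`, `const cyclonedxSchemaVersion = "1.4"`, and in ScanImages `fmt.Sprintf("cyclonedx-xml@%s=bom-docker-%v.xml", cyclonedxSchemaVersion, index)`. Neither the hunk nor the commit message states why 1.4 is required, and since this decides which SBOM fields downstream vulnerability tooling will see, the reason belongs in that comment. The `format@version` output syntax is presumably only understood by syft releases that support versioned output selection, and because the binary comes from the caller-supplied syftDownloadURL nothing here checks that the downloaded syft accepts it — worth confirming that the default download URL is pinned accordingly. ScanImages starts and ends outside the second hunk.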
@@ -44,17 +44,17 @@ func TestGenerateSBOM(t *testing.T) {
  assert.Len(t, execMock.Calls, 2)
  firstCall := execMock.Calls[0]
  assert.Equal(t, firstCall.Exec, "/tmp/syfttest/syft")
- assert.Equal(t, firstCall.Params, []string{"scan", "registry:my-registry/image:latest", "-o", "cyclonedx-xml=bom-docker-0.xml", "-q"})
+ assert.Equal(t, firstCall.Params, []string{"scan", "registry:my-registry/image:latest", "-o", "cyclonedx-xml@1.4=bom-docker-0.xml", "-q"})
  secondCall := execMock.Calls[1]
  assert.Equal(t, secondCall.Exec, "/tmp/syfttest/syft")
- assert.Equal(t, secondCall.Params, []string{"scan", "registry:my-registry/image:1.2.3", "-o", "cyclonedx-xml=bom-docker-1.xml", "-q"})
+ assert.Equal(t, secondCall.Params, []string{"scan", "registry:my-registry/image:1.2.3", "-o", "cyclonedx-xml@1.4=bom-docker-1.xml", "-q"})
  })
  t.Run("error case: syft execution failed", func(t *testing.T) {
  execMock = mock.ExecMockRunner{}
  execMock.ShouldFailOnCommand = map[string]error{
- "/tmp/syfttest/syft scan registry:my-registry/image:latest -o cyclonedx-xml=bom-docker-0.xml -q": errors.New("failed"),
+ "/tmp/syfttest/syft scan registry:my-registry/image:latest -o cyclonedx-xml@1.4=bom-docker-0.xml -q": errors.New("failed"),
  }
  err := syft.GenerateSBOM("http://test-syft-gh-release.com/syft.tar.gz", "", &execMock, &fileMock, client, "https://my-registry", []string{"image:latest"})