diff --git a/docs/cmd/wolfictl_advisory_copy.md b/docs/cmd/wolfictl_advisory_copy.md new file mode 100644 index 000000000..2ec766a11 --- /dev/null +++ b/docs/cmd/wolfictl_advisory_copy.md @@ -0,0 +1,41 @@ +## wolfictl advisory copy + +Copy a package's advisories into a new package. + +***Aliases**: cp* + +### Usage + +``` +wolfictl advisory copy +``` + +### Synopsis + +Copy a package's advisories into a new package. + +This command will copy most advisories for the given package into a new package. + +The command will copy the latest event for each advisory, and will update the timestamp +of the event to now. The command will not copy events of type "detection", "fixed", +"analysis_not_planned", or "fix_not_planned". + + +### Options + +``` + -d, --dir string directory containing the advisories to copy (default ".") + -h, --help help for copy +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl advisory](wolfictl_advisory.md) - Commands for consuming and maintaining security advisory data + diff --git a/docs/cmd/wolfictl_advisory_guide.md b/docs/cmd/wolfictl_advisory_guide.md new file mode 100644 index 000000000..b1619bd10 --- /dev/null +++ b/docs/cmd/wolfictl_advisory_guide.md 
@@ -0,0 +1,33 @@ +## wolfictl advisory guide + +Launch an interactive guide to help you enter advisory data for a package + +### Usage + +``` +wolfictl advisory guide +``` + +### Synopsis + +Launch an interactive guide to help you enter advisory data for a package + +### Options + +``` + -h, --help help for guide + -s, --speedy Skip explanations and unnecessary time delays +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl advisory](wolfictl_advisory.md) - Commands for consuming and maintaining security advisory data +* [wolfictl advisory guide graph](wolfictl_advisory_guide_graph.md) - Generate a DOT graph of the advisory guide interview questions + diff --git a/docs/cmd/wolfictl_advisory_guide_graph.md b/docs/cmd/wolfictl_advisory_guide_graph.md new file mode 100644 index 000000000..b36e5f76e --- /dev/null +++ b/docs/cmd/wolfictl_advisory_guide_graph.md @@ -0,0 +1,31 @@ +## wolfictl advisory guide graph + +Generate a DOT graph of the advisory guide interview questions + +### Usage + +``` +wolfictl advisory guide graph +``` + +### Synopsis + +Generate a DOT graph of the advisory guide interview questions + +### Options + +``` + -h, --help help for graph +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl advisory guide](wolfictl_advisory_guide.md) - Launch an interactive guide to help you enter advisory data for a package + diff --git a/docs/cmd/wolfictl_advisory_osv.md b/docs/cmd/wolfictl_advisory_osv.md new file mode 100644 index 000000000..27236fa37 --- /dev/null +++ b/docs/cmd/wolfictl_advisory_osv.md 
@@ -0,0 +1,52 @@ +## wolfictl advisory osv + +Build an OSV dataset from Chainguard advisory data + +### Usage + +``` +wolfictl advisory osv +``` + +### Synopsis + +Build an OSV dataset from Chainguard advisory data. + +This command reads advisory data from one or more directories containing Chainguard +advisory documents, and writes an OSV dataset to a local directory. + +Specify directories for advisory repositories using the --advisories-repo-dir flag. + +IMPORTANT: For now, the command assumes that the first listed advisory repository is the +"Wolfi" repository, and that the rest are not. In the future, we might unify all advisory +repositories into a single collection of all advisory documents, and remove the need for +multiple advisory repositories. + +The user must also specify directories for all package repositories associated with the +given advisory data. This is used to make sure the OSV data includes all relevant packages +and subpackages. + +The output directory for the OSV dataset is specified using the --output flag. This +directory must already exist before running the command. + + +### Options + +``` + -a, --advisories-repo-dir strings path to the directory(ies) containing Chainguard advisory data + -h, --help help for osv + -o, --output string path to a local directory in which the OSV dataset will be written + -p, --packages-repo-dir strings path to the directory(ies) containing Chainguard package data +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl advisory](wolfictl_advisory.md) - Commands for consuming and maintaining security advisory data + diff --git a/docs/cmd/wolfictl_advisory_validate_fixes.md b/docs/cmd/wolfictl_advisory_validate_fixes.md new file mode 100644 index 000000000..5553c1d96 --- /dev/null 
+++ b/docs/cmd/wolfictl_advisory_validate_fixes.md @@ -0,0 +1,35 @@ +## wolfictl advisory validate fixes + +Validate fixes recorded in advisories + +### Usage + +``` +wolfictl advisory validate fixes +``` + +### Synopsis + +Validate fixes recorded in advisories + +### Options + +``` + -a, --advisories-repo-dir string directory containing the advisories repository + -b, --built-packages-dir string directory containing built packages + --distro string distro to use during vulnerability matching (default "wolfi") + -h, --help help for fixes + -v, --verbose count logging verbosity (v = info, vv = debug, default is none) +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl advisory validate](wolfictl_advisory_validate.md) - Validate the state of advisory data + diff --git a/docs/cmd/wolfictl_apk_cp.md b/docs/cmd/wolfictl_apk_cp.md new file mode 100644 index 000000000..60bb502ee --- /dev/null +++ b/docs/cmd/wolfictl_apk_cp.md @@ -0,0 +1,37 @@ +## wolfictl apk cp + + + +***Aliases**: copy* + +### Usage + +``` +wolfictl apk cp +``` + +### Synopsis + + + +### Options + +``` + --gcs string copy objects from a GCS bucket + -h, --help help for cp + -i, --index string APKINDEX.tar.gz URL (default "https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz") + --latest copy only the latest version of each package (default true) + -o, --out-dir string directory to copy packages to (default "./packages") +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl apk](wolfictl_apk.md) - + 
diff --git a/docs/cmd/wolfictl_apk_ls.md b/docs/cmd/wolfictl_apk_ls.md new file mode 100644 index 000000000..c6340ef9e --- /dev/null +++ b/docs/cmd/wolfictl_apk_ls.md @@ -0,0 +1,40 @@ +## wolfictl apk ls + + + +### Usage + +``` +wolfictl apk ls +``` + +### Synopsis + + + +### Examples + +wolfictl apk ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz + +### Options + +``` + --full print the full url or path + -h, --help help for ls + --json print each package as json + --latest print only the latest version of each package + --newer-than duration print only packages newer than this duration ago + -P, --package string print only packages with the given name +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl apk](wolfictl_apk.md) - + diff --git a/docs/cmd/wolfictl_bundle.md b/docs/cmd/wolfictl_bundle.md new file mode 100644 index 000000000..80221620a --- /dev/null +++ b/docs/cmd/wolfictl_bundle.md 
@@ -0,0 +1,49 @@ +## wolfictl bundle + + + +### Usage + +``` +wolfictl bundle +``` + +### Synopsis + + + +### Options + +``` + -a, --annotation stringToString New annotations to add (default []) + --arch strings arch of package to build (default [x86_64,aarch64]) + --bundle-base string base image used for melange build bundles + --bundle-repo string where to push the bundles + --cache-dir string directory used for cached inputs (default "./melange-cache/") + --cache-source string directory or bucket used for preloading the cache + --destination-repository string repo where packages will eventually be uploaded, used to skip existing packages (currently only supports http) + -d, --dir string directory to search for melange configs (default ".") + --dry-run print commands instead of executing them + --gcsfuse strings list of gcsfuse mounts to make available to the build environment (e.g. gs://my-bucket/subdir:/mnt/my-bucket) + --generate-index whether to generate APKINDEX.tar.gz (default true) + -h, --help help for bundle + -k, --keyring-append strings path to extra keys to include in the build environment keyring (default [https://packages.wolfi.dev/os/wolfi-signing.rsa.pub]) + --namespace string namespace to use in package URLs in SBOM (eg wolfi, alpine) (default "wolfi") + --out-dir string directory where packages will be output + --pipeline-dir string directory used to extend defined built-in pipelines + -r, --repository-append strings path to extra repositories to include in the build environment (default [https://packages.wolfi.dev/os]) + --runner string which runner to use to enable running commands, default is based on your platform. (default "docker") + --signing-key string key to use for signing +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. 
builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl](wolfictl.md) - A CLI helper for developing Wolfi + diff --git a/docs/cmd/wolfictl_ruby.md b/docs/cmd/wolfictl_ruby.md new file mode 100644 index 000000000..b1d0d7ff5 --- /dev/null +++ b/docs/cmd/wolfictl_ruby.md 
@@ -0,0 +1,55 @@ +## wolfictl ruby + +Work with ruby packages + +### Usage + +``` +wolfictl ruby +``` + +### Synopsis + +Work with ruby packages + +The ruby subcommand is intended to work with all ruby packages inside the wolfi +repo. The main uses right now are to check if the ruby version can be upgraded, +and run Github code searches for Github repos pulled from melange yaml files. + +This command takes a path to the wolfi-dev/os repository as an argument. The +path can either be the directory itself to discover all files using ruby-* or +a specific melange yaml to work with. + +NOTE: This is currently restricted to ruby code housed on Github as that is the + majority. There are some on Gitlab and adding Gitlab API support is TODO. + + +### Examples + + +# Run a search query over all ruby-3.2 package in the current directory +wolfictl ruby code-search . --ruby-version 3.2 --search-term 'language:ruby racc' + +# Check if all ruby-3.2 packages in the current directory can be upgraded to ruby-3.3 +wolfictl ruby check-upgrade . --ruby-version 3.2 --ruby-upgrade-version 3.3 + + +### Options + +``` + -h, --help help for ruby +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl](wolfictl.md) - A CLI helper for developing Wolfi +* [wolfictl ruby check-upgrade](wolfictl_ruby_check-upgrade.md) - Check if gemspec for restricts a gem from upgrading to a specified ruby version. +* [wolfictl ruby code-search](wolfictl_ruby_code-search.md) - Run Github search queries for ruby packages. + diff --git a/docs/cmd/wolfictl_ruby_check-upgrade.md b/docs/cmd/wolfictl_ruby_check-upgrade.md new file mode 100644 index 000000000..02f3fe7fd --- /dev/null +++ b/docs/cmd/wolfictl_ruby_check-upgrade.md 
@@ -0,0 +1,46 @@ +## wolfictl ruby check-upgrade + +Check if gemspec for restricts a gem from upgrading to a specified ruby version. + +***Aliases**: cu* + +### Usage + +``` +wolfictl ruby check-upgrade +``` + +### Synopsis + + +NOTE: This is currently restricted to ruby code housed on Github as that is the + majority. There are some on Gitlab and adding Gitlab API support is TODO. + + +### Examples + + +# Check if all ruby-3.2 packages in the current directory can be upgraded to ruby-3.3 +wolfictl ruby check-upgrade . --ruby-version 3.2 --ruby-upgrade-version 3.3 + + +### Options + +``` + -h, --help help for check-upgrade + --no-cache do not use cached results + -u, --ruby-upgrade-version string ruby version to check for updates + -r, --ruby-version string ruby version to search for +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl ruby](wolfictl_ruby.md) - Work with ruby packages + diff --git a/docs/cmd/wolfictl_ruby_code-search.md b/docs/cmd/wolfictl_ruby_code-search.md new file mode 100644 index 000000000..b7390da24 --- /dev/null +++ b/docs/cmd/wolfictl_ruby_code-search.md 
@@ -0,0 +1,54 @@ +## wolfictl ruby code-search + +Run Github search queries for ruby packages. + +***Aliases**: cs,search* + +### Usage + +``` +wolfictl ruby code-search +``` + +### Synopsis + + +NOTE: Due to limitations of GitHub Code Search, the search terms are only matched + against the default branch rather than the tag from which the package is + built. Hopefully this gets better in the future but it could lead to false + negatives if upgrade work has been committed to the main branch but a release + has not been cut yet. + + https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-code + +NOTE: This is currently restricted to ruby code housed on Github as that is the + majority. There are some on Gitlab and adding Gitlab API support is TODO. + + +### Examples + + +# Run a search query over all ruby-3.2 package in the current directory +wolfictl ruby code-search . --ruby-version 3.2 --search-terms 'language:ruby racc' + + +### Options + +``` + -h, --help help for code-search + --no-cache do not use cached results + -r, --ruby-version string ruby version to search for + -s, --search-terms stringArray GitHub code search term +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl ruby](wolfictl_ruby.md) - Work with ruby packages + diff --git a/docs/cmd/wolfictl_test.md b/docs/cmd/wolfictl_test.md new file mode 100644 index 000000000..152e9b2d4 --- /dev/null +++ b/docs/cmd/wolfictl_test.md 
@@ -0,0 +1,65 @@ +## wolfictl test + + + +### Usage + +``` +wolfictl test +``` + +### Synopsis + +Test wolfi packages. Accepts either no positional arguments (for testing everything) or a list of packages to test. + +### Examples + + + # Test everything for every x86_64 and aarch64 + wolfictl test + + # Test a few packages + wolfictl test \ + --arch aarch64 \ + hello-wolfi wget + + + # Test a single local package + wolfictl test \ + --arch aarch64 \ + -k local-melange.rsa.pub \ + -r ./packages \ + -r https://packages.wolfi.dev/os \ + -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \ + hello-wolfi + + +### Options + +``` + --arch strings arch of package to build (default [x86_64,aarch64]) + --cache-dir string directory used for cached inputs (default "./melange-cache/") + --cache-source string directory or bucket used for preloading the cache + --debug enable test debug logging (default true) + -d, --dir string directory to search for melange configs (default ".") + -h, --help help for test + -j, --jobs int number of jobs to run concurrently (default is GOMAXPROCS) + -k, --keyring-append strings path to extra keys to include in the build environment keyring (default [https://packages.wolfi.dev/os/wolfi-signing.rsa.pub]) + --pipeline-dir string directory used to extend defined built-in pipelines (default "./pipelines") + -r, --repository-append strings path to extra repositories to include in the build environment (default [https://packages.wolfi.dev/os]) + --runner string which runner to use to enable running commands, default is based on your platform. (default "docker") + --test-package-append strings extra packages to install for each of the test environments (default [wolfi-base]) + --trace string where to write trace output +``` + +### Options inherited from parent commands + +``` + --log-level string log level (e.g. debug, info, warn, error) (default "info") + --log-policy strings log policy (e.g. 
builtin:stderr, /tmp/log/foo) (default [builtin:stderr]) +``` + +### SEE ALSO + +* [wolfictl](wolfictl.md) - A CLI helper for developing Wolfi + diff --git a/docs/man/man1/wolfictl-advisory-copy.1 b/docs/man/man1/wolfictl-advisory-copy.1 new file mode 100644 index 000000000..ed802d80b --- /dev/null +++ b/docs/man/man1/wolfictl-advisory-copy.1 @@ -0,0 +1,51 @@ +.TH "WOLFICTL\-ADVISORY\-COPY" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-advisory\-copy \- Copy a package's advisories into a new package. + + +.SH SYNOPSIS +.PP +\fBwolfictl advisory copy \fP + + +.SH DESCRIPTION +.PP +Copy a package's advisories into a new package. + +.PP +This command will copy most advisories for the given package into a new package. + +.PP +The command will copy the latest event for each advisory, and will update the timestamp +of the event to now. The command will not copy events of type "detection", "fixed", +"analysis\_not\_planned", or "fix\_not\_planned". + + +.SH OPTIONS +.PP +\fB\-d\fP, \fB\-\-dir\fP="." + directory containing the advisories to copy + +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for copy + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH SEE ALSO +.PP +\fBwolfictl\-advisory(1)\fP diff --git a/docs/man/man1/wolfictl-advisory-guide-graph.1 b/docs/man/man1/wolfictl-advisory-guide-graph.1 new file mode 100644 index 000000000..98d246155 --- /dev/null +++ b/docs/man/man1/wolfictl-advisory-guide-graph.1 
@@ -0,0 +1,39 @@ +.TH "WOLFICTL\-ADVISORY\-GUIDE\-GRAPH" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-advisory\-guide\-graph \- Generate a DOT graph of the advisory guide interview questions + + +.SH SYNOPSIS +.PP +\fBwolfictl advisory guide graph\fP + + +.SH DESCRIPTION +.PP +Generate a DOT graph of the advisory guide interview questions + + +.SH OPTIONS +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for graph + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH SEE ALSO +.PP +\fBwolfictl\-advisory\-guide(1)\fP diff --git a/docs/man/man1/wolfictl-advisory-guide.1 b/docs/man/man1/wolfictl-advisory-guide.1 new file mode 100644 index 000000000..8459e964b --- /dev/null +++ b/docs/man/man1/wolfictl-advisory-guide.1 @@ -0,0 +1,43 @@ +.TH "WOLFICTL\-ADVISORY\-GUIDE" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-advisory\-guide \- Launch an interactive guide to help you enter advisory data for a package + + +.SH SYNOPSIS +.PP +\fBwolfictl advisory guide\fP + + +.SH DESCRIPTION +.PP +Launch an interactive guide to help you enter advisory data for a package + + +.SH OPTIONS +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for guide + +.PP +\fB\-s\fP, \fB\-\-speedy\fP[=false] + Skip explanations and unnecessary time delays + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH SEE ALSO +.PP +\fBwolfictl\-advisory(1)\fP, \fBwolfictl\-advisory\-guide\-graph(1)\fP diff --git a/docs/man/man1/wolfictl-advisory-osv.1 b/docs/man/man1/wolfictl-advisory-osv.1 new file mode 100644 index 000000000..7ebffd74d --- /dev/null +++ b/docs/man/man1/wolfictl-advisory-osv.1 
@@ -0,0 +1,73 @@ +.TH "WOLFICTL\-ADVISORY\-OSV" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-advisory\-osv \- Build an OSV dataset from Chainguard advisory data + + +.SH SYNOPSIS +.PP +\fBwolfictl advisory osv\fP + + +.SH DESCRIPTION +.PP +Build an OSV dataset from Chainguard advisory data. + +.PP +This command reads advisory data from one or more directories containing Chainguard +advisory documents, and writes an OSV dataset to a local directory. + +.PP +Specify directories for advisory repositories using the \-\-advisories\-repo\-dir flag. + +.PP +IMPORTANT: For now, the command assumes that the first listed advisory repository is the +"Wolfi" repository, and that the rest are not. In the future, we might unify all advisory +repositories into a single collection of all advisory documents, and remove the need for +multiple advisory repositories. + +.PP +The user must also specify directories for all package repositories associated with the +given advisory data. This is used to make sure the OSV data includes all relevant packages +and subpackages. + +.PP +The output directory for the OSV dataset is specified using the \-\-output flag. This +directory must already exist before running the command. + + +.SH OPTIONS +.PP +\fB\-a\fP, \fB\-\-advisories\-repo\-dir\fP=[] + path to the directory(ies) containing Chainguard advisory data + +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for osv + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + path to a local directory in which the OSV dataset will be written + +.PP +\fB\-p\fP, \fB\-\-packages\-repo\-dir\fP=[] + path to the directory(ies) containing Chainguard package data + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH SEE ALSO +.PP +\fBwolfictl\-advisory(1)\fP 
diff --git a/docs/man/man1/wolfictl-advisory-validate-fixes.1 b/docs/man/man1/wolfictl-advisory-validate-fixes.1 new file mode 100644 index 000000000..e00dc1e85 --- /dev/null +++ b/docs/man/man1/wolfictl-advisory-validate-fixes.1 @@ -0,0 +1,55 @@ +.TH "WOLFICTL\-ADVISORY\-VALIDATE\-FIXES" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-advisory\-validate\-fixes \- Validate fixes recorded in advisories + + +.SH SYNOPSIS +.PP +\fBwolfictl advisory validate fixes\fP + + +.SH DESCRIPTION +.PP +Validate fixes recorded in advisories + + +.SH OPTIONS +.PP +\fB\-a\fP, \fB\-\-advisories\-repo\-dir\fP="" + directory containing the advisories repository + +.PP +\fB\-b\fP, \fB\-\-built\-packages\-dir\fP="" + directory containing built packages + +.PP +\fB\-\-distro\fP="wolfi" + distro to use during vulnerability matching + +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for fixes + +.PP +\fB\-v\fP, \fB\-\-verbose\fP[=0] + logging verbosity (v = info, vv = debug, default is none) + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH SEE ALSO +.PP +\fBwolfictl\-advisory\-validate(1)\fP diff --git a/docs/man/man1/wolfictl-apk-cp.1 b/docs/man/man1/wolfictl-apk-cp.1 new file mode 100644 index 000000000..b82c69f84 --- /dev/null +++ b/docs/man/man1/wolfictl-apk-cp.1 
@@ -0,0 +1,53 @@ +.TH "WOLFICTL\-APK\-CP" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-apk\-cp \- + + +.SH SYNOPSIS +.PP +\fBwolfictl apk cp\fP + + +.SH DESCRIPTION + +.SH OPTIONS +.PP +\fB\-\-gcs\fP="" + copy objects from a GCS bucket + +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for cp + +.PP +\fB\-i\fP, \fB\-\-index\fP=" +\[la]https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz"\[ra] + APKINDEX.tar.gz URL + +.PP +\fB\-\-latest\fP[=true] + copy only the latest version of each package + +.PP +\fB\-o\fP, \fB\-\-out\-dir\fP="./packages" + directory to copy packages to + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH SEE ALSO +.PP +\fBwolfictl\-apk(1)\fP diff --git a/docs/man/man1/wolfictl-apk-ls.1 b/docs/man/man1/wolfictl-apk-ls.1 new file mode 100644 index 000000000..dc0b09da5 --- /dev/null +++ b/docs/man/man1/wolfictl-apk-ls.1 
@@ -0,0 +1,62 @@ +.TH "WOLFICTL\-APK\-LS" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-apk\-ls \- + + +.SH SYNOPSIS +.PP +\fBwolfictl apk ls\fP + + +.SH DESCRIPTION + +.SH OPTIONS +.PP +\fB\-\-full\fP[=false] + print the full url or path + +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for ls + +.PP +\fB\-\-json\fP[=false] + print each package as json + +.PP +\fB\-\-latest\fP[=false] + print only the latest version of each package + +.PP +\fB\-\-newer\-than\fP=0s + print only packages newer than this duration ago + +.PP +\fB\-P\fP, \fB\-\-package\fP="" + print only packages with the given name + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH EXAMPLE +.PP +wolfictl apk ls +\[la]https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz\[ra] + + +.SH SEE ALSO +.PP +\fBwolfictl\-apk(1)\fP diff --git a/docs/man/man1/wolfictl-bundle.1 b/docs/man/man1/wolfictl-bundle.1 new file mode 100644 index 000000000..a0eaa2fd7 --- /dev/null +++ b/docs/man/man1/wolfictl-bundle.1 
@@ -0,0 +1,110 @@ +.TH "WOLFICTL\-BUNDLE" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-bundle \- + + +.SH SYNOPSIS +.PP +\fBwolfictl bundle\fP + + +.SH DESCRIPTION + +.SH OPTIONS +.PP +\fB\-a\fP, \fB\-\-annotation\fP=[] + New annotations to add + +.PP +\fB\-\-arch\fP=[x86\_64,aarch64] + arch of package to build + +.PP +\fB\-\-bundle\-base\fP="" + base image used for melange build bundles + +.PP +\fB\-\-bundle\-repo\fP="" + where to push the bundles + +.PP +\fB\-\-cache\-dir\fP="./melange\-cache/" + directory used for cached inputs + +.PP +\fB\-\-cache\-source\fP="" + directory or bucket used for preloading the cache + +.PP +\fB\-\-destination\-repository\fP="" + repo where packages will eventually be uploaded, used to skip existing packages (currently only supports http) + +.PP +\fB\-d\fP, \fB\-\-dir\fP="." + directory to search for melange configs + +.PP +\fB\-\-dry\-run\fP[=false] + print commands instead of executing them + +.PP +\fB\-\-gcsfuse\fP=[] + list of gcsfuse mounts to make available to the build environment (e.g. gs://my\-bucket/subdir:/mnt/my\-bucket) + +.PP +\fB\-\-generate\-index\fP[=true] + whether to generate APKINDEX.tar.gz + +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for bundle + +.PP +\fB\-k\fP, \fB\-\-keyring\-append\fP=[ +\[la]https://packages.wolfi.dev/os/wolfi-signing.rsa.pub\[ra]] + path to extra keys to include in the build environment keyring + +.PP +\fB\-\-namespace\fP="wolfi" + namespace to use in package URLs in SBOM (eg wolfi, alpine) + +.PP +\fB\-\-out\-dir\fP="" + directory where packages will be output + +.PP +\fB\-\-pipeline\-dir\fP="" + directory used to extend defined built\-in pipelines + +.PP +\fB\-r\fP, \fB\-\-repository\-append\fP=[ +\[la]https://packages.wolfi.dev/os\[ra]] + path to extra repositories to include in the build environment + +.PP +\fB\-\-runner\fP="docker" + which runner to use to enable running commands, default is based on your platform. 
+ +.PP +\fB\-\-signing\-key\fP="" + key to use for signing + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH SEE ALSO +.PP +\fBwolfictl(1)\fP diff --git a/docs/man/man1/wolfictl-ruby-check-upgrade.1 b/docs/man/man1/wolfictl-ruby-check-upgrade.1 new file mode 100644 index 000000000..cff0797bb --- /dev/null +++ b/docs/man/man1/wolfictl-ruby-check-upgrade.1 @@ -0,0 +1,59 @@ +.TH "WOLFICTL\-RUBY\-CHECK-UPGRADE" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-ruby\-check\-upgrade \- Check if gemspec for restricts a gem from upgrading to a specified ruby version. + + +.SH SYNOPSIS +.PP +\fBwolfictl ruby check\-upgrade\fP + + +.SH DESCRIPTION +.PP +NOTE: This is currently restricted to ruby code housed on Github as that is the + majority. There are some on Gitlab and adding Gitlab API support is TODO. + + +.SH OPTIONS +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for check\-upgrade + +.PP +\fB\-\-no\-cache\fP[=false] + do not use cached results + +.PP +\fB\-u\fP, \fB\-\-ruby\-upgrade\-version\fP="" + ruby version to check for updates + +.PP +\fB\-r\fP, \fB\-\-ruby\-version\fP="" + ruby version to search for + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH EXAMPLE + +.SH Check if all ruby\-3.2 packages in the current directory can be upgraded to ruby\-3.3 +.PP +wolfictl ruby check\-upgrade . \-\-ruby\-version 3.2 \-\-ruby\-upgrade\-version 3.3 + + +.SH SEE ALSO +.PP +\fBwolfictl\-ruby(1)\fP diff --git a/docs/man/man1/wolfictl-ruby-code-search.1 b/docs/man/man1/wolfictl-ruby-code-search.1 new file mode 100644 index 000000000..8726379a2 --- /dev/null 
+++ b/docs/man/man1/wolfictl-ruby-code-search.1 @@ -0,0 +1,75 @@ +.TH "WOLFICTL\-RUBY\-CODE-SEARCH" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-ruby\-code\-search \- Run Github search queries for ruby packages. + + +.SH SYNOPSIS +.PP +\fBwolfictl ruby code\-search\fP + + +.SH DESCRIPTION +.PP +NOTE: Due to limitations of GitHub Code Search, the search terms are only matched + against the default branch rather than the tag from which the package is + built. Hopefully this gets better in the future but it could lead to false + negatives if upgrade work has been committed to the main branch but a release + has not been cut yet. + +.PP +.RS + +.nf + https://docs.github.com/en/rest/search/search?apiVersion=2022\-11\-28#search\-code + +.fi +.RE + +.PP +NOTE: This is currently restricted to ruby code housed on Github as that is the + majority. There are some on Gitlab and adding Gitlab API support is TODO. + + +.SH OPTIONS +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for code\-search + +.PP +\fB\-\-no\-cache\fP[=false] + do not use cached results + +.PP +\fB\-r\fP, \fB\-\-ruby\-version\fP="" + ruby version to search for + +.PP +\fB\-s\fP, \fB\-\-search\-terms\fP=[] + GitHub code search term + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH EXAMPLE + +.SH Run a search query over all ruby\-3.2 package in the current directory +.PP +wolfictl ruby code\-search . \-\-ruby\-version 3.2 \-\-search\-terms 'language:ruby racc' + + +.SH SEE ALSO +.PP +\fBwolfictl\-ruby(1)\fP diff --git a/docs/man/man1/wolfictl-ruby.1 b/docs/man/man1/wolfictl-ruby.1 new file mode 100644 index 000000000..b8ce61fae --- /dev/null +++ b/docs/man/man1/wolfictl-ruby.1 
@@ -0,0 +1,65 @@ +.TH "WOLFICTL\-RUBY" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-ruby \- Work with ruby packages + + +.SH SYNOPSIS +.PP +\fBwolfictl ruby\fP + + +.SH DESCRIPTION +.PP +Work with ruby packages + +.PP +The ruby subcommand is intended to work with all ruby packages inside the wolfi +repo. The main uses right now are to check if the ruby version can be upgraded, +and run Github code searches for Github repos pulled from melange yaml files. + +.PP +This command takes a path to the wolfi\-dev/os repository as an argument. The +path can either be the directory itself to discover all files using ruby\-* or +a specific melange yaml to work with. + +.PP +NOTE: This is currently restricted to ruby code housed on Github as that is the + majority. There are some on Gitlab and adding Gitlab API support is TODO. + + +.SH OPTIONS +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for ruby + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. builtin:stderr, /tmp/log/foo) + + +.SH EXAMPLE + +.SH Run a search query over all ruby\-3.2 package in the current directory +.PP +wolfictl ruby code\-search . \-\-ruby\-version 3.2 \-\-search\-term 'language:ruby racc' + + +.SH Check if all ruby\-3.2 packages in the current directory can be upgraded to ruby\-3.3 +.PP +wolfictl ruby check\-upgrade . \-\-ruby\-version 3.2 \-\-ruby\-upgrade\-version 3.3 + + +.SH SEE ALSO +.PP +\fBwolfictl(1)\fP, \fBwolfictl\-ruby\-check\-upgrade(1)\fP, \fBwolfictl\-ruby\-code\-search(1)\fP diff --git a/docs/man/man1/wolfictl-test.1 b/docs/man/man1/wolfictl-test.1 new file mode 100644 index 000000000..ef6971fc4 --- /dev/null +++ b/docs/man/man1/wolfictl-test.1 
@@ -0,0 +1,116 @@ +.TH "WOLFICTL\-TEST" "1" "" "Auto generated by spf13/cobra" "" +.nh +.ad l + + +.SH NAME +.PP +wolfictl\-test \- + + +.SH SYNOPSIS +.PP +\fBwolfictl test\fP + + +.SH DESCRIPTION +.PP +Test wolfi packages. Accepts either no positional arguments (for testing everything) or a list of packages to test. + + +.SH OPTIONS +.PP +\fB\-\-arch\fP=[x86\_64,aarch64] + arch of package to build + +.PP +\fB\-\-cache\-dir\fP="./melange\-cache/" + directory used for cached inputs + +.PP +\fB\-\-cache\-source\fP="" + directory or bucket used for preloading the cache + +.PP +\fB\-\-debug\fP[=true] + enable test debug logging + +.PP +\fB\-d\fP, \fB\-\-dir\fP="." + directory to search for melange configs + +.PP +\fB\-h\fP, \fB\-\-help\fP[=false] + help for test + +.PP +\fB\-j\fP, \fB\-\-jobs\fP=0 + number of jobs to run concurrently (default is GOMAXPROCS) + +.PP +\fB\-k\fP, \fB\-\-keyring\-append\fP=[ +\[la]https://packages.wolfi.dev/os/wolfi-signing.rsa.pub\[ra]] + path to extra keys to include in the build environment keyring + +.PP +\fB\-\-pipeline\-dir\fP="./pipelines" + directory used to extend defined built\-in pipelines + +.PP +\fB\-r\fP, \fB\-\-repository\-append\fP=[ +\[la]https://packages.wolfi.dev/os\[ra]] + path to extra repositories to include in the build environment + +.PP +\fB\-\-runner\fP="docker" + which runner to use to enable running commands, default is based on your platform. + +.PP +\fB\-\-test\-package\-append\fP=[wolfi\-base] + extra packages to install for each of the test environments + +.PP +\fB\-\-trace\fP="" + where to write trace output + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-log\-level\fP="info" + log level (e.g. debug, info, warn, error) + +.PP +\fB\-\-log\-policy\fP=[builtin:stderr] + log policy (e.g. 
builtin:stderr, /tmp/log/foo) + + +.SH EXAMPLE +.PP +.RS + +.nf +# Test everything for every x86\_64 and aarch64 +wolfictl test + +# Test a few packages +wolfictl test \\ + \-\-arch aarch64 \\ + hello\-wolfi wget + + +# Test a single local package +wolfictl test \\ + \-\-arch aarch64 \\ + \-k local\-melange.rsa.pub \\ + \-r ./packages \\ + \-r https://packages.wolfi.dev/os \\ + \-k https://packages.wolfi.dev/os/wolfi\-signing.rsa.pub \\ + hello\-wolfi + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBwolfictl(1)\fP
diff --git a/pkg/cli/scan.go b/pkg/cli/scan.go
index c17f2c0fd..956560bde 100644
--- a/pkg/cli/scan.go
+++ b/pkg/cli/scan.go
@@ -25,7 +25,6 @@ import (
 "github.com/wolfi-dev/wolfictl/pkg/configs"
 v2 "github.com/wolfi-dev/wolfictl/pkg/configs/advisory/v2"
 rwos "github.com/wolfi-dev/wolfictl/pkg/configs/rwfs/os"
- "github.com/wolfi-dev/wolfictl/pkg/index"
 "github.com/wolfi-dev/wolfictl/pkg/sbom"
 "github.com/wolfi-dev/wolfictl/pkg/scan"
 "github.com/wolfi-dev/wolfictl/pkg/versions"
@@ -357,6 +356,7 @@ type scanParams struct {
 disableSBOMCache bool
 triageWithGoVulnCheck bool
 remoteScanning bool
+ remoteRepository string
 useCPEMatching bool
 verbosity int
 }
@@ -374,6 +374,7 @@ func (p *scanParams) addFlagsTo(cmd *cobra.Command) {
 cmd.Flags().BoolVar(&p.triageWithGoVulnCheck, "govulncheck", false, "EXPERIMENTAL: triage vulnerabilities in Go binaries using govulncheck")
 _ = cmd.Flags().MarkHidden("govulncheck") //nolint:errcheck
 cmd.Flags().BoolVarP(&p.remoteScanning, "remote", "r", false, "treat input(s) as the name(s) of package(s) in the Wolfi package repository to download and scan the latest versions of")
+ cmd.Flags().StringVar(&p.remoteRepository, "repository", "https://packages.wolfi.dev/os", "URL of the APK package repository")
 cmd.Flags().BoolVar(&p.useCPEMatching, "use-cpes", false, "turn on all CPE matching in Grype")
 addVerboseFlag(&p.verbosity, cmd)
 }
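Review bot: The help text for the new `--repository` flag does not say that it only takes effect together with `--remote`, which is the only consumer of `p.remoteRepository` visible in this diff (the `@@ -403` hunk passes it to resolveInputForRemoteTarget). Since the value is used as the base for both the APKINDEX fetch and the per-architecture package download, the help should also say it is a base URL: `cmd.Flags().StringVar(&p.remoteRepository, "repository", "https://packages.wolfi.dev/os", "base URL of the APK package repository to download from when --remote is set")`. addFlagsTo's body begins before this hunk.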
@@ -403,7 +404,7 @@ func (p *scanParams) resolveInputsToScan(ctx context.Context, args []string) (in
 }
 for _, arg := range args {
- targetPaths, cleanup, err := resolveInputForRemoteTarget(ctx, arg)
+ targetPaths, cleanup, err := resolveInputForRemoteTarget(ctx, arg, p.remoteRepository)
 if err != nil {
 return nil, nil, fmt.Errorf("failed to resolve input %q for remote scanning: %w", arg, err)
 }
@@ -606,6 +607,18 @@ func resolveInputFileFromArg(inputFilePath string) (*os.File, error) {
 }
 }
 
+// getAPKIndexURL returns the URL of the APKINDEX.tar.gz file for the given
+// repository and architecture. If the repository URL already points to an
+// APKINDEX.tar.gz file, it will be returned as-is. User input may or may not
+// have included the architecture or the APKINDEX.tar.gz suffix, so construct
+// the full URL to provide better UX.
+func getAPKIndexURL(repositoryURL, arch string) string {
+ if strings.HasSuffix(repositoryURL, "/x86_64/APKINDEX.tar.gz") || strings.HasSuffix(repositoryURL, "/aarch64/APKINDEX.tar.gz") {
+ return repositoryURL
+ }
+ return fmt.Sprintf("%s/%s/APKINDEX.tar.gz", repositoryURL, arch)
+}
+
 // resolveInputForRemoteTarget takes the given input string, which is expected
 // to be the name of a Wolfi package (or subpackage), and it queries the Wolfi
 // APK repository to find the latest version of the package for each
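Review bot: The short-circuit in getAPKIndexURL that returns a value already ending in `/x86_64/APKINDEX.tar.gz` or `/aarch64/APKINDEX.tar.gz` unchanged is inconsistent with how `repository` is used by its caller: resolveInputForRemoteTarget loops over both architectures, so a URL naming one arch's index is fetched for the other arch as well, and the `@@ -651` hunk still builds `downloadURL` from the raw `repository` value, giving `.../x86_64/APKINDEX.tar.gz/<arch>/<file>.apk`. A trailing slash on the repository likewise produces a double slash in the index URL. Normalizing the user-supplied value once, in a helper that both call sites use, keeps the UX the doc comment describes while making the download URL agree with the index URL; the download line would become `downloadURL := fmt.Sprintf("%s/%s/%s", repositoryBaseURL(repository), arch, latestPkg.Filename())`.
```go
// repositoryBaseURL normalizes a user-supplied repository value to a base URL
// with no trailing slash, accepting either the bare repository URL or the URL
// of one architecture's APKINDEX.tar.gz. Both the index fetch and the package
// download must be derived from this value so they agree with each other.
func repositoryBaseURL(repositoryURL string) string {
	base := strings.TrimSuffix(repositoryURL, "/")
	for _, a := range []string{"x86_64", "aarch64"} {
		base = strings.TrimSuffix(base, "/"+a+"/APKINDEX.tar.gz")
	}
	return strings.TrimSuffix(base, "/")
}

// getAPKIndexURL returns the URL of the APKINDEX.tar.gz file for the given
// repository and architecture.
func getAPKIndexURL(repositoryURL, arch string) string {
	return repositoryBaseURL(repositoryURL) + "/" + arch + "/APKINDEX.tar.gz"
}
```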
@@ -615,13 +628,14 @@ func resolveInputFileFromArg(inputFilePath string) (*os.File, error) {
 // For example, given the input value "calico", this function will find the
 // latest version of the package (e.g. "calico-3.26.3-r3.apk") and download it
 // for each architecture.
-func resolveInputForRemoteTarget(ctx context.Context, input string) (downloadedAPKFilePaths []string, cleanup func() error, err error) {
+func resolveInputForRemoteTarget(ctx context.Context, input, repository string) (downloadedAPKFilePaths []string, cleanup func() error, err error) {
 logger := clog.FromContext(ctx)
 
 archesFound := 0
 for _, arch := range []string{"x86_64", "aarch64"} {
- const apkRepositoryURL = "https://packages.wolfi.dev/os"
- apkindex, err := index.Index(arch, apkRepositoryURL)
+ // Since index.Index function doesn't respect the `$HTTP_AUTH`, use
+ // fetchAPKIndex function instead.
+ apkindex, _, err := fetchAPKIndex(ctx, getAPKIndexURL(repository, arch))
 if err != nil {
 return nil, nil, fmt.Errorf("getting APKINDEX: %w", err)
 }
@@ -651,7 +665,7 @@ func resolveInputForRemoteTarget(ctx context.Context, input string) (downloadedA
 break
 }
 }
- downloadURL := fmt.Sprintf("%s/%s/%s", apkRepositoryURL, arch, latestPkg.Filename())
+ downloadURL := fmt.Sprintf("%s/%s/%s", repository, arch, latestPkg.Filename())
 apkTempFileName := fmt.Sprintf("%s-%s-%s-*.apk", arch, input, latestVersion)
 tmpFile, err := os.CreateTemp("", apkTempFileName)
 
@@ -665,6 +679,7 @@ func resolveInputForRemoteTarget(ctx context.Context, input string) (downloadedA
 return nil, nil, fmt.Errorf("creating request for %q: %w", downloadURL, err)
 }
 
+ addAuth(req)
 logger.Debug("downloading APK", "url", downloadURL)
 resp, err := http.DefaultClient.Do(req)
 if err != nil {
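Review bot: The second result of fetchAPKIndex is discarded with `_` and the comment above the call only explains why index.Index was replaced, not what is being dropped or why it is not needed on this path; from this hunk a reader cannot tell whether it is a cache indicator, a cleanup handle or something else. Extend the comment to name it, e.g. `// fetchAPKIndex is used instead of index.Index because it honours $HTTP_AUTH; its second result (<describe value>) is not needed here.`, filling in what the value actually is. resolveInputForRemoteTarget's body continues past this hunk.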
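Review bot: `addAuth(req)` attaches whatever credential `$HTTP_AUTH` carries to a request whose host now comes from the user-supplied `--repository` value instead of a fixed constant, and nothing in this hunk binds the credential to a particular host. If addAuth already compares the request host with the host the credential is scoped to, a one-line comment here (`// addAuth only adds credentials when req.Host matches the credential's host scope`) would make that intent visible at the call site; if it does not, that host check belongs before the call so a credential intended for the default repository is not sent to whichever repository URL is configured. The index fetch in the `@@ -615` hunk presumably goes through the same helper and has the same consideration. resolveInputForRemoteTarget's body continues past this hunk.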