From 32c06d386857238cbcd1d73215109b0619c162e2 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 3 Nov 2023 10:24:11 +0100
Subject: [PATCH 1/2] cstrans-df-run: improve matching of comments
... so that `cspodman` can successfully scan `quay-builder-container-v3.10.0-15`
Related: https://issues.redhat.com/browse/OSH-391
---
 src/cstrans-df-run.cc | 2 +-
 tests/cstrans-df-run/0010-stdin.txt | 49 ++++++++++++++++++++++++++++
 tests/cstrans-df-run/0010-stdout.txt | 40 +++++++++++++++++++++++
 tests/cstrans-df-run/CMakeLists.txt | 1 +
 4 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 tests/cstrans-df-run/0010-stdin.txt
 create mode 100644 tests/cstrans-df-run/0010-stdout.txt
diff --git a/src/cstrans-df-run.cc b/src/cstrans-df-run.cc
index 537f947c..eaebfd61 100644
--- a/src/cstrans-df-run.cc
+++ b/src/cstrans-df-run.cc
@@ -62,7 +62,7 @@ class DockerFileTransformer {
 const RE reLineCont_ = RE("(^.*[^\\\\])\\\\$");
 /// match in-line comments
- const RE reComment_ = RE("^ *#.*$");
+ const RE reComment_ = RE("^\\s*#.*$");
 };
 /// parse serialized list in the form: "item1", "item2", ...
diff --git a/tests/cstrans-df-run/0010-stdin.txt b/tests/cstrans-df-run/0010-stdin.txt
new file mode 100644
index 00000000..1efabd70
--- /dev/null
+++ b/tests/cstrans-df-run/0010-stdin.txt
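Review bot: The `/// match in-line comments` doc comment above `reComment_` no longer says what distinguishes the new pattern — it now accepts any leading whitespace (tabs included) before `#`, which is the reason for the change; I would write `/// match comment lines: optional leading whitespace (incl. tabs) followed by '#'`. Switching from ` *` to `\\s*` assumes `RE` is an ECMAScript/Perl-style engine (boost::regex or the std::regex default) that understands the `\s` class; the `RE` alias is defined outside the hunk, so worth a glance. The enclosing `DockerFileTransformer` class starts before the hunk and only its regex members are visible here.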
@@ -0,0 +1,49 @@
+#@follow_tag(registry-proxy.engineering.redhat.com/rh-osbs/openshift-golang-builder:v1.19.10-202306161322.el8.g42c8e14)
+FROM registry-proxy.engineering.redhat.com/rh-osbs/openshift-golang-builder:v1.19.10-202306161322.el8.g42c8e14 AS builder
+
+COPY $REMOTE_SOURCE $REMOTE_SOURCE_DIR
+WORKDIR $REMOTE_SOURCE_DIR/app
+USER root
+RUN dnf install -y --setopt=tsflags=nodocs git
+RUN sed -i 's/CGO_ENABLED=0 //;s/containers_image_openpgp/& strictfipsruntime/' Makefile
+RUN go mod vendor && \
+ GOEXPERIMENT=strictfipsruntime make build VERSION=${CI_CONTAINER_VERSION}
+
+#@follow_tag(registry.redhat.io/ubi8/podman)
+FROM registry.redhat.io/ubi8/podman:8.8-14.1697647490
+
+LABEL com.redhat.component="quay-builder-container"
+LABEL name="quay/quay-builder-rhel8"
+LABEL version=${CI_CONTAINER_VERSION}
+LABEL io.k8s.display-name="Red Hat Quay - Builder"
+LABEL io.k8s.description="Red Hat Quay image builder"
+LABEL summary="Red Hat Quay image builder"
+LABEL maintainer "hgovinda@redhat.com"
+
+COPY --from=builder $REMOTE_SOURCE_DIR/app/bin/quay-builder /usr/local/bin/quay-builder
+COPY --from=builder $REMOTE_SOURCE_DIR/app/buildpack/ssh-git.sh /ssh-git.sh
+COPY --from=builder $REMOTE_SOURCE_DIR/app/entrypoint.sh /home/podman/entrypoint.sh
+
+RUN set -ex\
+ ; dnf install -y --setopt=tsflags=nodocs --setopt=skip_missing_names_on_install=False git wget \
+ ; dnf -y update && dnf -y -q clean all
+
+# Rootless/unprivileged buildah configurations
+# https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md
+RUN touch /etc/subgid /etc/subuid && \
+ chmod g=u /etc/subgid /etc/subuid /etc/passwd && \
+ echo 'podman:100000:65536' > /etc/subuid && echo 'podman:100000:65536' > /etc/subgid && \
+ # Set driver to VFS, which doesn't require host modifications compared to overlay
+ # Set shortname aliasing to permissive - https://www.redhat.com/sysadmin/container-image-short-names
+ mkdir -p /home/podman/.config/containers && \
+ (echo '[storage]';echo 'driver = "vfs"') > /home/podman/.config/containers/storage.conf && \
+ sed -i 's/short-name-mode="enforcing"/short-name-mode="permissive"/g' /etc/containers/registries.conf && \
+ mkdir /certs /home/podman/.config/cni && chown podman:podman /certs /home/podman/.config/cni
+
+VOLUME ["/tmp", "/certs"]
+
+WORKDIR /home/podman
+
+USER podman
+
+ENTRYPOINT ["sh", "/home/podman/entrypoint.sh"]
diff --git a/tests/cstrans-df-run/0010-stdout.txt b/tests/cstrans-df-run/0010-stdout.txt
new file mode 100644
index 00000000..86c96f62
--- /dev/null
+++ b/tests/cstrans-df-run/0010-stdout.txt
@@ -0,0 +1,40 @@
+#@follow_tag(registry-proxy.engineering.redhat.com/rh-osbs/openshift-golang-builder:v1.19.10-202306161322.el8.g42c8e14)
+FROM registry-proxy.engineering.redhat.com/rh-osbs/openshift-golang-builder:v1.19.10-202306161322.el8.g42c8e14 AS builder
+
+COPY $REMOTE_SOURCE $REMOTE_SOURCE_DIR
+WORKDIR $REMOTE_SOURCE_DIR/app
+USER root
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "dnf install -y --setopt=tsflags=nodocs git"]
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "sed -i 's/CGO_ENABLED=0 //;s/containers_image_openpgp/& strictfipsruntime/' Makefile"]
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "go mod vendor && GOEXPERIMENT=strictfipsruntime make build VERSION=${CI_CONTAINER_VERSION}"]
+
+#@follow_tag(registry.redhat.io/ubi8/podman)
+FROM registry.redhat.io/ubi8/podman:8.8-14.1697647490
+
+LABEL com.redhat.component="quay-builder-container"
+LABEL name="quay/quay-builder-rhel8"
+LABEL version=${CI_CONTAINER_VERSION}
+LABEL io.k8s.display-name="Red Hat Quay - Builder"
+LABEL io.k8s.description="Red Hat Quay image builder"
+LABEL summary="Red Hat Quay image builder"
+LABEL maintainer "hgovinda@redhat.com"
+
+COPY --from=builder $REMOTE_SOURCE_DIR/app/bin/quay-builder /usr/local/bin/quay-builder
+COPY --from=builder $REMOTE_SOURCE_DIR/app/buildpack/ssh-git.sh /ssh-git.sh
+COPY --from=builder $REMOTE_SOURCE_DIR/app/entrypoint.sh /home/podman/entrypoint.sh
+
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "set -ex\t; dnf install -y --setopt=tsflags=nodocs --setopt=skip_missing_names_on_install=False git wget \t; dnf -y update && dnf -y -q clean all"]
+
+# Rootless/unprivileged buildah configurations
+# https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "touch /etc/subgid /etc/subuid && chmod g=u /etc/subgid /etc/subuid /etc/passwd && echo 'podman:100000:65536' > /etc/subuid && echo 'podman:100000:65536' > /etc/subgid && \tmkdir -p /home/podman/.config/containers && (echo '[storage]';echo 'driver = \"vfs\"') > /home/podman/.config/containers/storage.conf && \\ "]
+ sed -i 's/short-name-mode="enforcing"/short-name-mode="permissive"/g' /etc/containers/registries.conf && \
+ mkdir /certs /home/podman/.config/cni && chown podman:podman /certs /home/podman/.config/cni
+
+VOLUME ["/tmp", "/certs"]
+
+WORKDIR /home/podman
+
+USER podman
+
+ENTRYPOINT ["sh", "/home/podman/entrypoint.sh"]
diff --git a/tests/cstrans-df-run/CMakeLists.txt b/tests/cstrans-df-run/CMakeLists.txt
index dfb228b3..4f0dbb35 100644
--- a/tests/cstrans-df-run/CMakeLists.txt
+++ b/tests/cstrans-df-run/CMakeLists.txt
@@ -35,3 +35,4 @@ tests_cstrans_df_run(0006)
 tests_cstrans_df_run(0007)
 tests_cstrans_df_run(0008)
 tests_cstrans_df_run(0009)
+tests_cstrans_df_run(0010)
From d059bc72ebf8adff6c1582393529f81d1c401b13 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 3 Nov 2023 10:53:06 +0100
Subject: [PATCH 2/2] cstrans-df-run: ignore space after trailing backslash
Although it does not make any sense, `podman build` seems to do it as well while parsing `Dockerfile`. We need to emulate this behavior to stay compatible.
Resolves: https://issues.redhat.com/browse/OSH-391
Closes: https://github.com/csutils/csdiff/pull/148
---
 src/cstrans-df-run.cc | 2 +-
 tests/cstrans-df-run/0010-stdout.txt | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/cstrans-df-run.cc b/src/cstrans-df-run.cc
index eaebfd61..b218350a 100644
--- a/src/cstrans-df-run.cc
+++ b/src/cstrans-df-run.cc
@@ -59,7 +59,7 @@ class DockerFileTransformer {
 const RE reLineRunExec_ = RE("^RUN *\\[(.*)\\] *$");
 /// match ... in ... BS-NL
- const RE reLineCont_ = RE("(^.*[^\\\\])\\\\$");
+ const RE reLineCont_ = RE("(^.*[^\\\\])\\\\ *$");
 /// match in-line comments
 const RE reComment_ = RE("^\\s*#.*$");
diff --git a/tests/cstrans-df-run/0010-stdout.txt b/tests/cstrans-df-run/0010-stdout.txt
index 86c96f62..6bb2acb7 100644
--- a/tests/cstrans-df-run/0010-stdout.txt
+++ b/tests/cstrans-df-run/0010-stdout.txt
@@ -27,9 +27,7 @@ RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-
 # Rootless/unprivileged buildah configurations
 # https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md
-RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "touch /etc/subgid /etc/subuid && chmod g=u /etc/subgid /etc/subuid /etc/passwd && echo 'podman:100000:65536' > /etc/subuid && echo 'podman:100000:65536' > /etc/subgid && \tmkdir -p /home/podman/.config/containers && (echo '[storage]';echo 'driver = \"vfs\"') > /home/podman/.config/containers/storage.conf && \\ "]
- sed -i 's/short-name-mode="enforcing"/short-name-mode="permissive"/g' /etc/containers/registries.conf && \
- mkdir /certs /home/podman/.config/cni && chown podman:podman /certs /home/podman/.config/cni
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "touch /etc/subgid /etc/subuid && chmod g=u /etc/subgid /etc/subuid /etc/passwd && echo 'podman:100000:65536' > /etc/subuid && echo 'podman:100000:65536' > /etc/subgid && \tmkdir -p /home/podman/.config/containers && (echo '[storage]';echo 'driver = \"vfs\"') > /home/podman/.config/containers/storage.conf && sed -i 's/short-name-mode=\"enforcing\"/short-name-mode=\"permissive\"/g' /etc/containers/registries.conf && \tmkdir /certs /home/podman/.config/cni && chown podman:podman /certs /home/podman/.config/cni"]
 VOLUME ["/tmp", "/certs"]
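Review bot: `\\\\ *$` in the new `reLineCont_` tolerates only spaces after the trailing backslash, so a backslash followed by a tab still does not count as a continuation and the next line is emitted as a separate instruction instead of being joined into the RUN. If the intent is to mirror the Dockerfile parser, I believe buildkit's continuation check is `\\[ \t]*$` (spaces and tabs) — worth confirming against the parser podman uses — in which case `RE("(^.*[^\\\\])\\\\[ \\t]*$")` would track it and also be consistent with the `\\s*` just introduced in `reComment_`. The `/// match ... in ... BS-NL` comment should state the new tolerance, e.g. `/// match a line ending with backslash, ignoring trailing spaces (podman does the same)`. The enclosing `DockerFileTransformer` class starts before the hunk.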