From 6df444202934a365ee0a5579fb7f88a4e8afc3ce Mon Sep 17 00:00:00 2001 From: Laurent Goderre Date: Thu, 5 Oct 2023 10:26:03 -0400 Subject: [PATCH] Added attestation for Gosu --- .gitignore | 1 + 5.7/Dockerfile.oracle | 3 ++- 8.0/Dockerfile.debian | 3 ++- 8.0/Dockerfile.oracle | 3 ++- apply-templates.sh | 7 +++++++ innovation/Dockerfile.oracle | 3 ++- template/Dockerfile.debian | 18 ++++++++++++++++-- template/Dockerfile.oracle | 18 ++++++++++++++++-- versions.json | 9 +++++++++ versions.sh | 7 ++++++- 10 files changed, 63 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index d548f66de..c8db931ea 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .jq-template.awk +.template-helper-functions.jq diff --git a/5.7/Dockerfile.oracle b/5.7/Dockerfile.oracle index 07a3a703f..f54f192cf 100644 --- a/5.7/Dockerfile.oracle +++ b/5.7/Dockerfile.oracle @@ -29,7 +29,8 @@ RUN set -eux; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ chmod +x /usr/local/bin/gosu; \ gosu --version; \ - gosu nobody true + gosu nobody true; \ + echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"gosu-sbom","packages":[{"name":"gosu","versionInfo":"1.16","SPDXID":"SPDXRef-Package--gosu","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/gosu@1.16?os_name=oraclelinux&os_version=7-slim"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/gosu.spdx.json RUN set -eux; \ # https://github.com/docker-library/mysql/pull/871#issuecomment-1167954236 diff --git a/8.0/Dockerfile.debian b/8.0/Dockerfile.debian index ae7257bc1..6da4c2205 100644 --- a/8.0/Dockerfile.debian +++ b/8.0/Dockerfile.debian 
@@ -32,7 +32,8 @@ RUN set -eux; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ chmod +x /usr/local/bin/gosu; \ gosu --version; \ - gosu nobody true + gosu nobody true; \ + echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"gosu-sbom","packages":[{"name":"gosu","versionInfo":"1.16","SPDXID":"SPDXRef-Package--gosu","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/gosu@1.16?os_name=debian&os_version=bullseye"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/gosu.spdx.json RUN mkdir /docker-entrypoint-initdb.d diff --git a/8.0/Dockerfile.oracle b/8.0/Dockerfile.oracle index 0a843c849..ece2ed0f7 100644 --- a/8.0/Dockerfile.oracle +++ b/8.0/Dockerfile.oracle @@ -29,7 +29,8 @@ RUN set -eux; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ chmod +x /usr/local/bin/gosu; \ gosu --version; \ - gosu nobody true + gosu nobody true; \ + echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"gosu-sbom","packages":[{"name":"gosu","versionInfo":"1.16","SPDXID":"SPDXRef-Package--gosu","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/gosu@1.16?os_name=oraclelinux&os_version=8-slim"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/gosu.spdx.json RUN set -eux; \ microdnf install -y \ diff --git a/apply-templates.sh b/apply-templates.sh index ee553ff8f..e38da8ad0 100755 --- a/apply-templates.sh +++ b/apply-templates.sh 
@@ -13,6 +13,13 @@ elif [ "$BASH_SOURCE" -nt "$jqt" ]; then wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/9f6a35772ac863a0241f147c820354e4008edf38/scripts/jq-template.awk' fi +jqf='.template-helper-functions.jq' +if [ -n "${BASHBREW_SCRIPTS:-}" ]; then + jqf="$BASHBREW_SCRIPTS/template-helper-functions.jq" +elif [ "$BASH_SOURCE" -nt "$jqf" ]; then + wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/master/scripts/template-helper-functions.jq' +fi + if [ "$#" -eq 0 ]; then versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)" eval "set -- $versions" diff --git a/innovation/Dockerfile.oracle b/innovation/Dockerfile.oracle index f6cff6f6b..1bba80af3 100644 --- a/innovation/Dockerfile.oracle +++ b/innovation/Dockerfile.oracle @@ -29,7 +29,8 @@ RUN set -eux; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ chmod +x /usr/local/bin/gosu; \ gosu --version; \ - gosu nobody true + gosu nobody true; \ + echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"gosu-sbom","packages":[{"name":"gosu","versionInfo":"1.16","SPDXID":"SPDXRef-Package--gosu","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/gosu@1.16?os_name=oraclelinux&os_version=8-slim"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/gosu.spdx.json RUN set -eux; \ microdnf install -y \ diff --git a/template/Dockerfile.debian b/template/Dockerfile.debian index 9caae222d..b5ea921a7 100644 --- a/template/Dockerfile.debian +++ b/template/Dockerfile.debian @@ -1,3 +1,4 @@ +{{ include ".template-helper-functions" -}} FROM debian:{{ .debian.suite }}-slim # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added 
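Review bot: The new `wget` for `template-helper-functions.jq` pulls from the mutable `master` ref, while the `jq-template.awk` download directly above it is pinned to a commit hash. This helper produces text that is written into every generated Dockerfile, so an upstream change would silently alter the output of the next `apply-templates.sh` run and make it non-reproducible. Pin it the same way, e.g. `wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/<pinned-commit-sha>/scripts/template-helper-functions.jq'` (placeholder: use a commit that contains the file), and consider comparing the download against a recorded sha256 before it is used. The script continues outside this hunk.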
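Review bot: `include ".template-helper-functions"` may not resolve when `BASHBREW_SCRIPTS` is set, because it names the dot-prefixed file that apply-templates.sh downloads into the working directory. In that mode the script points `jqf` at `$BASHBREW_SCRIPTS/template-helper-functions.jq` and creates no dot-prefixed copy. Nothing in the visible hunks passes `jqf` or a library path to the template engine, so this is inferred; please confirm how `jq-template.awk` locates includes. The same include is added to template/Dockerfile.oracle, and a short comment beside the `jqf` assignment stating where the include is looked up would settle it for the next reader.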
@@ -7,7 +8,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends gnupg && rm -rf # add gosu for easy step-down from root # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.16 +ENV GOSU_VERSION {{ .gosu.version }} RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ @@ -26,7 +27,20 @@ RUN set -eux; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ chmod +x /usr/local/bin/gosu; \ gosu --version; \ - gosu nobody true + gosu nobody true; \ + echo {{ + { + name: "gosu", + version: .gosu.version, + params: { + os_name: "debian", + os_version: .debian.suite + }, + licenses: [ + "Apache-2.0" + ] + } | sbom | tostring | @sh + }} > /usr/local/gosu.spdx.json RUN mkdir /docker-entrypoint-initdb.d diff --git a/template/Dockerfile.oracle b/template/Dockerfile.oracle index 1027d4466..133b734ba 100644 --- a/template/Dockerfile.oracle +++ b/template/Dockerfile.oracle @@ -1,4 +1,5 @@ {{ + include ".template-helper-functions"; def dnf: if .oracle.variant | startswith("7") then "yum" @@ -21,7 +22,7 @@ RUN set -eux; \ # add gosu for easy step-down from root # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.16 +ENV GOSU_VERSION {{ .gosu.version }} RUN set -eux; \ # TODO find a better userspace architecture detection method than querying the kernel arch="$(uname -m)"; \ @@ -38,7 +39,20 @@ RUN set -eux; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ chmod +x /usr/local/bin/gosu; \ gosu --version; \ - gosu nobody true + gosu nobody true; \ + echo {{ + { + name: "gosu", + version: .gosu.version, + params: { + os_name: "oraclelinux", + os_version: .oracle.variant + }, + licenses: [ + "Apache-2.0" + ] + } | sbom | tostring | @sh + }} > /usr/local/gosu.spdx.json RUN set -eux; \ {{ if .oracle.variant | startswith("7") then ( -}} diff --git a/versions.json b/versions.json index b5a8fad25..ff3cd3029 100644 --- a/versions.json +++ b/versions.json 
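Review bot: The SPDX document written to `/usr/local/gosu.spdx.json` in the `@@ -26,7 +27,20 @@` hunk is built only from template data (`.gosu.version` and the OS name and suite). It therefore records what the Dockerfile intended to install rather than anything measured from the binary, whereas the commit subject's word "attestation" can be read as signed or verified. Judging by the generated Dockerfiles in this patch, the package entry carries no checksum, so a scanner cannot tie it to the file at `/usr/local/bin/gosu`. I would add a comment above the `echo`, such as `# self-declared SBOM entry for image scanners; not a signature or proof of what was downloaded`, and include a digest of the binary if the `sbom` helper (not visible here) supports one. The same applies to the matching `@@ -38,7 +39,20 @@` hunk in template/Dockerfile.oracle; the RUN instruction starts outside both hunks.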
@@ -1,5 +1,8 @@ { "5.7": { + "gosu": { + "version": "1.16" + }, "mysql-shell": { "version": "8.0.34-1.el7" }, @@ -20,6 +23,9 @@ "suite": "bullseye", "version": "8.0.34-1debian11" }, + "gosu": { + "version": "1.16" + }, "mysql-shell": { "version": "8.0.34-1.el8" }, @@ -34,6 +40,9 @@ "version": "8.0.34" }, "innovation": { + "gosu": { + "version": "1.16" + }, "mysql-shell": { "version": "8.0.34-1.el8" }, diff --git a/versions.sh b/versions.sh index a76f2b1a7..b922f02a6 100755 --- a/versions.sh +++ b/versions.sh @@ -17,6 +17,8 @@ declare -A bashbrewArchToRpmArch=( [arm64v8]='aarch64' ) +gosuVersion='1.16' + fetch_rpm_versions() { local repo="$1"; shift local arch="$1"; shift @@ -144,7 +146,7 @@ for version in "${versions[@]}"; do echo >&2 "error: Oracle and Debian version mismatch! ('$oracleBaseVersion' vs '$baseVersion')" exit 1 fi - export baseVersion rpmVersion shellVersion oracleVariant + export baseVersion rpmVersion shellVersion oracleVariant gosuVersion doc="$(jq <<<"$doc" -c ' . += { version: env.baseVersion, @@ -155,6 +157,9 @@ for version in "${versions[@]}"; do "mysql-shell": { version: env.shellVersion, }, + "gosu": { + version: env.gosuVersion + } } ')"
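Review bot: `gosuVersion='1.16'` in the first versions.sh hunk is a hand-maintained constant with no comment, in a script whose other versions appear to be looked up at run time (see `fetch_rpm_versions`). A stale pin would go unnoticed and would also be copied into the generated SBOM. A comment above it would make the manual step explicit, e.g. `# gosu is not auto-detected; bump by hand from https://github.com/tianon/gosu/releases`. The `for version` loop that exports and consumes the value starts and ends outside the hunks shown.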