
Commit 0198ab6

authored
Adds annotations, provenance and SBOM to docker images (#65)
* Adds annotations, provenance and SBOM to docker images. * Fixes docker engine builders for alpine images. This work is courtesy of Craig Andrews (@candrews). Thank you!
1 parent 7c3abb0 commit 0198ab6

18 files changed

Lines changed: 362 additions & 264 deletions


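--- a/clamav-bytecode-compiler/1.4/ubuntu/Jenkinsfile
+++ b/clamav-bytecode-compiler/1.4/ubuntu/Jenkinsfile
@@ -69,37 +69,35 @@ node('docker') {
 // And maybe also the 'latest' and 'stable' images.
 //
 
-// Build X.Y.Z-R image
-sh """
-docker build --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" .
-"""
-
-// Publish X.Y.Z-R tag
-sh """
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}
-"""
-
-// Publish X.Y.Z tag
-sh """
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}
-"""
-
-// Publish X.Y tag
-sh """
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}
-"""
-
 if (params.IS_LATEST) {
-// Create & Publish 'stable' and 'latest' tags.
+// Create & Publish 'stable_base' and 'latest_base' tags.
 sh """
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable
-
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest
+docker buildx build --sbom=true --provenance mode=max,builder-id=${BUILD_URL} \
+--annotation org.opencontainers.image.url=${params.REPOSITORY} \
+--annotation org.opencontainers.image.source=${params.REPOSITORY} \
+--annotation org.opencontainers.image.version=${params.FULL_VERSION} \
+--annotation org.opencontainers.image.ref.name=${params.BRANCH} \
+--annotation org.opencontainers.image.created="\$(date -Iseconds)" \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest \
+--no-cache --push .
+"""
+}
+else {
+sh """
+docker buildx build --sbom=true --provenance mode=max,builder-id=${BUILD_URL} \
+--annotation org.opencontainers.image.url=${params.REPOSITORY} \
+--annotation org.opencontainers.image.source=${params.REPOSITORY} \
+--annotation org.opencontainers.image.version=${params.FULL_VERSION} \
+--annotation org.opencontainers.image.ref.name=${params.BRANCH} \
+--annotation org.opencontainers.image.created="\$(date -Iseconds)" \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION} \
+--no-cache --push .
 """
 }
 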
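Review bot: The new `--annotation org.opencontainers.image.ref.name=${params.BRANCH}` and `--annotation org.opencontainers.image.url=${params.REPOSITORY}` lines (new lines 76–79 and again 92–95) splice Jenkins job parameters into the `sh` command through Groovy string interpolation with no shell quoting, so a parameter value containing whitespace or shell metacharacters alters the command instead of just the annotation; the same pattern is repeated in every Jenkinsfile touched by this commit. The safer form is to hand the values to the shell as environment variables and read them inside a single-quoted step, e.g. `withEnv(["BRANCH=${params.BRANCH}", "REPOSITORY=${params.REPOSITORY}"]) { sh '''docker buildx build ... --annotation "org.opencontainers.image.ref.name=$BRANCH" ...''' }`, or at minimum double-quote each annotation value the way clamav/1.0/alpine/scripts/update_db_image.sh does in this same commit. Separately, the replaced comment at new line 73, `// Create & Publish 'stable_base' and 'latest_base' tags.`, names tags this file never pushes; the tags below are `:stable` and `:latest`, so the original wording `// Create & Publish 'stable' and 'latest' tags.` was the correct one here. The enclosing `node('docker')` block starts and ends outside the hunk.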

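--- a/clamav-bytecode-compiler/unstable/ubuntu/Jenkinsfile
+++ b/clamav-bytecode-compiler/unstable/ubuntu/Jenkinsfile
@@ -64,13 +64,12 @@ node('docker') {
 //
 
 sh """
-docker build --no-cache --tag "${params.IMAGE_NAME}:unstable" .
-
-# Make a tag with the registry name in it so we can push wherever
-docker image tag ${params.IMAGE_NAME}:unstable ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:unstable
-
-# Push the image/tag
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:unstable
+docker buildx build --sbom=true --provenance mode=max,builder-id=${BUILD_URL} \
+--annotation org.opencontainers.image.url=${params.REPOSITORY} \
+--annotation org.opencontainers.image.source=${params.REPOSITORY} \
+--annotation org.opencontainers.image.created="\$(date -Iseconds)" \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:unstable \
+--no-cache --push .
 """
 
 // log-out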
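Review bot: The unstable build (new lines 67–72) records only the url, source and created annotations, while the other Jenkinsfiles in this commit also set `org.opencontainers.image.version` and `org.opencontainers.image.ref.name`; an image carrying provenance but no ref.name is harder to trace back to the branch it was built from when an incident response asks which source produced it. If this job exposes a BRANCH parameter, adding `--annotation org.opencontainers.image.ref.name=${params.BRANCH} \` after the source annotation keeps the metadata consistent across images; a version annotation may reasonably not apply to an unstable build, so omitting that one is defensible. The `sh` step is fully inside the hunk, but the `node('docker')` block around it starts and ends outside.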

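--- a/clamav/1.0/alpine/Jenkinsfile
+++ b/clamav/1.0/alpine/Jenkinsfile
@@ -75,36 +75,36 @@ node('docker') {
 //
 
 // Build X.Y.Z-R_base image.
-sh """
-docker build --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base" .
-"""
-
-// Publish X.Y.Z-R_base tag
-sh """
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base
-"""
-
-// Publish X.Y.Z_base tag
-sh """
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}_base
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}_base
-"""
-
-// Publish X.Y_base tag
-sh """
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}_base
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}_base
-"""
 
 if (params.IS_LATEST) {
 // Create & Publish 'stable_base' and 'latest_base' tags.
 sh """
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable_base
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable_base
-
-docker image tag ${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest_base
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest_base
+docker buildx build --sbom=true --provenance mode=max,builder-id=${BUILD_URL} \
+--annotation org.opencontainers.image.url=${params.REPOSITORY} \
+--annotation org.opencontainers.image.source=${params.REPOSITORY} \
+--annotation org.opencontainers.image.version=${params.FULL_VERSION} \
+--annotation org.opencontainers.image.ref.name=${params.BRANCH} \
+--annotation org.opencontainers.image.created="\$(date -Iseconds)" \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest_base \
+--no-cache --push .
+"""
+}
+else {
+sh """
+docker buildx build --sbom=true --provenance mode=max,builder-id=${BUILD_URL} \
+--annotation org.opencontainers.image.url=${params.REPOSITORY} \
+--annotation org.opencontainers.image.source=${params.REPOSITORY} \
+--annotation org.opencontainers.image.version=${params.FULL_VERSION} \
+--annotation org.opencontainers.image.ref.name=${params.BRANCH} \
+--annotation org.opencontainers.image.created="\$(date -Iseconds)" \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}_base \
+--no-cache --push .
 """
 }
 
@@ -128,25 +128,22 @@ node('docker') {
 """
 
 // Publish X.Y.Z tag (without the _base suffix)
-sh """
-docker image tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}
-"""
-
-// Publish X.Y tag (without the _base suffix)
-sh """
-docker image tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}
-"""
 
 if (params.IS_LATEST) {
 // Create & Publish 'stable' and 'latest' tags.
 sh """
-docker image tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable
-
-docker image tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest
-docker image push ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest
+docker buildx imagetools create ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest
+"""
+}
+else {
+sh """
+docker buildx imagetools create ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION} \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}
 """
 }
 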
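Review bot: In the second hunk the context comment `// Publish X.Y.Z tag (without the _base suffix)` at line 130 now introduces nothing: the `sh` block it described was deleted and the X.Y.Z and X.Y tagging moved into the `docker buildx imagetools create` calls in both branches of `if (params.IS_LATEST)`, while the `// Create & Publish 'stable' and 'latest' tags.` comment inside the `if` no longer covers what that branch does. Replace the orphaned line with one comment directly above the `if`, e.g. `// Publish X.Y.Z and X.Y tags (without the _base suffix); add 'stable' and 'latest' when IS_LATEST.`, and drop the inner one. The first hunk has the same shape: `// Build X.Y.Z-R_base image.` at line 77 is now followed by a blank line and the `if`, with the build it names living inside both branches, so it should move down to sit on the `if` as well. The `node('docker')` block enclosing both hunks starts and ends outside them.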

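--- a/clamav/1.0/alpine/scripts/update_db_image.sh
+++ b/clamav/1.0/alpine/scripts/update_db_image.sh
@@ -92,9 +92,13 @@ clamav_db_update()
 echo "RUN freshclam --foreground --stdout && rm /var/lib/clamav/freshclam.dat || rm /var/lib/clamav/mirrors.dat || true"
 } | \
 # Pull and Build the updated image with the tag without the _base suffix.
-docker image build --pull --rm --tag "${docker_registry}/${clamav_docker_namespace}/${clamav_docker_image}:${_tag%%_base}" -
-# Push the updated image with the tag without the _base suffix.
-docker image push "${docker_registry}/${clamav_docker_namespace}/${clamav_docker_image}:${_tag%%_base}"
+docker buildx build --sbom=true --provenance mode=max,builder-id="${BUILD_URL}" \
+--annotation "org.opencontainers.image.url=${REPOSITORY}" \
+--annotation "org.opencontainers.image.source=${REPOSITORY}" \
+--annotation "org.opencontainers.image.version=${FULL_VERSION}" \
+--annotation "org.opencontainers.image.ref.name=${BRANCH}" \
+--annotation "org.opencontainers.image.created=$(date -Iseconds)" \
+--pull --push --rm --tag "${docker_registry}/${clamav_docker_namespace}/${clamav_docker_image}:${_tag%%_base}" -
 done
 }
 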
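Review bot: The rebuilt `docker buildx build` (new lines 95–101) reads `BUILD_URL`, `REPOSITORY`, `FULL_VERSION` and `BRANCH` from the environment, and nothing in the hunk defines or checks them; if the calling pipeline does not export them they expand to empty strings, so `builder-id=` and the annotations are silently written empty and the provenance attestation attached to the pushed image points at nothing. Guard them before the loop, e.g. `: "${BUILD_URL:?BUILD_URL must be set}"` with matching lines for `REPOSITORY`, `FULL_VERSION` and `BRANCH`, so a misconfigured caller fails before anything is pushed. The values are double-quoted here, which is the form the Jenkinsfile variants in this commit should also adopt. `clamav_db_update()` and the `for`/`done` loop around this command start outside the hunk, so where the guard lands depends on what the script does above line 92.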

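--- a/clamav/1.0/debian/Jenkinsfile
+++ b/clamav/1.0/debian/Jenkinsfile
@@ -87,25 +87,40 @@ node('macos-newer') {
 // - stable, stable_base
 //
 
+// Build X.Y.Z-R_base image.
+
 if (params.IS_LATEST) {
 // Create & Publish 'stable_base' and 'latest_base' tags.
 sh """
-docker buildx build --no-cache --platform linux/amd64,linux/arm64,linux/ppc64le \
---tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base \
---tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}_base \
---tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}_base \
---tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable_base \
---tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest_base \
---push .
+docker buildx build --no-cache --platform linux/amd64,linux/arm64,linux/ppc64le \
+--sbom=true --provenance mode=max,builder-id=${BUILD_URL} \
+--annotation org.opencontainers.image.url=${params.REPOSITORY} \
+--annotation org.opencontainers.image.source=${params.REPOSITORY} \
+--annotation org.opencontainers.image.version=${params.FULL_VERSION} \
+--annotation org.opencontainers.image.ref.name=${params.BRANCH} \
+--annotation org.opencontainers.image.created="\$(date -Iseconds)" \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest_base \
+--push .
 """
-} else {
-sh """
+}
+else {
+sh """
 docker buildx build --no-cache --platform linux/amd64,linux/arm64,linux/ppc64le \
---tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base \
---tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}_base \
---tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}_base \
---push .
-"""
+--sbom=true --provenance mode=max,builder-id=${BUILD_URL} \
+--annotation org.opencontainers.image.url=${params.REPOSITORY} \
+--annotation org.opencontainers.image.source=${params.REPOSITORY} \
+--annotation org.opencontainers.image.version=${params.FULL_VERSION} \
+--annotation org.opencontainers.image.ref.name=${params.BRANCH} \
+--annotation org.opencontainers.image.created="\$(date -Iseconds)" \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}_base \
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}_base \
+--push .
+"""
 }
 
 // The update_db_image.sh script will query for tags during the update process.
@@ -138,14 +153,13 @@ node('macos-newer') {
 --tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:stable \
 --tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:latest
 """
-} else {
+}
+else {
 sh """
 docker buildx imagetools create ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER} \
 --tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FULL_VERSION} \
---tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION} \
-
+--tag ${params.DOCKER_REGISTRY}/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.FEATURE_VERSION}
 """
-
 }
 
 // log-out (again)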
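Review bot: The `} else {` on old lines 101 and 141 is split into `}` and `else {` on separate lines (new lines 109–110 and 156–157), a reformat unrelated to the annotation and provenance change; the one-line form was what this file already used, so keeping `} else {` would leave the hunks to their substantive lines and make the diff easier to audit. The new comment `// Build X.Y.Z-R_base image.` at new line 90 is also separated from the `if (params.IS_LATEST) {` it describes by a blank line; placing it directly above the `if` ties it to the two builds inside. In the second hunk, dropping the trailing ` \` from the last `--tag` line and the stray blank line that followed it is a genuine fix, since a line continuation followed by an empty line would have passed an empty argument to `imagetools create`. The `node('macos-newer')` block enclosing both hunks starts and ends outside them.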
