build: use the same alpine base image in all dockerfiles

Signed-off-by: nscuro <nscuro@protonmail.com>
CycloneDX · Jun 28, 2022 · 966e6fb · 966e6fb
1 parent 1c8f56f
commit 966e6fb
Show file tree

Hide file tree

Showing 15 changed files with 114 additions and 111 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,9 @@
+/.github/
+/bin/
+/dist/
+*.md
+*.yml
+Dockerfile*
+CODEOWNERS
+LICENSE
+NOTICE
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -47,7 +47,7 @@ jobs:
       uses: aquasecurity/trivy-action@0.5.0
       with:
         scan-type: config
-        skip-files: Dockerfile.gitpod
+        skip-files: "Dockerfile.examples,Dockerfile.gitpod"
         severity: "MEDIUM,HIGH,CRITICAL"
         exit-code: "1"
 

diff --git a/.github/workflows/goreleaser-ci.yml b/.github/workflows/goreleaser-ci.yml
@@ -26,4 +26,4 @@ jobs:
       uses: goreleaser/goreleaser-action@v3.0.0
       with:
         version: 1.7.0
-        args: release --skip-publish --snapshot
+        args: release --skip-publish --skip-sign --snapshot
diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,12 @@
-FROM golang:1.18.0-alpine3.15@sha256:bb6ae029f163091e27c15094dba9b63429e301a7a6856cf1427439efe94e95f1 as build
-ARG VERSION=latest
-WORKDIR /tmp/cyclonedx-gomod
+FROM golang:1.18.3-alpine3.16@sha256:7cc62574fcf9c5fb87ad42a9789d5539a6a085971d58ee75dd2ee146cb8a8695 AS build
+WORKDIR /usr/src/app
 RUN apk --no-cache add git make
+COPY ./go.mod ./go.sum ./
+RUN go mod download
 COPY . .
 RUN make install
 
-FROM golang:1.18.0-alpine3.15@sha256:bb6ae029f163091e27c15094dba9b63429e301a7a6856cf1427439efe94e95f1
+FROM golang:1.18.3-alpine3.16@sha256:7cc62574fcf9c5fb87ad42a9789d5539a6a085971d58ee75dd2ee146cb8a8695
 COPY --from=build /go/bin/cyclonedx-gomod /usr/local/bin/
 USER 1000
 ENTRYPOINT ["cyclonedx-gomod"]

diff --git a/Dockerfile.examples b/Dockerfile.examples
@@ -1,57 +1,50 @@
 # This Dockerfile is meant for generating example SBOMs in a way
 # that is reproducible for everyone.
-#
-# To use, simply run:
-#   make examples-image
-#   make examples
-# The resulting files will be written to ./examples/*.bom.json
-#
-# Note that this currently only works when cyclonedx-gomod was built
-# for linux/amd64. If you're on a different platform, you'll have to run
-#   GOOS=linux GOARCH=amd64 make examples-image
-# instead.
-FROM golang:1.18.0-bullseye@sha256:ada87de4d857ada7d975fd143bee1a58a9cb597639233a8adcd92bf2cbbfe7fe
-
+FROM golang:1.18.3-alpine3.16@sha256:7cc62574fcf9c5fb87ad42a9789d5539a6a085971d58ee75dd2ee146cb8a8695 AS build
+WORKDIR /usr/src/app
+RUN apk --no-cache add git make
+COPY ./go.mod ./go.sum ./
+RUN go mod download
+COPY . .
+RUN make install
+
+FROM golang:1.18.3-alpine3.16@sha256:7cc62574fcf9c5fb87ad42a9789d5539a6a085971d58ee75dd2ee146cb8a8695
 VOLUME /examples
 
-# Create non-root user
-RUN useradd -m --uid 1000 cdx
+# Install prerequisites
+RUN apk --no-cache add git icu-dev && \
+    git config --system advice.detachedHead false
 
 # Install CycloneDX CLI
-RUN apt update && \
-    apt install -y libicu-dev && \
-    wget -q -O /usr/local/bin/cyclonedx https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.22.0/cyclonedx-linux-x64 && \
-    echo "ae39404a9dc8b2e7be0a9559781ee9fe3492201d2629de139d702fd4535ffdd6 /usr/local/bin/cyclonedx" | sha256sum -c && \
+RUN if [ "$(uname -m)" == "aarch64" ]; then CLI_ARCH="arm64"; else CLI_ARCH="musl-x64"; fi && \
+    wget -q -O /usr/local/bin/cyclonedx "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.0/cyclonedx-linux-${CLI_ARCH}" && \
     chmod +x /usr/local/bin/cyclonedx
 
-# Create generation script
-RUN echo "#!/bin/bash\n\n\
-set -x \n\
-cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1.bom.json -licenses -main cmd/minikube /home/cdx/minikube \n\
-cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1_with-packages.bom.json -licenses -packages -main cmd/minikube /home/cdx/minikube \n\
-cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1_with-files.bom.json -licenses -packages -files -main cmd/minikube /home/cdx/minikube \n\
-cyclonedx-gomod mod -json -output /examples/mod_minikube-v1.23.1.bom.json -licenses /home/cdx/minikube \n\
-cyclonedx-gomod bin -json -output /examples/bin_minikube-v1.23.1.bom.json -licenses -version v1.23.1 /home/cdx/minikube-linux-amd64 \n\
+# Install cyclonedx-gomod
+COPY --from=build /go/bin/cyclonedx-gomod /usr/local/bin/
+
+# Create example SBOM generation script.
+# The script clones a specific Minikube version and downloads a corresponding prebuilt Minikube binary.
+# It then generates SBOMs for Minikube in multiple flavors and checks their validity using the CycloneDX CLI.
+RUN echo -e "#!/bin/sh\n\n\
+set -ex\n\
+git clone --branch v1.23.1 --single-branch https://github.com/kubernetes/minikube.git /tmp/minikube \n\
+wget -q -O /tmp/minikube-linux-amd64 https://github.com/kubernetes/minikube/releases/download/v1.23.1/minikube-linux-amd64 \n\
+echo 'fc23f94e870b18c2fc015af18fe2dee00452059100e42a5483b9440da1a5fba2  /tmp/minikube-linux-amd64' | sha256sum -c \n\
+chmod +x /tmp/minikube-linux-amd64 \n\
+\n\
+cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1.bom.json -licenses -main cmd/minikube /tmp/minikube \n\
+cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1_with-packages.bom.json -licenses -packages -main cmd/minikube /tmp/minikube \n\
+cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1_with-files.bom.json -licenses -packages -files -main cmd/minikube /tmp/minikube \n\
+cyclonedx-gomod mod -json -output /examples/mod_minikube-v1.23.1.bom.json -licenses /tmp/minikube \n\
+cyclonedx-gomod bin -json -output /examples/bin_minikube-v1.23.1.bom.json -licenses -version v1.23.1 /tmp/minikube-linux-amd64 \n\
+\n\
 cyclonedx validate --input-file /examples/app_minikube-v1.23.1.bom.json --input-format json --input-version v1_4 --fail-on-errors \n\
 cyclonedx validate --input-file /examples/app_minikube-v1.23.1_with-packages.bom.json --input-format json --input-version v1_4 --fail-on-errors \n\
 cyclonedx validate --input-file /examples/app_minikube-v1.23.1_with-files.bom.json --input-format json --input-version v1_4 --fail-on-errors \n\
 cyclonedx validate --input-file /examples/mod_minikube-v1.23.1.bom.json --input-format json --input-version v1_4 --fail-on-errors \n\
-cyclonedx validate --input-file /examples/bin_minikube-v1.23.1.bom.json --input-format json --input-version v1_4 --fail-on-errors \n\
-" > /home/cdx/generate-examples.sh
-
-# Install cyclonedx-gomod
-COPY ./cyclonedx-gomod /usr/local/bin/
-
-# Change to non-root user
-USER cdx
-WORKDIR /home/cdx
-
-# Clone minikube repo and download binary
-RUN git config --global advice.detachedHead false && \
-    git clone --branch v1.23.1 --single-branch https://github.com/kubernetes/minikube.git && \
-    wget -q https://github.com/kubernetes/minikube/releases/download/v1.23.1/minikube-linux-amd64 && \
-    echo "fc23f94e870b18c2fc015af18fe2dee00452059100e42a5483b9440da1a5fba2 minikube-linux-amd64" | sha256sum -c && \
-    chmod +x minikube-linux-amd64
+cyclonedx validate --input-file /examples/bin_minikube-v1.23.1.bom.json --input-format json --input-version v1_4 --fail-on-errors \
+" > /usr/local/bin/generate-examples.sh
 
-ENTRYPOINT ["/bin/bash"]
-CMD ["/home/cdx/generate-examples.sh"]
+ENTRYPOINT ["/bin/sh"]
+CMD ["/usr/local/bin/generate-examples.sh"]
diff --git a/Dockerfile.gitpod b/Dockerfile.gitpod
@@ -3,8 +3,8 @@ FROM gitpod/workspace-go:latest
 USER root
 
 RUN \
-    wget -O "/usr/local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.22.0/cyclonedx-linux-x64 && \
-    echo "ae39404a9dc8b2e7be0a9559781ee9fe3492201d2629de139d702fd4535ffdd6 /usr/local/bin/cyclonedx" | sha256sum -c && \
+    wget -O "/usr/local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.0/cyclonedx-linux-x64 && \
+    echo "691cf7ed82ecce1f85e6d21bccd1ed2d7968e40eb6be7504b392c8b3a0943891 /usr/local/bin/cyclonedx" | sha256sum -c && \
     chmod +x "/usr/local/bin/cyclonedx"
 
 USER gitpod
diff --git a/Dockerfile.goreleaser b/Dockerfile.goreleaser
@@ -1,6 +1,6 @@
 # This Dockerfile is meant for GoReleaser exclusively, see .goreleaser.yml.
 # For manual builds, please use the regular Dockerfile or simply run "make docker".
-FROM golang:1.18.0-alpine3.15@sha256:bb6ae029f163091e27c15094dba9b63429e301a7a6856cf1427439efe94e95f1
+FROM golang:1.18.3-alpine3.16@sha256:7cc62574fcf9c5fb87ad42a9789d5539a6a085971d58ee75dd2ee146cb8a8695
 COPY cyclonedx-gomod /usr/local/bin/
 USER 1000
 ENTRYPOINT ["cyclonedx-gomod"]

diff --git a/Makefile b/Makefile
@@ -1,16 +1,13 @@
-ifeq ($(VERSION),)
-	VERSION=v0.0.0-$(shell git show -s --date=format:'%Y%m%d%H%M%S' --format=%cd HEAD)-$(shell git rev-parse HEAD | head -c 12)
-endif
-
-LDFLAGS="-s -w -X github.com/CycloneDX/cyclonedx-gomod/internal/version.Version=${VERSION}"
+GOFLAGS=-trimpath
+LDFLAGS="-s -w"
 
 build:
 	mkdir -p ./bin
-	CGO_ENABLED=0 go build -v -ldflags=${LDFLAGS} -o ./bin/cyclonedx-gomod ./cmd/cyclonedx-gomod
+	CGO_ENABLED=0 go build -v ${GOFLAGS} -ldflags=${LDFLAGS} -o ./bin/cyclonedx-gomod ./cmd/cyclonedx-gomod
 .PHONY: build
 
 install:
-	CGO_ENABLED=0 go install -v -ldflags=${LDFLAGS} ./cmd/cyclonedx-gomod
+	CGO_ENABLED=0 go install -v ${GOFLAGS} -ldflags=${LDFLAGS} ./cmd/cyclonedx-gomod
 .PHONY: install
 
 unit-test:
@@ -22,23 +19,25 @@ test:
 .PHONY: test
 
 clean:
-	go clean ./...
+	rm -rf ./bin
+	rm -rf ./dist
+	go clean -testcache ./...
 .PHONY: clean
 
 docker:
 	docker build -t cyclonedx/cyclonedx-gomod -f Dockerfile .
 .PHONY: docker
 
 goreleaser-dryrun:
-	goreleaser release --skip-publish --snapshot
+	goreleaser release --skip-publish --skip-sign --snapshot
 .PHONY: goreleaser-dryrun
 
-examples-image: build
-	docker build -t cyclonedx-gomod-examples -f Dockerfile.examples ./bin
-.PHONY: examples-image
+build-examples-image:
+	docker build -t cyclonedx/cyclonedx-gomod:examples -f Dockerfile.examples .
+.PHONY: build-examples-image
 
-examples:
-	docker run -i --rm -v "$(shell pwd)/examples:/examples" cyclonedx-gomod-examples
+examples: build-examples-image
+	docker run -it --rm -v "$(shell pwd)/examples:/examples" cyclonedx/cyclonedx-gomod:examples
 .PHONY: examples
 
 all: clean build test

diff --git a/README.md b/README.md
@@ -205,7 +205,7 @@ The whole process of generating these examples is encapsulated in [`Dockerfile.e
 To generate them yourself, simply execute the following command:
 
 ```shell
-$ GOOS=linux GOARCH=amd64 make examples-image examples
+$ make examples
 ```
 
 ### GitHub Actions 🤖

diff --git a/examples/app_minikube-v1.23.1.bom.json b/examples/app_minikube-v1.23.1.bom.json
@@ -1,35 +1,35 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:b29ac4c7-4d05-4b87-bfa5-f887c60c8b41",
+  "serialNumber": "urn:uuid:6743d894-5a8d-4b3a-9b61-ff121475b5f3",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-02-11T15:51:18Z",
+    "timestamp": "2022-06-28T20:45:16Z",
     "tools": [
       {
         "vendor": "CycloneDX",
         "name": "cyclonedx-gomod",
-        "version": "v0.0.0-20220211164550-4255da92db09",
+        "version": "v0.0.0-20220628204043-1c8f56f825f1",
         "hashes": [
           {
             "alg": "MD5",
-            "content": "121a56cd685b03d70df1c7086e56e242"
+            "content": "f21d676e30921202afcb21b64278c9b7"
           },
           {
             "alg": "SHA-1",
-            "content": "6a3f516da7e258e73e6d712636253969cede1160"
+            "content": "b0025cf802df534c4320d233920bfaec1635ed15"
           },
           {
             "alg": "SHA-256",
-            "content": "32fda80c9882092e1b767d3b1bfbf323b5d21d09376ef86c2b7facc639af5285"
+            "content": "359849312124c48170a8ff2f5b407a518bdd63a21fba2d1e8d586ac7e7e5d7e0"
           },
           {
             "alg": "SHA-384",
-            "content": "3db4f0b63926754be34c7ea32dfc75781d6f6ce7ec7e5c2299703032ba6221115bf17fd36092a6f832c001611d2efbda"
+            "content": "d0eaf23eeaf1e651eec965a5cc9e88e365eae8f3af58cb661fc93253d214db4fc95a39b75abaa3540363c2a7e34571f5"
           },
           {
             "alg": "SHA-512",
-            "content": "746d71a12901626285f8601115d884ebbbad5abac79466c98938279f28a53ab5c53c24a7e77162fd831c67989edcd4e04f8f3c9f9bdef89d88f30fa3d4c8e2b5"
+            "content": "2f38ff200222392d8f14d532e3d74c7a949ed05fb37e431e3829533b1b6863f4dcce6639fc9e4b63d68517461b827648297ccdb6905d1623a22940b1b8bd3a6d"
           }
         ],
         "externalReferences": [
@@ -65,7 +65,7 @@
         },
         {
           "name": "cdx:gomod:build:env:GOVERSION",
-          "value": "go1.17.7"
+          "value": "go1.18.3"
         }
       ],
       "evidence": {

diff --git a/examples/app_minikube-v1.23.1_with-files.bom.json b/examples/app_minikube-v1.23.1_with-files.bom.json
@@ -1,35 +1,35 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:a084ed87-d5a7-4213-9e8a-1a49c2631e32",
+  "serialNumber": "urn:uuid:a62f5897-2629-4abe-888c-aa5bf0e91a6f",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-02-11T15:51:30Z",
+    "timestamp": "2022-06-28T20:45:28Z",
     "tools": [
       {
         "vendor": "CycloneDX",
         "name": "cyclonedx-gomod",
-        "version": "v0.0.0-20220211164550-4255da92db09",
+        "version": "v0.0.0-20220628204043-1c8f56f825f1",
         "hashes": [
           {
             "alg": "MD5",
-            "content": "121a56cd685b03d70df1c7086e56e242"
+            "content": "f21d676e30921202afcb21b64278c9b7"
           },
           {
             "alg": "SHA-1",
-            "content": "6a3f516da7e258e73e6d712636253969cede1160"
+            "content": "b0025cf802df534c4320d233920bfaec1635ed15"
           },
           {
             "alg": "SHA-256",
-            "content": "32fda80c9882092e1b767d3b1bfbf323b5d21d09376ef86c2b7facc639af5285"
+            "content": "359849312124c48170a8ff2f5b407a518bdd63a21fba2d1e8d586ac7e7e5d7e0"
           },
           {
             "alg": "SHA-384",
-            "content": "3db4f0b63926754be34c7ea32dfc75781d6f6ce7ec7e5c2299703032ba6221115bf17fd36092a6f832c001611d2efbda"
+            "content": "d0eaf23eeaf1e651eec965a5cc9e88e365eae8f3af58cb661fc93253d214db4fc95a39b75abaa3540363c2a7e34571f5"
           },
           {
             "alg": "SHA-512",
-            "content": "746d71a12901626285f8601115d884ebbbad5abac79466c98938279f28a53ab5c53c24a7e77162fd831c67989edcd4e04f8f3c9f9bdef89d88f30fa3d4c8e2b5"
+            "content": "2f38ff200222392d8f14d532e3d74c7a949ed05fb37e431e3829533b1b6863f4dcce6639fc9e4b63d68517461b827648297ccdb6905d1623a22940b1b8bd3a6d"
           }
         ],
         "externalReferences": [
@@ -65,7 +65,7 @@
         },
         {
           "name": "cdx:gomod:build:env:GOVERSION",
-          "value": "go1.17.7"
+          "value": "go1.18.3"
         }
       ],
       "components": [

diff --git a/examples/app_minikube-v1.23.1_with-packages.bom.json b/examples/app_minikube-v1.23.1_with-packages.bom.json
@@ -1,35 +1,35 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:221f88ea-c7b0-4113-b3f1-87705cfe812a",
+  "serialNumber": "urn:uuid:492677da-65eb-48af-9481-f3a787529b9f",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-02-11T15:51:24Z",
+    "timestamp": "2022-06-28T20:45:22Z",
     "tools": [
       {
         "vendor": "CycloneDX",
         "name": "cyclonedx-gomod",
-        "version": "v0.0.0-20220211164550-4255da92db09",
+        "version": "v0.0.0-20220628204043-1c8f56f825f1",
         "hashes": [
           {
             "alg": "MD5",
-            "content": "121a56cd685b03d70df1c7086e56e242"
+            "content": "f21d676e30921202afcb21b64278c9b7"
           },
           {
             "alg": "SHA-1",
-            "content": "6a3f516da7e258e73e6d712636253969cede1160"
+            "content": "b0025cf802df534c4320d233920bfaec1635ed15"
           },
           {
             "alg": "SHA-256",
-            "content": "32fda80c9882092e1b767d3b1bfbf323b5d21d09376ef86c2b7facc639af5285"
+            "content": "359849312124c48170a8ff2f5b407a518bdd63a21fba2d1e8d586ac7e7e5d7e0"
           },
           {
             "alg": "SHA-384",
-            "content": "3db4f0b63926754be34c7ea32dfc75781d6f6ce7ec7e5c2299703032ba6221115bf17fd36092a6f832c001611d2efbda"
+            "content": "d0eaf23eeaf1e651eec965a5cc9e88e365eae8f3af58cb661fc93253d214db4fc95a39b75abaa3540363c2a7e34571f5"
           },
           {
             "alg": "SHA-512",
-            "content": "746d71a12901626285f8601115d884ebbbad5abac79466c98938279f28a53ab5c53c24a7e77162fd831c67989edcd4e04f8f3c9f9bdef89d88f30fa3d4c8e2b5"
+            "content": "2f38ff200222392d8f14d532e3d74c7a949ed05fb37e431e3829533b1b6863f4dcce6639fc9e4b63d68517461b827648297ccdb6905d1623a22940b1b8bd3a6d"
           }
         ],
         "externalReferences": [
@@ -65,7 +65,7 @@
         },
         {
           "name": "cdx:gomod:build:env:GOVERSION",
-          "value": "go1.17.7"
+          "value": "go1.18.3"
         }
       ],
       "components": [