From 8eeb831c647aab7f7bb2cd1dd2228edca0908b62 Mon Sep 17 00:00:00 2001 From: Laurent Goderre Date: Wed, 1 May 2024 14:59:15 -0400 Subject: [PATCH] Remove manual SBOMs Syft is now detecting OpenSSL and Erlanf binaries and rabbitmq erlang package --- .gitignore | 1 - 3.12/alpine/Dockerfile | 8 +------ 3.12/ubuntu/Dockerfile | 8 +------ 3.13/alpine/Dockerfile | 8 +------ 3.13/ubuntu/Dockerfile | 8 +------ Dockerfile-alpine.template | 45 +------------------------------------- Dockerfile-ubuntu.template | 45 +------------------------------------- apply-templates.sh | 8 ------- 8 files changed, 6 insertions(+), 125 deletions(-) diff --git a/.gitignore b/.gitignore index c8db931e..d548f66d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ .jq-template.awk -.template-helper-functions.jq diff --git a/3.12/alpine/Dockerfile b/3.12/alpine/Dockerfile index 59ab10a3..06db2444 100644 --- a/3.12/alpine/Dockerfile +++ b/3.12/alpine/Dockerfile @@ -5,7 +5,6 @@ # # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk! - FROM alpine:3.19 as build-base RUN apk add --no-cache \ 
@@ -201,10 +200,7 @@ ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"erlang-sbom","packages":[{"name":"erlang","versionInfo":"25.3.2.12","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/erlang@25.3.2.12?os_name=alpine&os_version=3.19"}],"licenseDeclared":"Apache-2.0"}]}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json - COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-sbom","packages":[{"name":"openssl","versionInfo":"3.1.5","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/openssl@3.1.5?os_name=alpine&os_version=3.19"}],"licenseDeclared":"Apache-2.0"}]}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH 
@@ -303,9 +299,7 @@ RUN set -eux; \ su-exec rabbitmq rabbitmqctl list_ciphers; \ su-exec rabbitmq rabbitmq-plugins list; \ # no stale cookies - rm "$RABBITMQ_DATA_DIR/.erlang.cookie";\ - \ - echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"rabbitmq-sbom","packages":[{"name":"rabbitmq","versionInfo":"3.12.13","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/rabbitmq@3.12.13?os_name=alpine&os_version=3.19"}],"licenseDeclared":"MPL-2.0 AND Apache-2.0"}]}' > $RABBITMQ_HOME/rabbitmq.spdx.json; + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" # Enable Prometheus-style metrics by default (https://github.com/docker-library/rabbitmq/issues/419) RUN su-exec rabbitmq rabbitmq-plugins enable --offline rabbitmq_prometheus diff --git a/3.12/ubuntu/Dockerfile b/3.12/ubuntu/Dockerfile index dbd1a51b..d82f408b 100644 --- a/3.12/ubuntu/Dockerfile +++ b/3.12/ubuntu/Dockerfile @@ -6,7 +6,6 @@ # The official Canonical Ubuntu Focal image is ideal from a security perspective, # especially for the enterprises that we, the RabbitMQ team, have to deal with - FROM ubuntu:22.04 as build-base ARG BUILDKIT_SBOM_SCAN_STAGE=true 
@@ -200,10 +199,7 @@ FROM ubuntu:22.04 ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"erlang-sbom","packages":[{"name":"erlang","versionInfo":"25.3.2.12","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/erlang@25.3.2.12?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json - COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-sbom","packages":[{"name":"openssl","versionInfo":"3.1.5","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/openssl@3.1.5?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH 
@@ -297,9 +293,7 @@ RUN set -eux; \ gosu rabbitmq rabbitmqctl list_ciphers; \ gosu rabbitmq rabbitmq-plugins list; \ # no stale cookies - rm "$RABBITMQ_DATA_DIR/.erlang.cookie"; \ - \ - echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"rabbitmq-sbom","packages":[{"name":"rabbitmq","versionInfo":"3.12.13","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/rabbitmq@3.12.13?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"MPL-2.0 AND Apache-2.0"}]}' > $RABBITMQ_HOME/rabbitmq.spdx.json + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" # Enable Prometheus-style metrics by default (https://github.com/docker-library/rabbitmq/issues/419) RUN gosu rabbitmq rabbitmq-plugins enable --offline rabbitmq_prometheus diff --git a/3.13/alpine/Dockerfile b/3.13/alpine/Dockerfile index 7782aeac..596ba609 100644 --- a/3.13/alpine/Dockerfile +++ b/3.13/alpine/Dockerfile @@ -5,7 +5,6 @@ # # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk! - FROM alpine:3.19 as build-base RUN apk add --no-cache \ 
@@ -201,10 +200,7 @@ ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"erlang-sbom","packages":[{"name":"erlang","versionInfo":"26.2.5","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/erlang@26.2.5?os_name=alpine&os_version=3.19"}],"licenseDeclared":"Apache-2.0"}]}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json - COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-sbom","packages":[{"name":"openssl","versionInfo":"3.1.5","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/openssl@3.1.5?os_name=alpine&os_version=3.19"}],"licenseDeclared":"Apache-2.0"}]}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH 
@@ -303,9 +299,7 @@ RUN set -eux; \ su-exec rabbitmq rabbitmqctl list_ciphers; \ su-exec rabbitmq rabbitmq-plugins list; \ # no stale cookies - rm "$RABBITMQ_DATA_DIR/.erlang.cookie";\ - \ - echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"rabbitmq-sbom","packages":[{"name":"rabbitmq","versionInfo":"3.13.2","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/rabbitmq@3.13.2?os_name=alpine&os_version=3.19"}],"licenseDeclared":"MPL-2.0 AND Apache-2.0"}]}' > $RABBITMQ_HOME/rabbitmq.spdx.json; + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" # Enable Prometheus-style metrics by default (https://github.com/docker-library/rabbitmq/issues/419) RUN su-exec rabbitmq rabbitmq-plugins enable --offline rabbitmq_prometheus diff --git a/3.13/ubuntu/Dockerfile b/3.13/ubuntu/Dockerfile index f4af8984..9e2751ec 100644 --- a/3.13/ubuntu/Dockerfile +++ b/3.13/ubuntu/Dockerfile @@ -6,7 +6,6 @@ # The official Canonical Ubuntu Focal image is ideal from a security perspective, # especially for the enterprises that we, the RabbitMQ team, have to deal with - FROM ubuntu:22.04 as build-base ARG BUILDKIT_SBOM_SCAN_STAGE=true 
@@ -200,10 +199,7 @@ FROM ubuntu:22.04 ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"erlang-sbom","packages":[{"name":"erlang","versionInfo":"26.2.5","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/erlang@26.2.5?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json - COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-sbom","packages":[{"name":"openssl","versionInfo":"3.1.5","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/openssl@3.1.5?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH 
@@ -297,9 +293,7 @@ RUN set -eux; \ gosu rabbitmq rabbitmqctl list_ciphers; \ gosu rabbitmq rabbitmq-plugins list; \ # no stale cookies - rm "$RABBITMQ_DATA_DIR/.erlang.cookie"; \ - \ - echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"rabbitmq-sbom","packages":[{"name":"rabbitmq","versionInfo":"3.13.2","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/rabbitmq@3.13.2?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"MPL-2.0 AND Apache-2.0"}]}' > $RABBITMQ_HOME/rabbitmq.spdx.json + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" # Enable Prometheus-style metrics by default (https://github.com/docker-library/rabbitmq/issues/419) RUN gosu rabbitmq rabbitmq-plugins enable --offline rabbitmq_prometheus diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index d98ae9d4..114f9daa 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -1,5 +1,4 @@ # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk! -{{ include ".template-helper-functions" }} FROM alpine:{{ .alpine.version }} as build-base RUN apk add --no-cache \ 
@@ -235,34 +234,7 @@ ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX -RUN echo '{{ - { - name: "erlang", - version: .otp.version, - params: { - os_name: "alpine", - os_version: .alpine.version - }, - licenses: [ - "Apache-2.0" - ] - } | sbom | tostring - }}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json - COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX -RUN echo '{{ - { - name: "openssl", - version: .openssl.version, - params: { - os_name: "alpine", - os_version: .alpine.version - }, - licenses: [ - "Apache-2.0" - ] - } | sbom | tostring - }}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH @@ -361,22 +333,7 @@ RUN set -eux; \ su-exec rabbitmq rabbitmqctl list_ciphers; \ su-exec rabbitmq rabbitmq-plugins list; \ # no stale cookies - rm "$RABBITMQ_DATA_DIR/.erlang.cookie";\ - \ - echo '{{ - { - name: "rabbitmq", - version: .version, - params: { - os_name: "alpine", - os_version: .alpine.version - }, - licenses: [ - "MPL-2.0", - "Apache-2.0" - ] - } | sbom | tostring - }}' > $RABBITMQ_HOME/rabbitmq.spdx.json; + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" # Enable Prometheus-style metrics by default (https://github.com/docker-library/rabbitmq/issues/419) RUN su-exec rabbitmq rabbitmq-plugins enable --offline rabbitmq_prometheus diff --git a/Dockerfile-ubuntu.template b/Dockerfile-ubuntu.template index 1f87bee3..c3684fb6 100644 --- a/Dockerfile-ubuntu.template +++ b/Dockerfile-ubuntu.template @@ -1,6 +1,5 @@ # The official Canonical Ubuntu Focal image is ideal from a security perspective, # especially for the enterprises that we, the RabbitMQ team, have to deal with -{{ include ".template-helper-functions" }} FROM ubuntu:{{ .ubuntu.version }} as build-base ARG BUILDKIT_SBOM_SCAN_STAGE=true 
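Review bot: With the `RUN echo '{{ … | sbom | tostring }}' > …spdx.json` steps removed after both `COPY --from=…-builder` lines and from the end of the final `RUN set -eux` block, nothing in the template records that the erlang, openssl and rabbitmq SBOM entries now depend entirely on the scanner recognising the files under `$ERLANG_INSTALL_PATH_PREFIX`, `$OPENSSL_INSTALL_PATH_PREFIX` and `$RABBITMQ_HOME`. I would add a comment above the first `COPY`, for example `# SBOM: erlang/openssl/rabbitmq are detected by the image scanner (Syft) from the installed files; no manual SPDX documents are written here`, so that a later change to the install prefix or to how the binaries are built is not made without re-checking the generated SBOM. The removed documents also carried explicit `licenses` declarations (`MPL-2.0`, `Apache-2.0`), and whether the detected entries still report them is not visible in this patch and is worth confirming. The same applies to the matching hunks in `Dockerfile-ubuntu.template` and the four generated Dockerfiles; the final `RUN` block starts outside the hunk.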
@@ -234,34 +233,7 @@ FROM ubuntu:{{ .ubuntu.version }} ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX -RUN echo '{{ - { - name: "erlang", - version: .otp.version, - params: { - os_name: "ubuntu", - os_version: .ubuntu.version - }, - licenses: [ - "Apache-2.0" - ] - } | sbom | tostring - }}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json - COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX -RUN echo '{{ - { - name: "openssl", - version: .openssl.version, - params: { - os_name: "ubuntu", - os_version: .ubuntu.version - }, - licenses: [ - "Apache-2.0" - ] - } | sbom | tostring - }}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH @@ -355,22 +327,7 @@ RUN set -eux; \ gosu rabbitmq rabbitmqctl list_ciphers; \ gosu rabbitmq rabbitmq-plugins list; \ # no stale cookies - rm "$RABBITMQ_DATA_DIR/.erlang.cookie"; \ - \ - echo '{{ - { - name: "rabbitmq", - version: .version, - params: { - os_name: "ubuntu", - os_version: .ubuntu.version - }, - licenses: [ - "MPL-2.0", - "Apache-2.0" - ] - } | sbom | tostring - }}' > $RABBITMQ_HOME/rabbitmq.spdx.json + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" # Enable Prometheus-style metrics by default (https://github.com/docker-library/rabbitmq/issues/419) RUN gosu rabbitmq rabbitmq-plugins enable --offline rabbitmq_prometheus diff --git a/apply-templates.sh b/apply-templates.sh index c44178d6..3d1091c4 100755 --- a/apply-templates.sh +++ b/apply-templates.sh 
@@ -13,14 +13,6 @@ elif [ "$BASH_SOURCE" -nt "$jqt" ]; then wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/9f6a35772ac863a0241f147c820354e4008edf38/scripts/jq-template.awk' fi -jqf='.template-helper-functions.jq' -if [ -n "${BASHBREW_SCRIPTS:-}" ]; then - jqf="$BASHBREW_SCRIPTS/template-helper-functions.jq" -elif [ "$BASH_SOURCE" -nt "$jqf" ]; then - # https://github.com/docker-library/bashbrew/blob/master/scripts/template-helper-functions.jq - wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/5a86c34c5a3ef370b3d22c398d45ccab53bd64bd/scripts/template-helper-functions.jq' -fi - if [ "$#" -eq 0 ]; then versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)" eval "set -- $versions"