From a84b199601881e7aeb203712dc175627e2eb940d Mon Sep 17 00:00:00 2001 From: Laurent Goderre Date: Wed, 20 Sep 2023 16:38:57 -0400 Subject: [PATCH] Added attestation from intermediate multi-stage build steps --- 3.10/alpine/Dockerfile | 4 ++++ 3.10/ubuntu/Dockerfile | 6 ++++++ 3.11/alpine/Dockerfile | 4 ++++ 3.11/ubuntu/Dockerfile | 6 ++++++ 3.12/alpine/Dockerfile | 4 ++++ 3.12/ubuntu/Dockerfile | 6 ++++++ 3.13-rc/alpine/Dockerfile | 4 ++++ 3.13-rc/ubuntu/Dockerfile | 6 ++++++ 3.9/alpine/Dockerfile | 4 ++++ 3.9/ubuntu/Dockerfile | 6 ++++++ Dockerfile-alpine.template | 4 ++++ Dockerfile-ubuntu.template | 6 ++++++ 12 files changed, 60 insertions(+) diff --git a/3.10/alpine/Dockerfile b/3.10/alpine/Dockerfile index 8ee87eb6..4985eee9 100644 --- a/3.10/alpine/Dockerfile +++ b/3.10/alpine/Dockerfile @@ -18,6 +18,8 @@ RUN apk add --no-cache \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ # /usr/local/src doesn't exist in Alpine by default mkdir -p /usr/local/src; \ diff --git a/3.10/ubuntu/Dockerfile b/3.10/ubuntu/Dockerfile index ae3f9ca9..0ace6eca 100644 --- a/3.10/ubuntu/Dockerfile +++ b/3.10/ubuntu/Dockerfile @@ -8,6 +8,8 @@ # especially for the enterprises that we, the RabbitMQ team, have to deal with FROM ubuntu:22.04 as build-base +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ 
@@ -19,6 +21,8 @@ RUN set -eux; \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \ OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ diff --git a/3.11/alpine/Dockerfile b/3.11/alpine/Dockerfile index 57217eb3..8e316f09 100644 --- a/3.11/alpine/Dockerfile +++ b/3.11/alpine/Dockerfile @@ -18,6 +18,8 @@ RUN apk add --no-cache \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ # /usr/local/src doesn't exist in Alpine by default mkdir -p /usr/local/src; \ diff --git a/3.11/ubuntu/Dockerfile b/3.11/ubuntu/Dockerfile index 6aba6d26..93d82afc 100644 --- a/3.11/ubuntu/Dockerfile +++ b/3.11/ubuntu/Dockerfile @@ -8,6 +8,8 @@ # especially for the enterprises that we, the RabbitMQ team, have to deal with FROM ubuntu:22.04 as build-base +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ 
@@ -19,6 +21,8 @@ RUN set -eux; \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \ OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ diff --git a/3.12/alpine/Dockerfile b/3.12/alpine/Dockerfile index 6ebeb09c..57a91c90 100644 --- a/3.12/alpine/Dockerfile +++ b/3.12/alpine/Dockerfile @@ -18,6 +18,8 @@ RUN apk add --no-cache \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ # /usr/local/src doesn't exist in Alpine by default mkdir -p /usr/local/src; \ diff --git a/3.12/ubuntu/Dockerfile b/3.12/ubuntu/Dockerfile index 1773d22f..9d42e3ea 100644 --- a/3.12/ubuntu/Dockerfile +++ b/3.12/ubuntu/Dockerfile @@ -8,6 +8,8 @@ # especially for the enterprises that we, the RabbitMQ team, have to deal with FROM ubuntu:22.04 as build-base +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ 
@@ -19,6 +21,8 @@ RUN set -eux; \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \ OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ diff --git a/3.13-rc/alpine/Dockerfile b/3.13-rc/alpine/Dockerfile index 643ddd46..6a8c00d6 100644 --- a/3.13-rc/alpine/Dockerfile +++ b/3.13-rc/alpine/Dockerfile @@ -18,6 +18,8 @@ RUN apk add --no-cache \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ # /usr/local/src doesn't exist in Alpine by default mkdir -p /usr/local/src; \ diff --git a/3.13-rc/ubuntu/Dockerfile b/3.13-rc/ubuntu/Dockerfile index fad8d871..b0360e77 100644 --- a/3.13-rc/ubuntu/Dockerfile +++ b/3.13-rc/ubuntu/Dockerfile @@ -8,6 +8,8 @@ # especially for the enterprises that we, the RabbitMQ team, have to deal with FROM ubuntu:22.04 as build-base +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ 
@@ -19,6 +21,8 @@ RUN set -eux; \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \ OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ diff --git a/3.9/alpine/Dockerfile b/3.9/alpine/Dockerfile index b09522a5..bd0ff2ba 100644 --- a/3.9/alpine/Dockerfile +++ b/3.9/alpine/Dockerfile @@ -18,6 +18,8 @@ RUN apk add --no-cache \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ # /usr/local/src doesn't exist in Alpine by default mkdir -p /usr/local/src; \ diff --git a/3.9/ubuntu/Dockerfile b/3.9/ubuntu/Dockerfile index 286e06b1..036fc86d 100644 --- a/3.9/ubuntu/Dockerfile +++ b/3.9/ubuntu/Dockerfile @@ -8,6 +8,8 @@ # especially for the enterprises that we, the RabbitMQ team, have to deal with FROM ubuntu:22.04 as build-base +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ 
@@ -19,6 +21,8 @@ RUN set -eux; \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \ OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index aed10a6e..5ce9deea 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -12,6 +12,8 @@ RUN apk add --no-cache \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -145,6 +147,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ # /usr/local/src doesn't exist in Alpine by default mkdir -p /usr/local/src; \ diff --git a/Dockerfile-ubuntu.template b/Dockerfile-ubuntu.template index 3dd4faf3..f9266bfe 100644 --- a/Dockerfile-ubuntu.template +++ b/Dockerfile-ubuntu.template @@ -2,6 +2,8 @@ # especially for the enterprises that we, the RabbitMQ team, have to deal with FROM ubuntu:{{ .ubuntu.version }} as build-base +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ 
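Review bot: In Dockerfile-alpine.template only `openssl-builder` (this hunk, at line 12) and `erlang-builder` (the hunk at line 145) receive `ARG BUILDKIT_SBOM_SCAN_STAGE=true`, while the Ubuntu template also marks `build-base`; the diffstat shows the same split, 4 added lines against 6. Because `openssl-builder` is `FROM build-base`, its scan presumably already sees what `apk add` installed there. Either add the same line after the Alpine `build-base` FROM or drop it from the Ubuntu `build-base` stage, so both variants attest the same set of stages. The Alpine `build-base` stage starts above this hunk, so its FROM line is not visible here. The versioned Alpine Dockerfiles, which look generated from this template, show the same difference.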
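Review bot: The new `ARG BUILDKIT_SBOM_SCAN_STAGE=true` after `FROM ubuntu:{{ .ubuntu.version }} as build-base` in Dockerfile-ubuntu.template has no comment, and nothing in the stage reads it, so it looks like a dead build argument that a later cleanup could remove. I would put `# Have BuildKit include this intermediate stage in the SBOM attestation; only effective when the build requests one (--sbom=true or --attest type=sbom)` above it. The same line is added without explanation in the `openssl-builder` and `erlang-builder` hunks of both templates and in every versioned Dockerfile. The comment therefore belongs in the templates, with the versioned files regenerated from them. The RUN that follows continues past the end of this hunk.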
@@ -13,6 +15,8 @@ RUN set -eux; \ FROM build-base as openssl-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally ARG PGP_KEYSERVER=keyserver.ubuntu.com # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, @@ -145,6 +149,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder +ARG BUILDKIT_SBOM_SCAN_STAGE=true + RUN set -eux; \ OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \ OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \
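Review bot: Marking `erlang-builder` for scanning (the hunk at line 145 of Dockerfile-ubuntu.template) may not put Erlang/OTP itself into the attestation. The stage fetches `otp_src_$OTP_VERSION.tar.gz` from the GitHub release and appears to build it from source, and a scanner that relies on the distribution's package database would record only the apt packages. The same concern applies to `openssl-builder`, where the hunk header shows OpenSSL living under `$OPENSSL_INSTALL_PATH_PREFIX` rather than in a package. Before relying on these attestations for vulnerability tracking, confirm that the generated SBOM lists the OpenSSL and OTP versions. If it does not, a comment such as `# SBOM scan may cover OS packages only; OpenSSL and OTP are built from source in these stages` would record the gap. The RUN shown here continues past the hunk, so the build and install steps are not visible.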