Merge pull request #46 from infosiftr/allowlist-denylist

Maintain inclusion/exclusion criteria (meta, SBOMs, signing) here

Author: yosifkit

.test/meta-commands/out.sh

@@ -6,7 +6,6 @@
 SOURCE_DATE_EPOCH=1700741054 \
 	docker buildx build --progress=plain \
 	--provenance=mode=max \
-	--sbom=generator="$BASHBREW_BUILDKIT_SBOM_GENERATOR" \
 	--output '"type=oci","dest=temp.tar"' \
 	--annotation 'org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \
 	--annotation 'org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \

Jenkinsfile.meta

@@ -40,6 +40,17 @@ node {
 			sh '''
 				git submodule update --remote --merge .doi
 				git submodule update --remote --merge .scripts
+
+				# TODO once "repos_anti_subset" in "doi.jq" is empty, we can remove this (and all associated usages of "subset.txt" can just be "--all" or go away completely)
+				# in all the places we need to interact with our "subset" it's a lot easier to have an explicit list of what's included, so we'll continue to generate "subset.txt" until it contains the full set
+				bashbrew list --all --repos | jq -L.scripts -rsR '
+					include "doi";
+					rtrimstr("\n")
+					| split("\n")
+					| . - repos_anti_subset
+					| join("\n")
+				' > subset.txt
+				git add subset.txt
 			'''
 		}
 

doi.jq

@@ -0,0 +1,186 @@
+# our old "subset.txt", but inverted
+# this way, we can "fail open" correctly (new images should be part of meta by default)
+# see "Jenkinsfile.meta" for how/why this turns into "subset.txt"
+def repos_anti_subset:
+	[
+		# as we remove items from this list, we need to be careful that none of their *children* are still in the list
+		# (which is why this is sorted in rough "build order" -- that means we can ~safely "pop" off the bottom)
+
+		"almalinux", # direct children: crate
+		"alpine", # direct children: amazoncorretto amazonlinux api-firewall arangodb archlinux bash bonita caddy chronograf consul docker eclipse-mosquitto eclipse-temurin eggdrop erlang fluentd golang haproxy haxe httpd influxdb irssi jobber julia kapacitor kong liquibase memcached nats nats-streaming nginx node notary php postgres python rabbitmq rakudo-star redis registry ruby rust spiped teamspeak telegraf traefik varnish vault znc
+		"alt",
+		"amazonlinux", # direct children: amazoncorretto swift
+		"api-firewall",
+		"arangodb",
+		"archlinux",
+		"bonita",
+		"centos", # direct children: eclipse-temurin ibm-semeru-runtimes percona swift
+		"clearlinux",
+		"clefos",
+		"consul",
+		"crate",
+		"debian", # direct children: adminer aerospike buildpack-deps chronograf clojure couchdb dart emqx erlang haproxy haskell hitch httpd influxdb irssi julia maven memcached mono mysql neo4j neurodebian nginx node odoo openjdk perl php postgres pypy python r-base redis rethinkdb rocket.chat ruby rust spiped swipl unit varnish
+		"eclipse-mosquitto",
+		"eggdrop",
+		"emqx",
+		"express-gateway",
+		"hitch",
+		"jobber",
+		"mageia",
+		"mono",
+		"nats",
+		"nats-streaming",
+		"oraclelinux", # direct children: mysql openjdk percona
+		"percona",
+		"photon",
+		"php", # direct children: backdrop composer drupal friendica joomla matomo mediawiki monica nextcloud phpmyadmin postfixadmin unit wordpress yourls
+		"php-zendserver",
+		"phpmyadmin",
+		"postfixadmin",
+		"r-base",
+		"rocket.chat",
+		"rockylinux",
+		"sl",
+		"spiped",
+		"teamspeak",
+		"traefik",
+		"ubuntu", # direct children: buildpack-deps couchbase eclipse-temurin elasticsearch gazebo gradle ibmjava ibm-semeru-runtimes kibana kong logstash mariadb mongo neurodebian odoo php-zendserver rabbitmq ros sapmachine silverpeas swift
+		"varnish",
+		"vault",
+		"yourls",
+		"znc",
+		"adminer",
+		"aerospike",
+		"amazoncorretto", # direct children: jetty maven tomcat
+		"backdrop",
+		"buildpack-deps", # direct children: erlang gcc golang haskell haxe influxdb kapacitor node openjdk perl pypy python rakudo-star ruby rust telegraf
+		"composer", # direct children: drupal
+		"couchbase",
+		"dart",
+		"eclipse-temurin", # direct children: cassandra clojure flink gradle groovy jetty jruby lightstreamer liquibase maven neo4j orientdb solr sonarqube spark storm tomcat tomee unit zookeeper
+		"erlang", # direct children: elixir
+		"friendica",
+		"gazebo",
+		"groovy",
+		"haskell",
+		"haxe",
+		"ibm-semeru-runtimes", # direct children: maven open-liberty tomee websphere-liberty
+		"ibmjava", # direct children: maven websphere-liberty
+		"jetty", # direct children: geonetwork
+		"joomla",
+		"kong",
+		"lightstreamer",
+		"liquibase",
+		"matomo",
+		"mediawiki",
+		"monica",
+		"neurodebian",
+		"nextcloud",
+		"node", # direct children: express-gateway ghost mongo-express unit
+		"odoo",
+		"open-liberty",
+		"orientdb",
+		"python", # direct children: hylang plone satosa unit
+		"rakudo-star",
+		"ros",
+		"sapmachine", # direct children: maven
+		"satosa",
+		"silverpeas",
+		"spark",
+		"storm",
+		"swift",
+		"tomcat", # direct children: convertigo geonetwork xwiki
+		"tomee",
+		"websphere-liberty",
+		"clojure",
+		"convertigo",
+		"geonetwork",
+		"maven",
+		"plone",
+
+		empty
+	]
+;
+
+# a helper for "build_should_sbom"
+def _sbom_subset:
+	[
+		# only repositories we have explicitly verified
+		"bash",
+		"buildpack-deps",
+		"busybox",
+		"caddy",
+		"cassandra",
+		"chronograf",
+		"couchdb",
+		"drupal",
+		"eclipse-temurin",
+		"elasticsearch",
+		"flink",
+		"fluentd",
+		"gcc",
+		"ghost",
+		"gradle",
+		"haproxy",
+		"httpd",
+		"hylang",
+		"influxdb",
+		"jruby",
+		"julia",
+		"kapacitor",
+		"kibana",
+		"logstash",
+		"mariadb",
+		"memcached",
+		"mongo",
+		"mongo-express",
+		"mysql",
+		"neo4j",
+		"nginx",
+		"openjdk",
+		"perl",
+		"php",
+		"postgres",
+		"pypy",
+		"python",
+		"rabbitmq",
+		"redis",
+		"registry",
+		"rethinkdb",
+		"ruby",
+		"rust",
+		"solr",
+		"sonarqube",
+		"telegraf",
+		"tomcat",
+		"wordpress",
+		"xwiki",
+		"zookeeper",
+		empty
+	]
+;
+
+# input: "build" object (with "buildId" top level key)
+# output: boolean
+def build_should_sbom:
+	.source.arches[.build.arch].tags
+	| map(split(":")[0])
+	| unique
+	| _sbom_subset as $subset
+	| any(.[];
+		. as $i
+		| $subset
+		| index($i)
+	)
+;
+
+# input: "build" object (with "buildId" top level key)
+# output: boolean
+def build_should_sign:
+	.build.arch == "amd64" and (
+		.source.arches[.build.arch].tags
+		| map(split(":")[0])
+		| unique
+		| index("notary")
+	)
+;

meta.jq

@@ -1,3 +1,6 @@
+# "build_should_sbom", etc.
+include "doi";
+
 # input: "build" object (with "buildId" top level key)
 # output: boolean
 def needs_build:
@@ -17,27 +20,6 @@ def normalized_builder:
 		end
 	else . end
 ;
-def docker_uses_containerd_storage:
-	# TODO somehow detect docker-with-containerd-storage
-	false
-;
-# input: "build" object (with "buildId" top level key)
-# output: boolean
-def should_use_docker_buildx_driver:
-	normalized_builder == "buildkit"
-	and (
-		docker_uses_containerd_storage
-		or (
-			.build.arch as $arch
-			# bashbrew remote arches --json tianon/buildkit:0.12 | jq '.arches | keys_unsorted' -c
-			| ["amd64","arm32v5","arm32v6","arm32v7","arm64v8","i386","mips64le","ppc64le","riscv64","s390x"]
-			# TODO this needs to be based on the *host* architecture, not the *target* architecture (amd64 vs i386)
-			| index($arch)
-			| not
-			# TODO "failed to read dockerfile: failed to load cache key: subdir not supported yet" asdflkjalksdjfklasdjfklajsdklfjasdklgfnlkasdfgbhnkljasdhgouiahsdoifjnask,.dfgnklasdbngoikasdhfoiasjdklfjasdlkfjalksdjfkladshjflikashdbgiohasdfgiohnaskldfjhnlkasdhfnklasdhglkahsdlfkjasdlkfjadsklfjsdl (hence "tianon/buildkit" instead of "moby/buildkit"; need *all* the arches we care about/support for consistent support)
-		)
-	)
-;
 # input: "docker.io/library/foo:bar"
 # output: "foo:bar"
 def normalize_ref_to_docker:
@@ -48,7 +30,7 @@ def normalize_ref_to_docker:
 # output: string "pull command" ("docker pull ..."), may be multiple lines, expects to run in Bash with "set -Eeuo pipefail", might be empty
 def pull_command:
 	normalized_builder as $builder
-	| if $builder == "classic" or should_use_docker_buildx_driver then
+	| if $builder == "classic" then
 		[
 			(
 				.build.resolvedParents
@@ -151,63 +133,50 @@ def build_command:
 	normalized_builder as $builder
 	| if $builder == "buildkit" then
 		git_build_url as $buildUrl
-		| (
-			(should_use_docker_buildx_driver | not)
-			or docker_uses_containerd_storage
-		) as $supportsAnnotationsAndAttestsations
 		| [
 			(
 				[
 					@sh "SOURCE_DATE_EPOCH=\(.source.entry.SOURCE_DATE_EPOCH)",
 					# TODO EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=<(jq ...)
 					"docker buildx build --progress=plain",
-					if $supportsAnnotationsAndAttestsations then
-						"--provenance=mode=max",
+					"--provenance=mode=max",
+					if build_should_sbom then
 						# see "bashbrew remote arches docker/scout-sbom-indexer:1" (we need the SBOM scanner to be runnable on the host architecture)
 						# bashbrew remote arches --json docker/scout-sbom-indexer:1 | jq '.arches | keys_unsorted' -c
 						if .build.arch as $arch | ["amd64","arm32v5","arm32v7","arm64v8","i386","ppc64le","riscv64","s390x"] | index($arch) then
 							# TODO this needs to be based on the *host* architecture, not the *target* architecture (amd64 vs i386)
 							"--sbom=generator=\"$BASHBREW_BUILDKIT_SBOM_GENERATOR\""
-							# TODO this should also be totally optional -- for example, Tianon doesn't want SBOMs on his personal images
-						else empty end,
-						empty
+						else empty end
 					else empty end,
 					"--output " + (
 						[
-							if should_use_docker_buildx_driver then
-								"type=docker"
-							else
-								"type=oci",
-								"dest=temp.tar", # TODO choose/find a good "safe" place to put this (temporarily)
-								empty
-							end,
+							"type=oci",
+							"dest=temp.tar", # TODO choose/find a good "safe" place to put this (temporarily)
 							empty
 						]
 						| @csv
 						| @sh
 					),
 					(
-						if $supportsAnnotationsAndAttestsations then
-							build_annotations($buildUrl)
-							| to_entries
-							# separate loops so that "image manifest" annotations are grouped separate from the index/descriptor annotations (easier to read)
-							| (
-								.[]
-								| @sh "--annotation \(.key + "=" + .value)"
-							),
-							(
-								.[]
-								| @sh "--annotation \(
-									"manifest-descriptor:" + .key + "="
-									+ if .key == "org.opencontainers.image.created" then
-										# the "current" time breaks reproducibility (for the purposes of build verification), so we put "now" in the image index but "SOURCE_DATE_EPOCH" in the image manifest (which is the thing we'd ideally like to have reproducible, eventually)
-										(env.SOURCE_DATE_EPOCH // now) | tonumber | strftime("%FT%TZ")
-										# (this assumes the actual build is going to happen shortly after generating the command)
-									else .value end
-								)",
-								empty
-							)
-						else empty end
+						build_annotations($buildUrl)
+						| to_entries
+						# separate loops so that "image manifest" annotations are grouped separate from the index/descriptor annotations (easier to read)
+						| (
+							.[]
+							| @sh "--annotation \(.key + "=" + .value)"
+						),
+						(
+							.[]
+							| @sh "--annotation \(
+								"manifest-descriptor:" + .key + "="
+								+ if .key == "org.opencontainers.image.created" then
+									# the "current" time breaks reproducibility (for the purposes of build verification), so we put "now" in the image index but "SOURCE_DATE_EPOCH" in the image manifest (which is the thing we'd ideally like to have reproducible, eventually)
+									(env.SOURCE_DATE_EPOCH // now) | tonumber | strftime("%FT%TZ")
+									# (this assumes the actual build is going to happen shortly after generating the command)
+								else .value end
+							)",
+							empty
+						)
 					),
 					(
 						(
@@ -233,24 +202,21 @@ def build_command:
 					empty
 				] | join(" \\\n\t")
 			),
-			if should_use_docker_buildx_driver then empty else
-				# munge the tarball into a suitable "oci layout" directory (ready for "crane push")
-				"mkdir temp",
-				"tar -xvf temp.tar -C temp",
-				"rm temp.tar",
-				# munge the index to what crane wants ("Error: layout contains 5 entries, consider --index")
-				@sh "jq \("
-					.manifests |= (
-						del(.[].annotations)
-						| unique
-						| if length != 1 then
-							error(\"unexpected number of manifests: \" + length)
-						else . end
-					)
-				" | unindent_and_decomment_jq(4)) temp/index.json > temp/index.json.new",
-				"mv temp/index.json.new temp/index.json",
-				empty
-			end,
+			# munge the tarball into a suitable "oci layout" directory (ready for "crane push")
+			"mkdir temp",
+			"tar -xvf temp.tar -C temp",
+			"rm temp.tar",
+			# munge the index to what crane wants ("Error: layout contains 5 entries, consider --index")
+			@sh "jq \("
+				.manifests |= (
+					del(.[].annotations)
+					| unique
+					| if length != 1 then
+						error(\"unexpected number of manifests: \" + length)
+					else . end
+				)
+			" | unindent_and_decomment_jq(3)) temp/index.json > temp/index.json.new",
+			"mv temp/index.json.new temp/index.json",
 			# possible improvements in buildkit/buildx that could help us:
 			# - allowing OCI output directly to a directory instead of a tar (thus getting symmetry with the oci-layout:// inputs it can take)
 			# - allowing tag as one thing and push as something else, potentially mutually exclusive
@@ -365,7 +331,7 @@ def build_command:
 # output: string "push command" ("docker push ..."), may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
 def push_command:
 	normalized_builder as $builder
-	| if $builder == "classic" or should_use_docker_buildx_driver then
+	| if $builder == "classic" then
 		@sh "docker push \(.build.img)"
 	elif $builder == "buildkit" then
 		[