Make the notary version detectable #37
tianon-sso left a comment:
We'll also probably need to bump the Alpine version 😭
whalelines left a comment:
Can the rationale for moving from an intermediate image to a two-stage build be given in the PR description?
| - run: | | ||
| docker build notary-builder --tag notary:builder | ||
| tag="$(docker run --rm notary:builder sh -c 'echo $TAG' | awk '{gsub(/^v/, ""); print}')" | ||
| docker tag notary:builder "notary:${tag}-builder" |
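Review bot: the `tag` captured from `docker run --rm notary:builder sh -c 'echo $TAG'` is interpolated into `docker tag` unchecked; if `TAG` is unset in the builder image the command becomes `docker tag notary:builder "notary:-builder"`, an invalid reference that fails with an unhelpful error. Guard with `[ -n "$tag" ]` (or run the step under `set -u`) before tagging, and since the thread asks why this builder variant goes away, record the rationale in the PR description.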
Why is the builder variant being removed?
| @@ -1,3 +1,31 @@ | |||
| FROM golang:1.19-alpine{{ .alpine }} AS build | |||
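Review bot: `golang:1.19-alpine{{ .alpine }}` pins only the Go and Alpine minor lines, so the build stage floats with every patch release of both and the same Dockerfile can produce a different toolchain on a rebuild. For a reproducible build pin the base image by `@sha256` digest as well, or document which automation bumps this line (the thread already notes the Alpine version needs bumping).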
Perhaps #36 should just be closed and its changes included in this PR?
| WORKDIR /go/src/$NOTARYPKG | ||
| RUN set -eux; \ | ||
| git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \ | ||
| # In case the version in file doens't match the tag (like in 0.7.0) |
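Review bot: `git clone -b "$TAG" --depth 1` trusts the tag name alone; tags are mutable and nothing here verifies them, so a moved or re-pushed `$TAG` silently changes what gets built. Pin the expected commit (for example an `ARG NOTARY_COMMIT`) and fail when `git rev-parse HEAD` differs, or run `git verify-tag "$TAG"` against the maintainers' key before `go mod vendor`.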
| # In case the version in file doens't match the tag (like in 0.7.0) | |
| # In case the version in file doesn't match the tag (like in 0.7.0) |
When version 0.7.0 was released, the main file used in the code to determine the version wasn't bumped.
This is the 0.7.0 commit where the version is wrong.
https://github.com/notaryproject/notary/blob/b0b6bfdd4933081e8d5ae026b24e8337311dd598/NOTARY_VERSION
| RUN apk add --no-cache git make | ||
| ENV NOTARYPKG github.com/theupdateframework/notary |
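Review bot: the legacy `ENV NOTARYPKG github.com/...` form (no `=`) is discouraged in the Dockerfile reference in favour of `ENV NOTARYPKG=github.com/theupdateframework/notary`. Also, because this value must equal the module path in go.mod (still `github.com/theupdateframework/notary` at v0.7.0, as the thread establishes), put a one-line comment above it saying so, otherwise the "fix" to `notaryproject/notary` will keep being re-proposed.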
| ENV NOTARYPKG github.com/theupdateframework/notary | |
| ENV NOTARYPKG github.com/notaryproject/notary |
This must match what is in the go manifest which in version 0.7.0 is still that one as per:
https://github.com/notaryproject/notary/blob/b0b6bfdd4933081e8d5ae026b24e8337311dd598/go.mod#L1
They are the same repo, theupdateframework/notary redirects to notaryproject/notary, as your link shows.
Right, but this is used in the Go modules, so it has to match what Go thinks the module name is 🙃
Exactly! It's confusing I know
Careful; the module wasn't renamed yet in the current release though (still uses github.com/theupdateframework/notary); https://github.com/notaryproject/notary/blob/v0.7.0/go.mod#L1
i.e. github.com/notaryproject/notary did not yet do a release
| go mod vendor; \ | ||
| # TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576) | ||
| # Make the version detectable by scanners | ||
| sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \ |
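Review bot: the `sed` at the end of this hunk does not fail when its pattern matches nothing, so once the upstream Makefile changes (the TODO says this patch is temporary) the build silently drops the `-X $(NOTARY_PKG)/version.Version=...` flag and the scanner detection this PR exists for stops working. Assert the substitution took, e.g. `grep -q 'version.Version=\$(NOTARY_VERSION)' Makefile` right after the `sed`, so the image build fails loudly instead. `-r` and `-E` are also redundant; keep `-E`.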
| sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \ | |
| sed -i -E 's,(version\.NotaryVersion=\$\(NOTARY_VERSION\)),\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION),' Makefile; \ |
-r and -E are redundant, -E is more common.
I'd avoid using a regular expression special character, | in this case, as the substitution delimiter.
Why not the special character? I've seen it done like this many times.
How would you use the special character? How would you escape it?
I usually use -r, but -E is POSIX:
-E, -r, --regexp-extended
use extended regular expressions in the script (for portability
use POSIX -E).
Perhaps you meant -e, which is otherwise implied?
[-e script] [--expression=script]
...
[script-if-no-other-script]
...
-e script, --expression=script
add the script to the commands to be executed
I usually use @ or ! as my "non-/ delimiter", but I don't think the exact choice matters that much here, right? If we want to use | in our regex in the future, it's pretty easy to swap then. 🤷
We can undo those changes when this lands: notaryproject/notary#1704
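The delimiter discussion above, as an added shell example that is not part of the PR or of the Notary project: the same substitution written with `,` as the delimiter, applied to a constructed one-line stand-in for the Makefile line (the real Notary Makefile line is longer), plus a guard that makes a `RUN` step fail when the pattern no longer matches. `make_sample_makefile` and `add_version_ldflag` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the PR. Writes a constructed one-line stand-in for
# the Makefile line the sed targets and prints the temp file's path.
make_sample_makefile() {
  f="$(mktemp)"
  printf '%s\n' 'GO_LDFLAGS := -X $(NOTARY_PKG)/version.NotaryVersion=$(NOTARY_VERSION)' > "$f"
  printf '%s\n' "$f"
}

# add_version_ldflag FILE
# Appends "-X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)" right after the
# existing NotaryVersion assignment. ',' is the delimiter, so the '/' in the
# replacement needs no escaping and '|' stays free for alternation should the
# pattern ever need it. Returns 1 (so a RUN step fails) if the pattern is
# absent before the edit or the new flag is absent after it: a changed upstream
# Makefile then breaks the build instead of silently shipping a binary that
# carries no version.Version.
add_version_ldflag() {
  f="$1"
  grep -q 'version\.NotaryVersion=\$(NOTARY_VERSION)' "$f" || return 1
  sed -i -E 's,(version\.NotaryVersion=\$\(NOTARY_VERSION\)),\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION),' "$f"
  grep -q 'version\.Version=\$(NOTARY_VERSION)' "$f"
}
```

In the Dockerfile the equivalent would be the `sed` followed by the second `grep -q` inside the same `RUN set -eux; ...` chain, so that a non-match aborts the image build.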
Syft is able to use the ldflags from Go to properly detect the main version: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/golang/parse_go_binary_test.go#L1034-L1039
In order to make this work, we would need to enable that feature in the Scout Scanner
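To make the scanner side of the comment above concrete, here is an added Go example that is not part of the PR, of Notary or of Syft: it reads the `-ldflags` string a Go 1.18+ toolchain records in a binary's build settings (the channel Syft's Go cataloger uses) and pulls out the value assigned to `<module>/version.Version`, i.e. the variable the Makefile patch adds. The sample ldflags strings are constructed; `linkerAssignments`, `versionFromLdflags` and `versionFromBinary` are names chosen here, and `notaryPkg` is the module path from the v0.7.0 go.mod.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// Module path the scanner looks for. At v0.7.0 the Notary go.mod still declares
// github.com/theupdateframework/notary, so that (not notaryproject) is the
// prefix that ends up in the -X assignments.
const notaryPkg = "github.com/theupdateframework/notary"

// linkerAssignments extracts the "-X var=value" assignments from a Go -ldflags
// string, accepting both "-X pkg.Var=val" and "-X=pkg.Var=val". One layer of
// surrounding quotes is stripped from the value. Other flags (-w, -s, ...)
// are ignored, as is a dangling "-X" with nothing after it.
func linkerAssignments(ldflags string) map[string]string {
	out := map[string]string{}
	fields := strings.Fields(ldflags)
	for i := 0; i < len(fields); i++ {
		var assign string
		switch f := fields[i]; {
		case f == "-X" && i+1 < len(fields):
			i++
			assign = fields[i]
		case strings.HasPrefix(f, "-X="):
			assign = strings.TrimPrefix(f, "-X=")
		default:
			continue
		}
		key, val, ok := strings.Cut(assign, "=")
		if !ok {
			continue
		}
		out[key] = strings.Trim(val, `"'`)
	}
	return out
}

// versionFromLdflags reports the value assigned to <pkg>/version.Version, the
// variable the PR's Makefile patch adds so that scanners can read it.
func versionFromLdflags(ldflags, pkg string) (string, bool) {
	v, ok := linkerAssignments(ldflags)[pkg+"/version.Version"]
	return v, ok
}

// versionFromBinary does the same against a built Go (1.18+) binary: the go
// tool records the -ldflags it was invoked with in the binary's build settings.
func versionFromBinary(path, pkg string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	for _, s := range info.Settings {
		if s.Key != "-ldflags" {
			continue
		}
		if v, ok := versionFromLdflags(s.Value, pkg); ok {
			return v, nil
		}
		return "", fmt.Errorf("%s: -ldflags recorded but no %s/version.Version assignment", path, pkg)
	}
	return "", fmt.Errorf("%s: no -ldflags recorded in build info", path)
}

func main() {
	// Constructed sample ldflags: what the Makefile passes before and after the sed.
	before := "-w -X " + notaryPkg + "/version.NotaryVersion=0.7.0"
	after := before + " -X " + notaryPkg + "/version.Version=0.7.0"
	for _, s := range []string{before, after} {
		v, ok := versionFromLdflags(s, notaryPkg)
		fmt.Printf("found=%-5v version=%q  ldflags=%q\n", ok, v, s)
	}
	// Optional: inspect a real binary, e.g. `go run . /path/to/notary-server`.
	if len(os.Args) > 1 {
		v, err := versionFromBinary(os.Args[1], notaryPkg)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Println(os.Args[1], "->", v)
	}
}
```

Only the second sample reports a version: `NotaryVersion` alone, which is all the unpatched Makefile sets, is not the `version.Version` symbol the scanner keys on, which is exactly why the `-X $(NOTARY_PKG)/version.Version=...` addition is needed.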