mirror of
https://github.com/anchore/syft.git
synced 2025-11-17 16:33:21 +01:00
afc0c1acd9
Add source.NewFromRegistry function so that the syft attest command can always explicitly ask for an OCIRegistry provider rather than rely on local daemon detection for image sources. Attestation can not be used where local images loaded in a daemon are the source. Digest values for the layer identification step in attestation can sometimes vary across workstations. This fix makes it so that attest is generating an SBOM for, and attesting to, a source that exists in an OCI registry. It should never load a source from a local user docker/podman daemon. Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
78 lines
2.4 KiB
Go
78 lines
2.4 KiB
Go
package integration
|
|
|
|
import (
|
|
"github.com/stretchr/testify/require"
|
|
"testing"
|
|
|
|
"github.com/anchore/syft/syft/pkg/cataloger"
|
|
|
|
"github.com/anchore/syft/syft/sbom"
|
|
|
|
"github.com/anchore/stereoscope/pkg/imagetest"
|
|
"github.com/anchore/syft/syft"
|
|
"github.com/anchore/syft/syft/source"
|
|
)
|
|
|
|
func catalogFixtureImage(t *testing.T, fixtureImageName string) (sbom.SBOM, *source.Source) {
|
|
imagetest.GetFixtureImage(t, "docker-archive", fixtureImageName)
|
|
tarPath := imagetest.GetFixtureImageTarPath(t, fixtureImageName)
|
|
userInput := "docker-archive:" + tarPath
|
|
sourceInput, err := source.ParseInput(userInput, false)
|
|
require.NoError(t, err)
|
|
theSource, cleanupSource, err := source.New(*sourceInput, nil, nil)
|
|
t.Cleanup(cleanupSource)
|
|
require.NoError(t, err)
|
|
|
|
// TODO: this would be better with functional options (after/during API refactor)
|
|
c := cataloger.DefaultConfig()
|
|
c.Search.Scope = source.SquashedScope
|
|
pkgCatalog, relationships, actualDistro, err := syft.CatalogPackages(theSource, c)
|
|
if err != nil {
|
|
t.Fatalf("failed to catalog image: %+v", err)
|
|
}
|
|
|
|
return sbom.SBOM{
|
|
Artifacts: sbom.Artifacts{
|
|
PackageCatalog: pkgCatalog,
|
|
LinuxDistribution: actualDistro,
|
|
},
|
|
Relationships: relationships,
|
|
Source: theSource.Metadata,
|
|
Descriptor: sbom.Descriptor{
|
|
Name: "syft",
|
|
Version: "v0.42.0-bogus",
|
|
// the application configuration should be persisted here, however, we do not want to import
|
|
// the application configuration in this package (it's reserved only for ingestion by the cmd package)
|
|
Configuration: map[string]string{
|
|
"config-key": "config-value",
|
|
},
|
|
},
|
|
}, theSource
|
|
}
|
|
|
|
func catalogDirectory(t *testing.T, dir string) (sbom.SBOM, *source.Source) {
|
|
userInput := "dir:" + dir
|
|
sourceInput, err := source.ParseInput(userInput, false)
|
|
require.NoError(t, err)
|
|
theSource, cleanupSource, err := source.New(*sourceInput, nil, nil)
|
|
t.Cleanup(cleanupSource)
|
|
require.NoError(t, err)
|
|
|
|
// TODO: this would be better with functional options (after/during API refactor)
|
|
c := cataloger.DefaultConfig()
|
|
c.Search.Scope = source.AllLayersScope
|
|
pkgCatalog, relationships, actualDistro, err := syft.CatalogPackages(theSource, c)
|
|
if err != nil {
|
|
t.Fatalf("failed to catalog image: %+v", err)
|
|
}
|
|
|
|
return sbom.SBOM{
|
|
Artifacts: sbom.Artifacts{
|
|
PackageCatalog: pkgCatalog,
|
|
LinuxDistribution: actualDistro,
|
|
},
|
|
Relationships: relationships,
|
|
Source: theSource.Metadata,
|
|
}, theSource
|
|
}
|