Merge branch 'main' into feat-dups

* main:
  refactor: Remove experimental Anchore Enterprise upload functionality (anchore#1257)
  Update syft bootstrap tools to latest versions. (anchore#1254)
  Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (anchore#1253)
  Update syft bootstrap tools to latest versions. (anchore#1244)
  fix apkdb checksum representation (anchore#1247)
  feat: add identifiable field to source object (anchore#1243)
  feat: attest support for Singularity images (anchore#1201)
  Update syft bootstrap tools to latest versions. (anchore#1239)
  Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (anchore#1240)
  fix: Follow symlinks when searching for globs in all-layers scope (anchore#1221)

Makefile

@@ -7,13 +7,13 @@ LINTCMD = $(TEMPDIR)/golangci-lint run --tests=false --timeout=5m --config .gola
 GOIMPORTS_CMD = $(TEMPDIR)/gosimports -local github.com/anchore
 RELEASE_CMD=$(TEMPDIR)/goreleaser release --rm-dist
 SNAPSHOT_CMD=$(RELEASE_CMD) --skip-publish --snapshot
-GOLANGCILINT_VERSION = v1.49.0
+GOLANGCILINT_VERSION = v1.50.0
 GOSIMPORTS_VERSION = v0.3.2
 BOUNCER_VERSION = v0.4.0
 CHRONICLE_VERSION = v0.4.1
-GORELEASER_VERSION = v1.11.4
+GORELEASER_VERSION = v1.11.5
 YAJSV_VERSION = v1.4.1
-COSIGN_VERSION = v1.12.1
+COSIGN_VERSION = v1.13.0
 
 # formatting variables
 BOLD := $(shell tput -T linux bold)

README.md

@@ -610,28 +610,6 @@ log:
   # location to write the log file (default is not to have a log file)
   # same as SYFT_LOG_FILE env var
   file: ""
-
-# uploading package SBOM is exposed through the packages subcommand
-anchore:
-  # (feature-preview) the Anchore Enterprise Host or URL to upload results to (supported on Enterprise 3.0+)
-  # same as -H ; SYFT_ANCHORE_HOST env var
-  host: ""
-
-  # (feature-preview) the path after the host to the Anchore External API (supported on Enterprise 3.0+)
-  # same as SYFT_ANCHORE_PATH env var
-  path: ""
-
-  # (feature-preview) the username to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
-  # same as -u ; SYFT_ANCHORE_USERNAME env var
-  username: ""
-
-  # (feature-preview) the password to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
-  # same as -p ; SYFT_ANCHORE_PASSWORD env var
-  password: ""
-
-  # (feature-preview) path to dockerfile to be uploaded with the syft results to Anchore Enterprise (supported on Enterprise 3.0+)
-  # same as -d ; SYFT_ANCHORE_DOCKERFILE env var
-  dockerfile: ""
 ```
 
 ### Adding an SBOM to an image as an attestation using Syft

cmd/syft/cli/attest/attest.go

@@ -10,7 +10,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/pkg/errors"
 	sigopts "github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
@@ -108,7 +107,7 @@ func Run(ctx context.Context, app *config.Application, ko sigopts.KeyOpts, args
 	subscription := eventBus.Subscribe()
 
 	return eventloop.EventLoop(
-		execWorker(app, *si, format, predicateType, sv, app.File),
+		execWorker(app, *si, format, predicateType, sv),
 		eventloop.SetupSignals(),
 		subscription,
 		stereoscope.Cleanup,
@@ -144,14 +143,15 @@ func parseImageSource(userInput string, app *config.Application) (s *source.Inpu
 	switch si.ImageSource {
 	case image.UnknownSource, image.OciRegistrySource:
 		si.ImageSource = image.OciRegistrySource
+	case image.SingularitySource:
 	default:
 		return nil, fmt.Errorf("attest command can only be used with image sources fetch directly from the registry, but discovered an image source of %q when given %q", si.ImageSource, userInput)
 	}
 
 	return si, nil
 }
 
-func execWorker(app *config.Application, sourceInput source.Input, format sbom.Format, predicateType string, sv *sign.SignerVerifier, file string) <-chan error {
+func execWorker(app *config.Application, sourceInput source.Input, format sbom.Format, predicateType string, sv *sign.SignerVerifier) <-chan error {
 	errs := make(chan error)
 	go func() {
 		defer close(errs)
@@ -177,75 +177,102 @@ func execWorker(app *config.Application, sourceInput source.Input, format sbom.F
 			return
 		}
 
-		err = generateAttestation(app, sbomBytes, src, sv, predicateType, file)
+		signedPayload, err := generateAttestation(sourceInput, sbomBytes, src, sv, predicateType)
 		if err != nil {
 			errs <- err
 			return
 		}
+
+		err = publishAttestation(app, signedPayload, src, sv)
+		if err != nil {
+			errs <- err
+			return
+		}
+
+		bus.Publish(partybus.Event{
+			Type: event.Exit,
+			Value: func() error {
+				return nil
+			},
+		})
 	}()
 	return errs
 }
 
-func generateAttestation(app *config.Application, predicate []byte, src *source.Source, sv *sign.SignerVerifier, predicateType string, file string) error {
-	switch len(src.Image.Metadata.RepoDigests) {
-	case 0:
-		return fmt.Errorf("cannot generate attestation since no repo digests were found; make sure you're passing an OCI registry source for the attest command")
-	case 1:
-	default:
-		return fmt.Errorf("cannot generate attestation since multiple repo digests were found for the image: %+v", src.Image.Metadata.RepoDigests)
-	}
+func generateAttestation(si source.Input, predicate []byte, src *source.Source, sv *sign.SignerVerifier, predicateType string) ([]byte, error) {
+	var h v1.Hash
 
-	wrapped := dsse.WrapSigner(sv, intotoJSONDsseType)
-	ref, err := name.ParseReference(src.Metadata.ImageMetadata.UserInput)
-	if err != nil {
-		return err
-	}
+	switch si.ImageSource {
+	case image.OciRegistrySource:
+		switch len(src.Image.Metadata.RepoDigests) {
+		case 0:
+			return nil, fmt.Errorf("cannot generate attestation since no repo digests were found; make sure you're passing an OCI registry source for the attest command")
+		case 1:
+			d, err := name.NewDigest(src.Image.Metadata.RepoDigests[0])
+			if err != nil {
+				return nil, err
+			}
+
+			h, err = v1.NewHash(d.Identifier())
+			if err != nil {
+				return nil, err
+			}
+		default:
+			return nil, fmt.Errorf("cannot generate attestation since multiple repo digests were found for the image: %+v", src.Image.Metadata.RepoDigests)
+		}
 
-	digest, err := ociremote.ResolveDigest(ref)
-	if err != nil {
-		return err
+	case image.SingularitySource:
+		var err error
+		h, err = v1.NewHash(src.Image.Metadata.ID)
+		if err != nil {
+			return nil, err
+		}
 	}
 
-	h, _ := v1.NewHash(digest.Identifier())
-
 	sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
 		Predicate: bytes.NewBuffer(predicate),
 		Type:      predicateType,
 		Digest:    h.Hex,
 	})
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	payload, err := json.Marshal(sh)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(context.Background()))
-	if err != nil {
-		return errors.Wrap(err, "unable to sign SBOM")
-	}
+	wrapped := dsse.WrapSigner(sv, intotoJSONDsseType)
+	return wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(context.Background()))
+}
 
+// publishAttestation publishes signedPayload to the location specified by the user.
+func publishAttestation(app *config.Application, signedPayload []byte, src *source.Source, sv *sign.SignerVerifier) error {
+	switch {
 	// We want to give the option to not upload the generated attestation
 	// if passed or if the user is using local PKI
-	if app.Attest.NoUpload || app.Attest.KeyRef != "" {
-		bus.Publish(partybus.Event{
-			Type: event.Exit,
-			Value: func() error {
-				var err error
-				if file != "" {
-					err = os.WriteFile(file, signedPayload, 0600)
-				} else {
-					_, err = os.Stdout.Write(signedPayload)
-				}
-				return err
-			},
-		})
-		return nil
-	}
+	case app.Attest.NoUpload || app.Attest.KeyRef != "":
+		if app.File != "" {
+			return os.WriteFile(app.File, signedPayload, 0600)
+		}
 
-	return uploadAttestation(app, signedPayload, digest, sv)
+		_, err := os.Stdout.Write(signedPayload)
+		return err
+
+	default:
+		ref, err := name.ParseReference(src.Metadata.ImageMetadata.UserInput)
+		if err != nil {
+			return err
+		}
+
+		digest, err := ociremote.ResolveDigest(ref)
+		if err != nil {
+			return err
+		}
+
+		return uploadAttestation(app, signedPayload, digest, sv)
+	}
 }
 
 func trackUploadAttestation() (*progress.Stage, *progress.Manual) {
@@ -324,12 +351,6 @@ func uploadAttestation(app *config.Application, signedPayload []byte, digest nam
 
 	prog.SetCompleted()
 
-	bus.Publish(partybus.Event{
-		Type: event.Exit,
-		Value: func() error {
-			return nil
-		},
-	})
 	return nil
 }
 

cmd/syft/cli/options/packages.go

@@ -14,19 +14,13 @@ import (
 )
 
 type PackagesOptions struct {
-	Scope                  string
-	Output                 []string
-	OutputTemplatePath     string
-	File                   string
-	Platform               string
-	Host                   string
-	Username               string
-	Password               string
-	Dockerfile             string
-	Exclude                []string
-	OverwriteExistingImage bool
-	ImportTimeout          uint
-	Catalogers             []string
+	Scope              string
+	Output             []string
+	OutputTemplatePath string
+	File               string
+	Platform           string
+	Exclude            []string
+	Catalogers         []string
 }
 
 var _ Interface = (*PackagesOptions)(nil)
@@ -47,30 +41,12 @@ func (o *PackagesOptions) AddFlags(cmd *cobra.Command, v *viper.Viper) error {
 	cmd.Flags().StringVarP(&o.Platform, "platform", "", "",
 		"an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')")
 
-	cmd.Flags().StringVarP(&o.Host, "host", "H", "",
-		"the hostname or URL of the Anchore Enterprise instance to upload to")
-
-	cmd.Flags().StringVarP(&o.Username, "username", "u", "",
-		"the username to authenticate against Anchore Enterprise")
-
-	cmd.Flags().StringVarP(&o.Password, "password", "p", "",
-		"the password to authenticate against Anchore Enterprise")
-
-	cmd.Flags().StringVarP(&o.Dockerfile, "dockerfile", "d", "",
-		"include dockerfile for upload to Anchore Enterprise")
-
 	cmd.Flags().StringArrayVarP(&o.Exclude, "exclude", "", nil,
 		"exclude paths from being scanned using a glob expression")
 
 	cmd.Flags().StringArrayVarP(&o.Catalogers, "catalogers", "", nil,
 		"enable one or more package catalogers")
 
-	cmd.Flags().BoolVarP(&o.OverwriteExistingImage, "overwrite-existing-image", "", false,
-		"overwrite an existing image during the upload to Anchore Enterprise")
-
-	cmd.Flags().UintVarP(&o.ImportTimeout, "import-timeout", "", 30,
-		"set a timeout duration (in seconds) for the upload to Anchore Enterprise")
-
 	return bindPackageConfigOptions(cmd.Flags(), v)
 }
 
@@ -105,31 +81,5 @@ func bindPackageConfigOptions(flags *pflag.FlagSet, v *viper.Viper) error {
 		return err
 	}
 
-	// Upload options //////////////////////////////////////////////////////////
-
-	if err := v.BindPFlag("anchore.host", flags.Lookup("host")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.username", flags.Lookup("username")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.password", flags.Lookup("password")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.dockerfile", flags.Lookup("dockerfile")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.overwrite-existing-image", flags.Lookup("overwrite-existing-image")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.import-timeout", flags.Lookup("import-timeout")); err != nil {
-		return err
-	}
-
 	return nil
 }