From 35988d53b70daefcdd67863f5b719559b911041a Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Mon, 15 Aug 2022 00:29:50 +0200 Subject: [PATCH 1/6] contributing files Signed-off-by: CrazyMax --- .github/CODE_OF_CONDUCT.md | 4 + .github/CONTRIBUTING.md | 286 +++++++++++++++++++++++++++++++++++++ LICENSE | 202 ++++++++++++++++++++++++++ README.md | 11 ++ readme.md | 1 - 5 files changed, 503 insertions(+), 1 deletion(-) create mode 100644 .github/CODE_OF_CONDUCT.md create mode 100644 .github/CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 README.md delete mode 100644 readme.md diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..cab302d --- /dev/null +++ b/.github/CODE_OF_CONDUCT.md @@ -0,0 +1,4 @@ +# Code of conduct + +- [Moby community guidelines](https://github.com/moby/moby/blob/master/CONTRIBUTING.md#moby-community-guidelines) +- [Docker Code of Conduct](https://github.com/docker/code-of-conduct) diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md new file mode 100644 index 0000000..ae6aaac --- /dev/null +++ b/.github/CONTRIBUTING.md 
@@ -0,0 +1,286 @@ +# Contribute to the go-imageinspect project + +This page contains information about reporting issues as well as some tips and +guidelines useful to experienced open source contributors. + +## Reporting security issues + +The project maintainers take security seriously. If you discover a security +issue, please bring it to their attention right away! + +**Please _DO NOT_ file a public issue**, instead send your report privately to +[security@docker.com](mailto:security@docker.com). + +Security reports are greatly appreciated and we will publicly thank you for it. +We also like to send gifts—if you're into schwag, make sure to let +us know. We currently do not offer a paid security bounty program, but are not +ruling it out in the future. + + +## Reporting other issues + +A great way to contribute to the project is to send a detailed report when you +encounter an issue. We always appreciate a well-written, thorough bug report, +and will thank you for it! + +Check that [our issue database](https://github.com/docker/go-imageinspect/issues) +doesn't already include that problem or suggestion before submitting an issue. +If you find a match, you can use the "subscribe" button to get notified on +updates. Do *not* leave random "+1" or "I have this too" comments, as they +only clutter the discussion, and don't help resolving it. However, if you +have ways to reproduce the issue or have additional information that may help +resolving the issue, please leave a comment. + +Include the steps required to reproduce the problem if possible and applicable. +This information will help us review and fix your issue faster. When sending +lengthy log-files, consider posting them as an attachment, instead of posting +inline. + +**Do not forget to remove sensitive data from your logfiles before submitting** +(you can replace those parts with "REDACTED"). + +### Pull requests are always welcome + +Not sure if that typo is worth a pull request? 
Found a bug and know how to fix +it? Do it! We will appreciate it. + +If your pull request is not accepted on the first try, don't be discouraged! If +there's a problem with the implementation, hopefully you received feedback on +what to improve. + +We're trying very hard to keep Buildx lean and focused. We don't want it to +do everything for everybody. This means that we might decide against +incorporating a new feature. However, there might be a way to implement that +feature *on top of* Buildx. + +### Design and cleanup proposals + +You can propose new designs for existing features. You can also design +entirely new features. We really appreciate contributors who want to refactor or +otherwise cleanup our project. + +### Sign your work + +The sign-off is a simple line at the end of the explanation for the patch. Your +signature certifies that you wrote the patch or otherwise have the right to pass +it on as an open-source patch. The rules are pretty simple: if you can certify +the below (from [developercertificate.org](http://developercertificate.org/)): + +``` +Developer Certificate of Origin +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. +1 Letterman Drive +Suite D4700 +San Francisco, CA, 94129 + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. 
+ +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +``` + +Then you just add a line to every git commit message: + + 
Signed-off-by: Joe Smith + +**Use your real name** (sorry, no pseudonyms or anonymous contributions.) + +If you set your `user.name` and `user.email` git configs, you can sign your +commit automatically with `git commit -s`. + +### Run the unit- and integration-tests + +To validate PRs before submitting them you should run: + +```console +$ docker buildx bake validate test +``` + +To generate new vendored with go modules run: + +```console +$ docker buildx bake vendor-update +``` + + +### Conventions + +- Fork the repository and make changes on your fork in a feature branch +- Submit tests for your changes. See [run the unit- and integration-tests](#run-the-unit--and-integration-tests) + for details. +- [Sign your work](#sign-your-work) + +Write clean code. Universally formatted code promotes ease of writing, reading, +and maintenance. Always run `gofmt -s -w file.go` on each changed file before +committing your changes. Most editors have plug-ins that do this automatically. + +Pull request descriptions should be as clear as possible and include a +reference to all the issues that they address. Be sure that the [commit +messages](#commit-messages) also contain the relevant information. + +### Successful Changes + +Before contributing large or high impact changes, make the effort to coordinate +with the maintainers of the project before submitting a pull request. This +prevents you from doing extra work that may or may not be merged. + +Large PRs that are just submitted without any prior communication are unlikely +to be successful. + +While pull requests are the methodology for submitting changes to code, changes +are much more likely to be accepted if they are accompanied by additional +engineering work. While we don't define this explicitly, most of these goals +are accomplished through communication of the design goals and subsequent +solutions. Often times, it helps to first state the problem before presenting +solutions. 
+ +Typically, the best methods of accomplishing this are to submit an issue, +stating the problem. This issue can include a problem statement and a +checklist with requirements. If solutions are proposed, alternatives should be +listed and eliminated. Even if the criteria for elimination of a solution is +frivolous, say so. + +Larger changes typically work best with design documents. These are focused on +providing context to the design at the time the feature was conceived and can +inform future documentation contributions. + +### Commit Messages + +Commit messages must start with a capitalized and short summary (max. 50 chars) +written in the imperative, followed by an optional, more detailed explanatory +text which is separated from the summary by an empty line. + +Commit messages should follow best practices, including explaining the context +of the problem and how it was solved, including in caveats or follow up changes +required. They should tell the story of the change and provide readers +understanding of what led to it. + +If you're lost about what this even means, please see [How to Write a Git +Commit Message](http://chris.beams.io/posts/git-commit/) for a start. + +In practice, the best approach to maintaining a nice commit message is to +leverage a `git add -p` and `git commit --amend` to formulate a solid +changeset. This allows one to piece together a change, as information becomes +available. + +If you squash a series of commits, don't just submit that. Re-write the commit +message, as if the series of commits was a single stroke of brilliance. + +That said, there is no requirement to have a single commit for a PR, as long as +each commit tells the story. For example, if there is a feature that requires a +package, it might make sense to have the package in a separate commit then have +a subsequent commit that uses it. + +Remember, you're telling part of the story with the commit message. Don't make +your chapter weird. 
+ +### Review + +Code review comments may be added to your pull request. Discuss, then make the +suggested modifications and push additional commits to your feature branch. Post +a comment after pushing. New commits show up in the pull request automatically, +but the reviewers are notified only when you comment. + +Pull requests must be cleanly rebased on top of master without multiple branches +mixed into the PR. + +> **Git tip**: If your PR no longer merges cleanly, use `rebase master` in your +> feature branch to update your pull request rather than `merge master`. + +Before you make a pull request, squash your commits into logical units of work +using `git rebase -i` and `git push -f`. A logical unit of work is a consistent +set of patches that should be reviewed together: for example, upgrading the +version of a vendored dependency and taking advantage of its now available new +feature constitute two separate units of work. Implementing a new function and +calling it in another file constitute a single logical unit of work. The very +high majority of submissions should have a single commit, so if in doubt: squash +down to one. + +- After every commit, [make sure the test suite passes](#run-the-unit--and-integration-tests). + Include documentation changes in the same pull request so that a revert would + remove all traces of the feature or fix. +- Include an issue reference like `closes #XXXX` or `fixes #XXXX` in the PR + description that close an issue. Including references automatically closes + the issue on a merge. +- Do not add yourself to the `AUTHORS` file, as it is regenerated regularly + from the Git history. +- See the [Coding Style](#coding-style) for further guidelines. + + +### Merge approval + +Project maintainers use LGTM (Looks Good To Me) in comments on the code review to +indicate acceptance, or use the Github review approval feature. + + +## Coding Style + +Unless explicitly stated, we follow all coding guidelines from the Go +community. 
While some of these standards may seem arbitrary, they somehow seem +to result in a solid, consistent codebase. + +It is possible that the code base does not currently comply with these +guidelines. We are not looking for a massive PR that fixes this, since that +goes against the spirit of the guidelines. All new contributions should make a +best effort to clean up and make the code base better than they left it. +Obviously, apply your best judgement. Remember, the goal here is to make the +code base easier for humans to navigate and understand. Always keep that in +mind when nudging others to comply. + +The rules: + +1. All code should be formatted with `gofmt -s`. +2. All code should pass the default levels of + [`golint`](https://github.com/golang/lint). +3. All code should follow the guidelines covered in [Effective + Go](http://golang.org/doc/effective_go.html) and [Go Code Review + Comments](https://github.com/golang/go/wiki/CodeReviewComments). +4. Comment the code. Tell us the why, the history and the context. +5. Document _all_ declarations and methods, even private ones. Declare + expectations, caveats and anything else that may be important. If a type + gets exported, having the comments already there will ensure it's ready. +6. Variable name length should be proportional to its context and no longer. + `noCommaALongVariableNameLikeThisIsNotMoreClearWhenASimpleCommentWouldDo`. + In practice, short methods will have short variable names and globals will + have longer names. +7. No underscores in package names. If you need a compound name, step back, + and re-examine why you need a compound name. If you still think you need a + compound name, lose the underscore. +8. No utils or helpers packages. If a function is not general enough to + warrant its own package, it has not been written generally enough to be a + part of a util package. Just leave it unexported and well-documented. +9. 
All tests should run with `go test` and outside tooling should not be + required. No, we don't need another unit testing framework. Assertion + packages are acceptable if they provide _real_ incremental value. +10. Even though we call these "rules" above, they are actually just + guidelines. Since you've read all the rules, you now know that. + +If you are having trouble getting into the mood of idiomatic Go, we recommend +reading through [Effective Go](https://golang.org/doc/effective_go.html). The +[Go Blog](https://blog.golang.org) is also a great resource. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d645695 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..a8c5bc2 --- /dev/null +++ b/README.md @@ -0,0 +1,11 @@ +[![CI Status](https://img.shields.io/github/workflow/status/docker/go-imageinspect/ci?label=ci&logo=github&style=flat-square)](https://github.com/docker/go-imageinspect/actions?query=workflow%3Aci) + +## About + +Go library for accessing container images with their associated objects, typed +metadata and verified signatures. + +## Contributing + +Want to contribute? Awesome! You can find information about contributing to +this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md) diff --git a/readme.md b/readme.md deleted file mode 100644 index c1ff672..0000000 --- a/readme.md +++ /dev/null 
@@ -1 +0,0 @@ -Go library for accessing container images with their associated objects, typed metadata and verified signatures. \ No newline at end of file From 2ac94bc2e05c7d93669f66032ef4d0dae3f3f59c Mon Sep 17 00:00:00 2001 From: Tonis Tiigi Date: Fri, 19 Aug 2022 21:35:00 -0700 Subject: [PATCH 2/6] fix handling empty buildinfo in image config Signed-off-by: Tonis Tiigi --- buildinfo.go | 10 ++++++++-- sbom.go | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/buildinfo.go b/buildinfo.go index 15c0d33..aa1d286 100644 --- a/buildinfo.go +++ b/buildinfo.go @@ -10,6 +10,7 @@ import ( "github.com/containerd/containerd/remotes" binfotypes "github.com/moby/buildkit/util/buildinfo/types" ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/pkg/errors" ) func (l *Loader) scanBuildInfo(ctx context.Context, fetcher remotes.Fetcher, desc ocispec.Descriptor, img *Image) error { @@ -21,19 +22,24 @@ func (l *Loader) scanBuildInfo(ctx context.Context, fetcher remotes.Fetcher, des if err != nil { return err } + var cfg binfotypes.ImageConfig if err := json.Unmarshal(dt, &cfg); err != nil { return err } + if cfg.BuildInfo == "" { + return nil + } + dt, err = base64.StdEncoding.DecodeString(cfg.BuildInfo) if err != nil { - return err + return errors.Wrapf(err, "failed to decode buildinfo base64") } var bi binfotypes.BuildInfo if err := json.Unmarshal(dt, &bi); err != nil { - return err + return errors.Wrapf(err, "failed to decode buildinfo") } p := img.Provenance diff --git a/sbom.go b/sbom.go index aa64195..e7f89a6 100644 --- a/sbom.go +++ b/sbom.go @@ -163,7 +163,7 @@ func normalizeSBOM(sbom *SBOM) { func decodeSPDX(dt []byte) (s *spdx.Document2_2, err error) { defer func() { - // The spdx tools JSON parser is reported to be panicing sometimes + // The spdx tools JSON parser is reported to be panicking sometimes if v := recover(); v != nil { s = nil err = errors.Errorf("an error occurred during SPDX JSON document parsing: %+v", v) 
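Review bot: The new `.github/CONTRIBUTING.md` in PATCH 1/6 still names Buildx in the "Pull requests are always welcome" section ("keep Buildx lean and focused", "implement that feature *on top of* Buildx") even though the heading says "Contribute to the go-imageinspect project"; replace both mentions with go-imageinspect so contributors are not pointed at the wrong project. In the same file, rule 2 under "Coding Style" asks for `golint`, but the repository is linted with `golangci-lint` (with `revive` enabled) elsewhere in this series, so the rule should reference `golangci-lint run ./...` (or `docker buildx bake lint`) instead of a tool the project does not use.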
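Review bot: In the second `buildinfo.go` hunk of PATCH 2/6, both new error returns use `errors.Wrapf` with a message that contains no format verbs and no extra arguments; `errors.Wrap(err, "failed to decode buildinfo base64")` and `errors.Wrap(err, "failed to decode buildinfo")` express the same thing without the needless formatting pass. The early `return nil` on `cfg.BuildInfo == ""` is the right outcome for an image whose config carries no build info, but it is silent and a later reader cannot tell whether the absence was deliberate; a one-line comment above it (for example, "image config has no buildinfo: nothing to attach") would save them a trip to the commit history. Since the config blob is fetched from a remote registry, wrapping the base64 and JSON failures with a message is also useful for operators, who can now distinguish "config has no buildinfo" from "config has unparseable buildinfo" in logs.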
@@ -172,7 +172,7 @@ func decodeSPDX(dt []byte) (s *spdx.Document2_2, err error) { doc, err := jsonloader.Load2_2(bytes.NewReader(dt)) if err != nil { - return nil, errors.Errorf("unable to decode spdx: %w", err) + return nil, errors.Wrap(err, "unable to decode spdx") } return doc, nil } From 30adff429c9543cba157bde9fca1a5468d10095b Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Mon, 15 Aug 2022 00:14:28 +0200 Subject: [PATCH 3/6] golangci-lint and fix lint issues Signed-off-by: CrazyMax --- .golangci.yml | 34 ++++++++++++++++++++++++++++++++++ testutil/env.go | 3 +-- 2 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 .golangci.yml diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 0000000..4eaf96f --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,34 @@ +run: + timeout: 10m + +linters: + enable: + - gofmt + - govet + - deadcode + - depguard + - goimports + - ineffassign + - misspell + - unused + - varcheck + - revive + - staticcheck + - typecheck + #- structcheck # FIXME: structcheck is disabled because of generics: https://github.com/golangci/golangci-lint/issues/2649 + disable-all: true + +linters-settings: + depguard: + list-type: blacklist + include-go-root: true + packages: + # The io/ioutil package has been deprecated. + # https://go.dev/doc/go1.16#ioutil + - io/ioutil + +issues: + exclude-rules: + - linters: + - revive + text: "stutters" diff --git a/testutil/env.go b/testutil/env.go index 3271416..7f15062 100644 --- a/testutil/env.go +++ b/testutil/env.go @@ -5,7 +5,6 @@ import ( "context" "encoding/json" "io" - "io/ioutil" "sync" "testing" @@ -130,7 +129,7 @@ func (e *Env) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser if !ok { return nil, errors.Errorf("blob %s not found", desc.Digest) } - return ioutil.NopCloser(bytes.NewReader(dt)), nil + return io.NopCloser(bytes.NewReader(dt)), nil } func (e *Env) Pusher(ctx context.Context, ref string) (remotes.Pusher, error) { 
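Review bot: The change in the second `sbom.go` hunk of PATCH 2/6 from `errors.Errorf("unable to decode spdx: %w", err)` to `errors.Wrap(err, "unable to decode spdx")` is a correctness fix, not just a style one: `github.com/pkg/errors.Errorf` formats through `fmt.Sprintf`, which does not understand the `%w` verb, so the old line produced a message containing a literal `%!w(...)` and dropped the wrapped cause. `errors.Wrap` keeps the original error reachable through `errors.Cause` and the standard `errors.Is`/`errors.As` unwrapping, which matters here because the surrounding `recover()` path already turns parser panics into errors and callers may want to tell the two failure modes apart.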
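Review bot: The `.golangci.yml` hunk in PATCH 3/6 enables `deadcode` and `varcheck`, which newer golangci-lint releases deprecate in favour of the `unused` linter that is already in the list; that is harmless while the Dockerfile in this series pins `golangci/golangci-lint:v1.48-alpine`, but the two entries can be dropped now to avoid deprecation warnings on the next bump. For a library whose job is to fetch and parse untrusted image metadata (SBOMs, buildinfo, signatures), consider adding `gosec` to the `enable:` list as well; it runs under the same `docker buildx bake lint` target and catches the usual unchecked-error and unsafe-conversion patterns in parsing code. The `depguard` block that bans `io/ioutil` is a good fit for the `ioutil.NopCloser` -> `io.NopCloser` change in `testutil/env.go` in this same patch.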
From 6246990ea78c6f62ac7ecd9a94a922a98aeeb491 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Mon, 15 Aug 2022 00:09:29 +0200 Subject: [PATCH 4/6] add Dockerfile and bake definition Signed-off-by: CrazyMax --- .dockerignore | 1 + .gitignore | 1 + Dockerfile | 78 +++++++++++++++++++++++++++++++++++++++++++++++++ docker-bake.hcl | 46 +++++++++++++++++++++++++++++ 4 files changed, 126 insertions(+) create mode 100644 .dockerignore create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 docker-bake.hcl diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..e660fd9 --- /dev/null +++ b/.dockerignore @@ -0,0 +1 @@ +bin/ diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e660fd9 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +bin/ diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..9501667 --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,78 @@ +# syntax=docker/dockerfile:1 + +ARG GO_VERSION="1.19" +ARG GOLANGCI_LINT_VERSION="v1.48" +ARG ADDLICENSE_VERSION="v1.0.0" + +ARG LICENSE_ARGS="-c go-imageinspect -l apache" +ARG LICENSE_FILES=".*\(Dockerfile\|\.go\|\.hcl\|\.sh\)" + +FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint +FROM ghcr.io/google/addlicense:${ADDLICENSE_VERSION} AS addlicense + +FROM golang:${GO_VERSION}-alpine AS base +RUN apk add --no-cache cpio findutils git linux-headers +ENV CGO_ENABLED=0 +WORKDIR /src + +FROM base AS build-base +COPY go.* . +RUN --mount=type=cache,target=/go/pkg/mod \ + --mount=type=cache,target=/root/.cache/go-build \ + go mod download + +FROM base AS vendored +RUN --mount=type=bind,target=.,rw \ + --mount=type=cache,target=/go/pkg/mod \ + go mod tidy && mkdir /out && cp go.mod go.sum /out + +FROM scratch AS vendor-update +COPY --from=vendored /out / + +FROM vendored AS vendor-validate +RUN --mount=type=bind,target=.,rw <&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"' + echo "$diff" + exit 1 +fi +EOT + +FROM build-base AS lint +RUN --mount=type=bind,target=. \ + --mount=type=cache,target=/root/.cache \ + --mount=type=cache,target=/go/pkg/mod \ + --mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \ + golangci-lint run ./... + +FROM base AS license-set +ARG LICENSE_ARGS +ARG LICENSE_FILES +RUN --mount=type=bind,target=.,rw \ + --mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \ + find . -regex "${LICENSE_FILES}" | xargs addlicense ${LICENSE_ARGS} \ + && mkdir /out \ + && find . -regex "${LICENSE_FILES}" | cpio -pdm /out + +FROM scratch AS license-update +COPY --from=license-set /out / + +FROM base AS license-validate +ARG LICENSE_ARGS +ARG LICENSE_FILES +RUN --mount=type=bind,target=. \ + --mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \ + find . 
-regex "${LICENSE_FILES}" | xargs addlicense -check ${LICENSE_ARGS} + +FROM build-base AS test +RUN --mount=type=bind,target=. \ + --mount=type=cache,target=/root/.cache \ + --mount=type=cache,target=/go/pkg/mod \ + go test -v -coverprofile=/tmp/coverage.txt -covermode=atomic ./... + +FROM scratch AS test-coverage +COPY --from=test /tmp/coverage.txt /coverage.txt diff --git a/docker-bake.hcl b/docker-bake.hcl new file mode 100644 index 0000000..2d3cf4f --- /dev/null +++ b/docker-bake.hcl @@ -0,0 +1,46 @@ +# Defines the output folder +variable "DESTDIR" { + default = "" +} +function "bindir" { + params = [defaultdir] + result = DESTDIR != "" ? DESTDIR : "./bin/${defaultdir}" +} + +group "default" { + targets = ["test"] +} + +group "validate" { + targets = ["lint", "vendor-validate", "license-validate"] +} + +target "lint" { + target = "lint" + output = ["type=cacheonly"] +} + +target "vendor-validate" { + target = "vendor-validate" + output = ["type=cacheonly"] +} + +target "vendor-update" { + target = "vendor-update" + output = ["."] +} + +target "test" { + target = "test-coverage" + output = [bindir("coverage")] +} + +target "license-validate" { + target = "license-validate" + output = ["type=cacheonly"] +} + +target "license-update" { + target = "license-update" + output = ["."] +} From 8036e5aad6314668185a68cf56fdeb6fd6faa28d Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Mon, 15 Aug 2022 00:07:28 +0200 Subject: [PATCH 5/6] ci workflow Signed-off-by: CrazyMax --- .github/dependabot.yml | 10 ++++++++ .github/workflows/ci.yml | 52 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/ci.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..8d77e58 --- /dev/null +++ b/.github/dependabot.yml 
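Review bot: in the Dockerfile hunk, every base image is selected by a mutable tag (`golang:${GO_VERSION}-alpine` with `GO_VERSION="1.19"`, `golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine` with `v1.48`, `ghcr.io/google/addlicense:${ADDLICENSE_VERSION}`), so the lint, license and test stages are not reproducible and a retagged upstream image changes what CI runs; pin each `FROM` to a full tag plus `@sha256:` digest (keeping the ARG for the human-readable version) and let the update tooling bump the digest. Two smaller points in the same hunk: the `license-set` and `license-validate` stages pipe `find . -regex "${LICENSE_FILES}"` into `xargs` without `-print0`/`-0` and without `-type f`, so a path containing whitespace or a directory whose name ends in `.sh` would break or be mis-handled, and the heredoc body of the `vendor-validate` stage is garbled in this rendering (`RUN --mount=type=bind,target=.,rw <&2 'ERROR: ...`), so the go.mod/go.sum comparison it performs should be re-reviewed against the actual patch rather than from this page.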
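Review bot: in the docker-bake.hcl hunk, the `vendor-update` and `license-update` targets use `output = ["."]`, which writes the `vendor-update` and `license-update` stages straight into the checkout and overwrites `go.mod`, `go.sum` and every file matching `LICENSE_FILES`; that is the intent, but it deserves a line in CONTRIBUTING.md saying these targets modify the working tree. Also note that `bindir()` returns `DESTDIR` itself rather than `DESTDIR/<defaultdir>` when `DESTDIR` is set, so with `DESTDIR=./bin` the `test` target lands `coverage.txt` at `./bin/coverage.txt` instead of `./bin/coverage/coverage.txt`; this matches the path the CI workflow uploads, but a comment on the function would save the next reader from guessing.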
@@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + open-pull-requests-limit: 10 + directory: "/" + schedule: + interval: "daily" + labels: + - "dependencies" + - "bot" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..32a196e --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,52 @@ +name: ci + +on: + push: + branches: + - 'main' + tags: + - 'v*' + pull_request: + +env: + DESTDIR: "./bin" + +jobs: + validate: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + target: + - lint + - vendor-validate + - license-validate + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - + name: Validate + uses: docker/bake-action@v2 + with: + targets: ${{ matrix.target }} + + test: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Test + uses: docker/bake-action@v2 + with: + targets: test + - + name: Upload coverage + uses: codecov/codecov-action@v3 + with: + file: ${{ env.DESTDIR }}/coverage.txt From 970142d2a2dcdb6f1a7eff908404e1412a3aefe2 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Mon, 15 Aug 2022 00:10:39 +0200 Subject: [PATCH 6/6] set license headers Signed-off-by: CrazyMax --- Dockerfile | 14 ++++++++++++++ buildinfo.go | 14 ++++++++++++++ cmd/imageinspect/main.go | 16 +++++++++++++++- docker-bake.hcl | 14 ++++++++++++++ load.go | 14 ++++++++++++++ load_test.go | 16 +++++++++++++++- provenance.go | 14 ++++++++++++++ sbom.go | 14 ++++++++++++++ testutil/env.go | 14 ++++++++++++++ testutil/image.go | 14 ++++++++++++++ types.go | 14 ++++++++++++++ 11 files changed, 156 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9501667..78e7929 100644 --- a/Dockerfile +++ b/Dockerfile 
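Review bot: the dependabot.yml hunk only registers the `github-actions` ecosystem, while the repository has a `go.mod` (the Dockerfile's `COPY go.* .` and `go mod download`) and `cmd/imageinspect/main.go` imports `github.com/containerd/containerd` and `github.com/moby/buildkit`; add a `package-ecosystem: "gomod"` entry with the same labels and schedule so Go dependency updates get the same treatment, and consider a `docker` entry for the Dockerfile base images.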
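Review bot: the ci.yml hunk references `actions/checkout@v3`, `docker/setup-buildx-action@v2`, `docker/bake-action@v2` and `codecov/codecov-action@v3` by floating major tags and declares no `permissions:` block, so every job runs with the default `GITHUB_TOKEN` scope and picks up whatever each tag points at on the day it runs; since the workflow also runs on `pull_request`, pin each `uses:` to a full commit SHA (with the version in a trailing comment so the dependabot configuration in this same patch can keep it current) and add a top-level `permissions:` with `contents: read`, which is all that checkout, bake and the coverage upload need here.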
@@ -1,5 +1,19 @@ # syntax=docker/dockerfile:1 +# Copyright 2022 go-imageinspect authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + ARG GO_VERSION="1.19" ARG GOLANGCI_LINT_VERSION="v1.48" ARG ADDLICENSE_VERSION="v1.0.0" diff --git a/buildinfo.go b/buildinfo.go index aa1d286..0878e3f 100644 --- a/buildinfo.go +++ b/buildinfo.go @@ -1,3 +1,17 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package imageinspect import ( diff --git a/cmd/imageinspect/main.go b/cmd/imageinspect/main.go index 0998871..de43054 100644 --- a/cmd/imageinspect/main.go +++ b/cmd/imageinspect/main.go 
@@ -1,3 +1,17 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package main import ( @@ -7,9 +21,9 @@ import ( "os" "github.com/containerd/containerd/remotes/docker" + "github.com/docker/go-imageinspect" "github.com/moby/buildkit/util/appcontext" "github.com/pkg/errors" - "github.com/docker/go-imageinspect" ) func main() { diff --git a/docker-bake.hcl b/docker-bake.hcl index 2d3cf4f..67bd4e9 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,3 +1,17 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + # Defines the output folder variable "DESTDIR" { default = "" diff --git a/load.go b/load.go index 3f515d5..b103814 100644 --- a/load.go +++ b/load.go 
@@ -1,3 +1,17 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package imageinspect import ( diff --git a/load_test.go b/load_test.go index b5ca521..b1bea6a 100644 --- a/load_test.go +++ b/load_test.go @@ -1,12 +1,26 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package imageinspect import ( "context" "testing" + "github.com/docker/go-imageinspect/testutil" ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/stretchr/testify/require" - "github.com/docker/go-imageinspect/testutil" ) func TestSingleArchManifest(t *testing.T) { diff --git a/provenance.go b/provenance.go index 7c101e4..4ff5c33 100644 --- a/provenance.go +++ b/provenance.go 
@@ -1,3 +1,17 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package imageinspect type Provenance struct { // TODO: this is only a stub, to be refactored later diff --git a/sbom.go b/sbom.go index e7f89a6..a70b261 100644 --- a/sbom.go +++ b/sbom.go @@ -1,3 +1,17 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package imageinspect import ( diff --git a/testutil/env.go b/testutil/env.go index 7f15062..ee41a4c 100644 --- a/testutil/env.go +++ b/testutil/env.go 
@@ -1,3 +1,17 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package testutil import ( diff --git a/testutil/image.go b/testutil/image.go index 5a84395..60177f4 100644 --- a/testutil/image.go +++ b/testutil/image.go @@ -1,3 +1,17 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package testutil import ( diff --git a/types.go b/types.go index 669e8fb..159b1a1 100644 --- a/types.go +++ b/types.go 
@@ -1,3 +1,17 @@ +// Copyright 2022 go-imageinspect authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package imageinspect import "github.com/opencontainers/go-digest"
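Review bot: in the Dockerfile hunk of this patch, the license header is correctly inserted below `# syntax=docker/dockerfile:1`, which must stay on line 1 for BuildKit to honour it (the `RUN --mount=...` flags and the `<<EOT` heredoc in this Dockerfile depend on that directive and would fail to parse without it); because `docker buildx bake license-update` rewrites files through `addlicense`, please confirm that re-running it leaves the directive first rather than prepending the header above it, and keep `license-validate` in CI so a regression is caught.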
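Review bot: the cmd/imageinspect/main.go hunk (and the load_test.go hunk in the same patch) also reorders the import block, moving `github.com/docker/go-imageinspect` from the end of the group into alphabetical position; that is the goimports ordering and fine on its own, but it is unrelated to "set license headers" and is easy to miss in a header-only commit, so either mention it in the commit message or split it out.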
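Review bot: the docker-bake.hcl hunk adds the header with `//` comments directly above the existing `# Defines the output folder` line, so the file now mixes both HCL comment styles; both are valid HCL, and `//` is what `addlicense` emits for `.hcl`, so the cleanest fix is to switch the remaining `#` comments in that file to `//` so the next `license-update` run leaves a consistent file.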