Container image ghcr.io/interlynk-io/sbomqs doesn't run in GitLab CI/CD job #238

Closed
rutger-gerritsen opened this issue May 17, 2024 · 11 comments · Fixed by #239
Comments

@rutger-gerritsen

Container image ghcr.io/interlynk-io/sbomqs doesn't run in a GitLab CI/CD job. It doesn't meet the minimal image requirements to run it.

> Image requirements
> Any image used to run a CI/CD job must have the following applications installed: sh or bash and grep

It would be really nice if the sbomqs container image supported this so it can be used in a GitLab CI/CD pipeline.

@riteshnoronha
Contributor

Interesting. Let me get that fixed for you, give me a couple of days.

@riteshnoronha
Contributor

@rutger-gerritsen a fix is here #239, however I have no way to test it out in GitLab. If you can test it and let me know it works, then I can merge it.

@rutger-gerritsen
Author

> @rutger-gerritsen a fix is here #239, however I have no way to test it out in GitLab. If you can test it and let me know it works, then I can merge it.

@riteshnoronha the fix didn't work yet in our GitLab. I got it working in our GitLab by changing the following lines in the Dockerfile.

```dockerfile
COPY --from=builder /bin/bash /bin/bash
COPY --from=builder /bin/grep /bin/grep
```

to

```dockerfile
COPY --from=builder /bin/sh /bin/grep /bin/busybox /bin/touch /bin/chmod /bin/mkdir /bin/date /bin/
```

So sh instead of bash and some additional applications.

@rutger-gerritsen
Author

@riteshnoronha my feedback was incomplete. To get sbomqs dtrackScore to work with Let's Encrypt certificates, the certs need to be copied as well, and also /tmp. Here is the working Dockerfile that I use in my GitLab.

```dockerfile
FROM golang:1.22.2-alpine AS builder
LABEL org.opencontainers.image.source="https://github.com/interlynk-io/sbomqs"

RUN apk add --no-cache make git
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .

RUN make ; make build

FROM scratch
LABEL org.opencontainers.image.source="https://github.com/interlynk-io/sbomqs"
LABEL org.opencontainers.image.description="Quality metrics for your sboms"
LABEL org.opencontainers.image.licenses=Apache-2.0

# Shell and tools GitLab needs in a job image (Alpine's /bin tools are busybox applets)
COPY --from=builder /bin/sh /bin/grep /bin/busybox /bin/touch /bin/chmod /bin/mkdir /bin/date /bin/cat /bin/
# CA bundle so dtrackScore can talk to a Let's Encrypt-backed Dependency-Track
COPY --from=builder /etc/ssl/certs /etc/ssl/certs
# musl dynamic loader the busybox binaries are linked against
COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
COPY --from=builder /tmp /tmp
COPY --from=builder /usr/bin /usr/bin

# Copy our static executable
COPY --from=builder /app/build/sbomqs /app/sbomqs

# Disable version check
ENV INTERLYNK_DISABLE_VERSION_CHECK=true

ENTRYPOINT [ "/app/sbomqs" ]
```
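A small lint for the three things this thread tripped over, added here as an example and not sbomqs project code: it parses the final stage of a Dockerfile and checks GitLab's "sh or bash, plus grep" rule, that a multi-source COPY destination ends in `/`, and that `/bin` tools copied out of an Alpine builder come with the musl loader the working Dockerfile above had to add. The two sample Dockerfiles are constructed from the COPY lines in this thread.

```python
# GitLab's minimal job-image rule quoted in the issue: sh or bash, plus grep.
REQUIRED = [({"sh", "bash"}, "sh or bash"), ({"grep"}, "grep")]
# Alpine's /bin tools are musl-linked, so a scratch image needs the loader too.
MUSL_LOADER = "/lib/ld-musl-x86_64.so.1"

def parse_stages(dockerfile):
    """Split Dockerfile text into one string per FROM stage, in order."""
    stages = []
    for line in dockerfile.splitlines():
        if line.startswith("FROM"):
            stages.append([])
        if stages:
            stages[-1].append(line)
    return ["\n".join(s) for s in stages]

def stage_copies(stage):
    """Return (sources, destination) for every COPY in a stage, flags dropped."""
    copies = []
    for line in stage.splitlines():
        parts = line.split()
        if parts and parts[0] == "COPY":
            args = [p for p in parts[1:] if not p.startswith("--")]
            copies.append((args[:-1], args[-1]))
    return copies

def lint(dockerfile):
    """Return the problems found in the final stage; an empty list means it passes."""
    stages = parse_stages(dockerfile)
    alpine_builder = "alpine" in stages[0].splitlines()[0].lower()
    problems, sources = [], []
    for srcs, dest in stage_copies(stages[-1]):
        if len(srcs) > 1 and not dest.endswith("/"):
            problems.append(f"multi-source COPY needs a '/'-terminated dest: {dest}")
        sources.extend(srcs)
    names = {s.rsplit("/", 1)[-1] for s in sources}
    for wanted, label in REQUIRED:
        if not wanted & names:
            problems.append(f"GitLab job-image requirement missing: {label}")
    if alpine_builder and MUSL_LOADER not in sources and any(s.startswith("/bin/") for s in sources):
        problems.append(f"/bin tools copied from Alpine builder but {MUSL_LOADER} is not")
    return problems

# Constructed samples: the COPY lines of the first fix attempt and of the working Dockerfile.
FIRST_ATTEMPT = "\n".join(["FROM golang:1.22.2-alpine AS builder", "FROM scratch",
    "COPY --from=builder /bin/bash /bin/bash", "COPY --from=builder /bin/grep /bin/grep"])
WORKING = "\n".join(["FROM golang:1.22.2-alpine AS builder", "FROM scratch",
    "COPY --from=builder /bin/sh /bin/grep /bin/busybox /bin/touch /bin/chmod /bin/mkdir /bin/date /bin/cat /bin/",
    "COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1",
    "COPY --from=builder /app/build/sbomqs /app/sbomqs"])
```

`lint(FIRST_ATTEMPT)` reports only the missing loader, which matches what the first fix ran into; `lint(WORKING)` returns an empty list.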

@riteshnoronha
Contributor

Incorporated this here #240

@riteshnoronha
Contributor

Ok, merged. Do let us know your use case; I would love to learn more about it.

@rutger-gerritsen
Author

rutger-gerritsen commented May 21, 2024

@riteshnoronha Thanks for merging the changes :-) Hopefully you can publish it soon on ghcr.io/interlynk-io/sbomqs?

@rutger-gerritsen
Author

rutger-gerritsen commented May 21, 2024

We are generating SBOMs to comply with the Cyber Resilience Act (CRA) from the European Union.
This tool helps give us insight into whether the SBOM is accurate, complete, and up-to-date after it's generated.
The score determines whether our CI/CD pipeline fails, warns or continues. If it's a low score, the detailed report is used for further investigation.
The score is also added to our Dependency-Track projects to track the quality and give insight to our stakeholders.

@riteshnoronha
Contributor

@rutger-gerritsen yes, I will create a release this Friday.

This is a great use case. We have recently added compliance reports in sbomqs; we think CRA might eventually adopt BSI TR-03183 for SBOMs, so one of the first compliance reports we added is TR-03183. We plan to add a couple more compliance reports soon (NTIA minimum/OSS license/SCVS etc).

If your org would ever like to enrich SBOMs (eol/eos/purl/cpe) or distribute them, do keep us in mind; we are a great solution for it. Here is one way we are helping OSS projects manage and display their health: https://github.com/interlynk-io/sbomqs?tab=readme-ov-file#sbom-card.

As always, if you have any feature requests or bugs, do let us know and we will address them.

@rutger-gerritsen
Author

The compliance reports will help us a lot. Looking forward to the release. Thank you and keep up the great work!

@riteshnoronha
Contributor

v0.1.4 has been released.
