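# Project locations #################################
BIN := grype-db
SOURCE_REPO_URL := https://github.com/anchore/grype-db
TEMP_DIR := ./.tmp
RESULTS_DIR := $(TEMP_DIR)/results
DB_ARCHIVE := ./grype-db-cache.tar.gz
GRYPE_DB := go run ./cmd/$(BIN)/main.go -c config/grype-db/publish-nightly.yaml
GRYPE_DB_DATA_IMAGE_NAME := ghcr.io/anchore/$(BIN)/data
# Registry tag for today's provider cache (UTC, two-digit year). Expanded once (":=") so
# every push/tag/pull in a single make run uses the same day; a recursive "=" re-ran
# `date` on each reference and could straddle midnight between `oras push` and `crane tag`.
# Changing the format breaks lookup of tags already published under it.
date := $(shell date -u +"%y-%m-%d")
# Command templates #################################
LINT_CMD := $(TEMP_DIR)/golangci-lint run --config .golangci.yaml
GOIMPORTS_CMD := $(TEMP_DIR)/gosimports -local github.com/anchore
RELEASE_CMD := $(TEMP_DIR)/goreleaser release --rm-dist
# NOTE(review): SNAPSHOT_CMD used to be defined twice; the later (winning) definition
# carried no --skip-sign, so snapshot builds run goreleaser's signing step. That effective
# value is kept here — confirm whether --skip-sign was meant to apply to snapshots.
SNAPSHOT_CMD := $(RELEASE_CMD) --skip-publish --snapshot
CHRONICLE_CMD := $(TEMP_DIR)/chronicle
GLOW_CMD := $(TEMP_DIR)/glow
# Tool versions #################################
GOLANGCILINT_VERSION := v1.62.2
GOSIMPORTS_VERSION := v0.3.8
BOUNCER_VERSION := v0.4.0
CHRONICLE_VERSION := v0.8.0
GORELEASER_VERSION := v1.26.2
CRANE_VERSION := v0.16.1
GLOW_VERSION := v1.5.0
# Formatting variables #################################
# `-T linux` so the escape sequences resolve even when TERM is unset (CI)
BOLD := $(shell tput -T linux bold)
PURPLE := $(shell tput -T linux setaf 5)
GREEN := $(shell tput -T linux setaf 2)
CYAN := $(shell tput -T linux setaf 6)
RED := $(shell tput -T linux setaf 1)
RESET := $(shell tput -T linux sgr0)
TITLE := $(BOLD)$(PURPLE)
SUCCESS := $(BOLD)$(GREEN)
# Test variables #################################
# the quality gate lower threshold for unit test total % coverage (by function statements)
COVERAGE_THRESHOLD := 55
DIST_DIR := ./dist
CHANGELOG := CHANGELOG.md
SNAPSHOT_DIR := ./snapshot
OS := $(shell uname | tr '[:upper:]' '[:lower:]')
# $(CURDIR) is make's own absolute working directory; no need to fork `pwd`.
# NOTE(review): the arch segment is hard-coded to amd64_v1 (appears to be goreleaser's
# <os>_<arch>_<goamd64> naming), so cli-go will not find the binary from an arm64
# snapshot build — confirm against .goreleaser.yaml.
SNAPSHOT_BIN := $(abspath $(CURDIR)/$(SNAPSHOT_DIR)/$(OS)-build_$(OS)_amd64_v1/$(BIN))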
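# Guarded `rm -rf`: exits non-zero and deletes nothing when the argument expands to
# empty. The earlier `test -z X && false || rm -rf X` form fell through to the rm on an
# empty X (A && B || C runs C when B fails), which for the children variant expanded
# to `rm -rf /*`; the parse-time variable assertions below were the only thing
# preventing that. The path is quoted so a value with spaces is a single operand.
define safe_rm_rf
bash -c '[ -n "$(1)" ] && rm -rf "$(1)"'
endef
# Same guard, but removes only the contents of the directory (the directory is kept).
# The trailing /* stays outside the quotes so the shell expands the glob.
define safe_rm_rf_children
bash -c '[ -n "$(1)" ] && rm -rf "$(1)"/*'
endef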
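# Fall back to git metadata when VERSION is not supplied on the command line.
# ":=" so `git describe` forks once per make invocation instead of on every reference.
ifeq "$(strip $(VERSION))" ""
override VERSION := $(shell git describe --always --tags --dirty)
endif
## Variable assertions
# Fail at parse time rather than letting an empty path reach a recipe (these are the
# values handed to safe_rm_rf / safe_rm_rf_children and used as output locations).
ifndef TEMP_DIR
$(error TEMP_DIR is not set)
endif
ifndef RESULTS_DIR
$(error RESULTS_DIR is not set)
endif
ifndef DIST_DIR
$(error DIST_DIR is not set)
endif
ifndef SNAPSHOT_DIR
$(error SNAPSHOT_DIR is not set)
endif
# Print a bold/purple section heading from a recipe line: $(call title,Some text).
# The leading "@" is part of the expansion, so the printf itself is not echoed.
define title
@printf '$(TITLE)$(1)$(RESET)\n'
endef
.DEFAULT_GOAL := all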
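.PHONY: all
all: static-analysis test ## Run all checks (linting, license checks, unit, and acceptance tests)
	@printf '$(SUCCESS)All checks pass!$(RESET)\n'

# The "## description" belongs on the target line, not the .PHONY line: `make help`
# greps for `^<target>:.*## `, so static-analysis was missing from the help listing.
# The Go checks run here; the Python side is delegated to manager/Makefile.
.PHONY: static-analysis
static-analysis: check-go-mod-tidy lint check-licenses ## Run all static analysis checks (linting and license checks)
	cd manager && poetry run $(MAKE) static-analysis

# $(MAKE) rather than a bare `make` so -n/-k and the jobserver propagate to the sub-make
.PHONY: test
test: unit cli ## Run all tests
	cd manager && poetry run $(MAKE) test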
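## Bootstrapping targets #################################
.PHONY: bootstrap
bootstrap: $(TEMP_DIR) bootstrap-go bootstrap-tools bootstrap-python ## Download and install all tooling dependencies (+ prep tooling in the ./.tmp dir)

# Runs the manager's own bootstrap directly (no `poetry run` here, since poetry's
# environment is what that bootstrap sets up).
.PHONY: bootstrap-python
bootstrap-python:
	cd manager && $(MAKE) bootstrap

# Installs pinned tool versions into $(TEMP_DIR).
# NOTE(review): the tool *versions* are pinned, but the three installer scripts below are
# fetched from a moving branch (master/main) and piped straight into sh with no checksum
# or signature check — the script contents can change underneath the pinned version.
# Pinning each URL to a commit (<installer-commit-sha>) or vendoring the scripts under
# .github/scripts/ (as is already done for goreleaser) removes that exposure.
.PHONY: bootstrap-tools
bootstrap-tools: $(TEMP_DIR)
	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMP_DIR)/ $(GOLANGCILINT_VERSION)
	curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b $(TEMP_DIR)/ $(BOUNCER_VERSION)
	curl -sSfL https://raw.githubusercontent.com/anchore/chronicle/main/install.sh | sh -s -- -b $(TEMP_DIR)/ $(CHRONICLE_VERSION)
	.github/scripts/goreleaser-install.sh -b $(TEMP_DIR)/ $(GORELEASER_VERSION)
# `go install pkg@version` resolves through the module proxy / checksum database.
# abspath (not realpath) everywhere: realpath expands to empty for a path that does
# not exist yet, which would silently leave GOBIN unset.
	GOBIN="$(abspath $(TEMP_DIR))" go install github.com/google/go-containerregistry/cmd/crane@$(CRANE_VERSION)
	GOBIN="$(abspath $(TEMP_DIR))" go install github.com/charmbracelet/glow@$(GLOW_VERSION)
	GOBIN="$(abspath $(TEMP_DIR))" go install github.com/rinchsan/gosimports/cmd/gosimports@$(GOSIMPORTS_VERSION)

.PHONY: bootstrap-go
bootstrap-go:
	go mod download

# real directory target; other rules name it as an (order-only) prerequisite
$(TEMP_DIR):
	mkdir -p $@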
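## Static analysis targets #################################
.PHONY: lint
lint: ## Run gofmt + golangci lint checks
	$(call title,Running linters)
# ensure there are no go fmt differences (gofmt runs once; its output is both shown and tested)
	@files="$$(gofmt -l -s .)"; printf "files with gofmt issues: [%s]\n" "$$files"; test -z "$$files"
# run all golangci-lint rules
	$(LINT_CMD)
# gosimports -d prints a diff when import grouping is off; any output fails the build
	@[ -z "$$($(GOIMPORTS_CMD) -d .)" ] || (echo "goimports needs to be fixed" && false)

.PHONY: format
format: ## Auto-format all source code
	$(call title,Running formatters)
	gofmt -w -s .
	$(GOIMPORTS_CMD) -w .
	go mod tidy

.PHONY: lint-fix
lint-fix: format ## Auto-format all source code + run golangci lint fixers
	$(call title,Running lint fixers)
	$(LINT_CMD) --fix

# declared phony (it was not) so a stray file named check-go-mod-tidy cannot mark
# the check "up to date" and skip it
.PHONY: check-go-mod-tidy
check-go-mod-tidy:
	@.github/scripts/go-mod-tidy-check.sh && echo "go.mod and go.sum are tidy!"

# license policy check over the binary's dependency tree; bouncer is installed by bootstrap-tools
.PHONY: check-licenses
check-licenses:
	$(TEMP_DIR)/bouncer check ./cmd/$(BIN)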
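## Testing targets #################################
# order-only $(TEMP_DIR): the coverage profile is written there
.PHONY: unit
unit: | $(TEMP_DIR) ## Run Go unit tests (with coverage)
	$(call title,Running Go unit tests)
# packages under .../test are excluded from the coverage run; coverage.py enforces COVERAGE_THRESHOLD
	GOEXPERIMENT=nocoverageredesign go test -coverprofile $(TEMP_DIR)/unit-coverage-details.txt $$(go list ./... | grep -v anchore/grype-db/test)
	@.github/scripts/coverage.py $(COVERAGE_THRESHOLD) $(TEMP_DIR)/unit-coverage-details.txt

.PHONY: unit-python
unit-python: ## Run Python unit tests (with coverage)
	$(call title,Running Python unit tests)
	cd manager && poetry run $(MAKE) unit

# `schema` comes from the command line (make db-acceptance schema=<n>) and is passed
# to acceptance.sh as $1; what the script does with an empty value is not visible here.
.PHONY: db-acceptance
db-acceptance: ## Run acceptance tests
	$(call title,"Running DB acceptance tests (schema=$(schema))")
	poetry run ./test/db/acceptance.sh $(schema)

.PHONY: cli
cli: cli-go cli-python ## Run all CLI tests

.PHONY: cli-python
cli-python: ## Run python CLI tests
	cd manager && poetry run $(MAKE) cli

# runs the CLI tests against the snapshot binary built by the $(SNAPSHOT_DIR) rule;
# the path is handed to the tests through GRYPE_DB_BINARY_LOCATION
.PHONY: cli-go
cli-go: $(SNAPSHOT_DIR) ## Run go CLI tests
	chmod 755 "$(SNAPSHOT_BIN)"
	"$(SNAPSHOT_BIN)" version
	GRYPE_DB_BINARY_LOCATION='$(SNAPSHOT_BIN)' \
	go test -count=1 -timeout=15m -v ./test/cli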
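## Test-fixture-related targets #################################
# Re-captures the grype JSON fixture and then the acceptance fixtures.
# NOTE(review): anchore/grype:latest is a floating tag re-pulled on every run, so the
# captured fixture drifts with grype releases; pinning to a version (ideally a digest,
# anchore/grype:<version>@sha256:<digest>) makes fixture regeneration reproducible.
# The -t flag allocates a pty, which is presumably why the output arrives CRLF-terminated
# and needs dos2unix; the fixture is written to a temp file first so a failed docker run
# cannot leave a truncated fixture in place.
.PHONY: update-test-fixtures
update-test-fixtures: fixture := publish/test-fixtures/centos-8.2.2004.json
update-test-fixtures:
	docker run \
		--pull always \
		--rm \
		-it \
		anchore/grype:latest \
		-q \
		-o json \
		centos:8.2.2004 > $(fixture).tmp
	dos2unix $(fixture).tmp
	mv -f $(fixture).tmp $(fixture)
	cd test/acceptance && poetry install && poetry run python grype-ingest.py capture-test-fixtures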
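## Data management targets #################################
.PHONY: show-providers
show-providers:
	@# this is used in CI to generate a job matrix, pulling data for each provider concurrently
	@$(GRYPE_DB) list-providers -q -o json

# The per-provider cache targets take `provider=<name>` on the command line and exchange
# $(DB_ARCHIVE) with the registry under today's date tag ($(date)).
# NOTE(review): the pulls address the cache by tag only; tags are mutable and nothing
# here records or checks a digest, so a restored cache is trusted as whatever the
# registry currently serves for that tag.

# fail fast when `provider=` is missing instead of letting oras / grype-db act on a
# malformed "<image>/:<date>" reference or an empty -p argument
.PHONY: check-provider
check-provider:
	@test -n "$(strip $(provider))" || { echo 'provider is not set (use: make <target> provider=<name>)' >&2; exit 1; }

.PHONY: download-provider-cache
download-provider-cache: check-provider
	$(call title,Downloading and restoring todays "$(provider)" provider data cache)
# drop any archive left by an earlier run (same as download-all-provider-cache)
	@rm -f $(DB_ARCHIVE)
# pull and restore are separate steps so a restore failure is not reported as "no cache found"
	@oras pull $(GRYPE_DB_DATA_IMAGE_NAME)/$(provider):$(date) || { echo 'no data cache found for today'; exit 1; }
	@$(GRYPE_DB) cache restore --path $(DB_ARCHIVE)

.PHONY: refresh-provider-cache
refresh-provider-cache: check-provider
	$(call title,Refreshing "$(provider)" provider data cache)
	$(GRYPE_DB) pull -v -p $(provider)

.PHONY: upload-provider-cache
upload-provider-cache: ci-check check-provider
	$(call title,Uploading "$(provider)" existing provider data cache)
	@rm -f $(DB_ARCHIVE)
	$(GRYPE_DB) cache status -p $(provider)
	$(GRYPE_DB) cache backup -v --path $(DB_ARCHIVE) -p $(provider)
	oras push -v $(GRYPE_DB_DATA_IMAGE_NAME)/$(provider):$(date) $(DB_ARCHIVE) --annotation org.opencontainers.image.source=$(SOURCE_REPO_URL)
# re-point `latest` at today's tag so consumers can fetch without knowing the date
	$(TEMP_DIR)/crane tag $(GRYPE_DB_DATA_IMAGE_NAME)/$(provider):$(date) latest

.PHONY: aggregate-all-provider-cache
aggregate-all-provider-cache:
	$(call title,Aggregating all of todays provider data cache)
	.github/scripts/aggregate-all-provider-cache.py

.PHONY: upload-all-provider-cache
upload-all-provider-cache: ci-check
	$(call title,Uploading existing provider data cache)
	@rm -f $(DB_ARCHIVE)
	$(GRYPE_DB) cache status
	$(GRYPE_DB) cache backup -v --path $(DB_ARCHIVE)
	oras push -v $(GRYPE_DB_DATA_IMAGE_NAME):$(date) $(DB_ARCHIVE) --annotation org.opencontainers.image.source=$(SOURCE_REPO_URL)
	$(TEMP_DIR)/crane tag $(GRYPE_DB_DATA_IMAGE_NAME):$(date) latest

.PHONY: download-all-provider-cache
download-all-provider-cache:
	$(call title,Downloading and restoring all of todays provider data cache)
	@rm -f $(DB_ARCHIVE)
	@oras pull $(GRYPE_DB_DATA_IMAGE_NAME):$(date) || { echo 'no data cache found for today'; exit 1; }
	@$(GRYPE_DB) cache restore --path $(DB_ARCHIVE)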
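## Code and data generation targets #################################
.PHONY: generate-processor-code
generate-processor-code:
	go generate ./pkg/process
# $(MAKE), not a bare `make`, so -n/-k and the jobserver propagate to the sub-make
	$(MAKE) format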
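## Build-related targets #################################
.PHONY: build
build: $(SNAPSHOT_DIR) ## Build release snapshot binaries and packages

# $(SNAPSHOT_DIR) is a real directory target with no source prerequisites: once it exists
# it counts as up to date, so `make clean-snapshot` (or clean) is needed before a rebuild
# picks up new code. Order-only $(TEMP_DIR) because the goreleaser config is written there.
# NOTE(review): this rule and ci-release share the fixed scratch file
# $(TEMP_DIR)/goreleaser.yaml — do not run the two concurrently.
$(SNAPSHOT_DIR): | $(TEMP_DIR) ## Build snapshot release binaries and packages
	$(call title,Building snapshot artifacts)
# create a config with the dist dir overridden
	echo "dist: $(SNAPSHOT_DIR)" > $(TEMP_DIR)/goreleaser.yaml
	cat .goreleaser.yaml >> $(TEMP_DIR)/goreleaser.yaml
# build release snapshots
	$(SNAPSHOT_CMD) --config $(TEMP_DIR)/goreleaser.yaml

.PHONY: changelog
changelog: clean-changelog ## Generate and show the changelog for the current unreleased version
	$(CHRONICLE_CMD) -vvv -n --version-file VERSION > $(CHANGELOG)
	@$(GLOW_CMD) $(CHANGELOG)

# File target consumed by ci-release. It has no prerequisites, so it is only regenerated
# when the file is absent (clean-changelog removes it).
$(CHANGELOG):
	$(CHRONICLE_CMD) -vvv > $@

.PHONY: release
release:
	@.github/scripts/trigger-release.sh

# ci-release itself was never declared phony (the line above it repeated `.PHONY: release`),
# so a file named ci-release would have silently skipped the release.
# NOTE(review): clean-dist (which deletes $(CHANGELOG)) and $(CHANGELOG) are sibling
# prerequisites; their relative order is only guaranteed for a serial `make`.
.PHONY: ci-release
ci-release: ci-check clean-dist $(CHANGELOG) | $(TEMP_DIR) ## Build and publish final binaries and packages. Intended to be run only on macOS.
	$(call title,Publishing release artifacts)
# create a config with the dist dir overridden
	echo "dist: $(DIST_DIR)" > $(TEMP_DIR)/goreleaser.yaml
	cat .goreleaser.yaml >> $(TEMP_DIR)/goreleaser.yaml
# bash -c for the <(...) process substitution used to feed the release notes
	bash -c "$(RELEASE_CMD) --config $(TEMP_DIR)/goreleaser.yaml --release-notes <(cat $(CHANGELOG))"

# guard used by the publishing targets; the script decides whether this is a CI environment
.PHONY: ci-check
ci-check:
	@.github/scripts/ci-check.sh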
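## Cleanup targets #################################
.PHONY: clean
clean: clean-dist clean-snapshot clean-changelog ## Remove previous builds and result reports
	$(call safe_rm_rf_children,$(RESULTS_DIR))

# VERSION is the version file written for `make changelog`, not the VERSION make variable
.PHONY: clean-changelog
clean-changelog:
	rm -f $(CHANGELOG) VERSION

.PHONY: clear-test-cache
clear-test-cache:
# -path is the POSIX spelling; -wholename is a GNU alias that other finds may lack
	find . -type f -path "*/test-fixtures/tar-cache/*.tar" -delete

# removes the artifacts of a local DB build from the working directory
.PHONY: clean-db
clean-db:
	rm -rf build/
	rm -f metadata.json listing.json vulnerability-db*.tar.gz vulnerability.db

# both dist and snapshot builds write the same scratch goreleaser config, so each clean removes it
.PHONY: clean-dist
clean-dist: clean-changelog
	$(call safe_rm_rf,$(DIST_DIR))
	rm -f $(TEMP_DIR)/goreleaser.yaml

.PHONY: clean-snapshot
clean-snapshot:
	$(call safe_rm_rf,$(SNAPSHOT_DIR))
	rm -f $(TEMP_DIR)/goreleaser.yaml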
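## Halp! #################################
# Lists every target whose rule line carries a "## description" (help itself included now).
# `$$` passes a literal $ to the shell for both the grep anchor and the awk fields.
.PHONY: help
help: ## Show this help
	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "$(BOLD)$(CYAN)%-25s$(RESET)%s\n", $$1, $$2}'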