Import syft as a library (#2)

Author: wagoodman

.bouncer.yaml

@@ -4,4 +4,19 @@ permit:
   - Apache.*
   - MPL.*
   - ISC
+ignore-packages:
+  # packageurl-go is released under the MIT license located in the root of the repo at /mit.LICENSE
+  - github.com/anchore/packageurl-go
 
+  # from: https://github.com/spdx/tools-golang/blob/main/LICENSE.code
+  # The tools-golang source code is provided and may be used, at your option,
+  # under either:
+  # * Apache License, version 2.0 (Apache-2.0), OR
+  # * GNU General Public License, version 2.0 or later (GPL-2.0-or-later).
+  # (we choose Apache-2.0)
+  - github.com/spdx/tools-golang
+
+  # from: https://github.com/xi2/xz/blob/master/LICENSE
+  # All these files have been put into the public domain.
+  # You can do whatever you want with these files.
+  - github.com/xi2/xz

.gitattributes

@@ -0,0 +1,5 @@
+**/test-fixtures/**/*.jpi filter=lfs diff=lfs merge=lfs -text
+**/test-fixtures/**/*.hpi filter=lfs diff=lfs merge=lfs -text
+**/test-fixtures/**/*.jar filter=lfs diff=lfs merge=lfs -text
+**/test-fixtures/**/*.war filter=lfs diff=lfs merge=lfs -text
+**/test-fixtures/**/*.ear filter=lfs diff=lfs merge=lfs -text

.github/scripts/go-mod-tidy-check.sh

@@ -4,14 +4,14 @@ set -eu
 ORIGINAL_STATE_DIR=$(mktemp -d "TEMP-original-state-XXXXXXXXX")
 TIDY_STATE_DIR=$(mktemp -d "TEMP-tidy-state-XXXXXXXXX")
 
-trap "cp -v ${ORIGINAL_STATE_DIR}/* ./ && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT
+trap "cp ${ORIGINAL_STATE_DIR}/* ./ && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT
 
 echo "Capturing original state of files..."
-cp -v go.mod go.sum "${ORIGINAL_STATE_DIR}"
+cp go.mod go.sum "${ORIGINAL_STATE_DIR}"
 
 echo "Capturing state of go.mod and go.sum after running go mod tidy..."
 go mod tidy
-cp -v go.mod go.sum "${TIDY_STATE_DIR}"
+cp go.mod go.sum "${TIDY_STATE_DIR}"
 echo ""
 
 set +e

.github/scripts/syft-released-version-check.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env sh
+
+SYFT_LINE=$(cat go.mod | grep github.com/anchore/syft)
+
+if [ "$(echo $SYFT_LINE | grep  -o '-' | wc -l)" -gt "1" ]; then
+   echo "syft version is not a released version! $SYFT_LINE"
+   exit 1
+else
+  echo 'syft version is a released version!'
+fi

.github/workflows/release.yaml

@@ -61,13 +61,23 @@ jobs:
           checkName: "Acceptance tests (Mac)"
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
+      - name: Check cli test results (linux)
+        uses: fountainhead/action-wait-for-check@v1.0.0
+        id: cli-linux
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
+          checkName: "CLI tests (Linux)"
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
       - name: Quality gate
-        if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
+        if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'  || steps.cli-linux.outputs.conclusion != 'success'
         run: |
           echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}"
           echo "Unit Test Status: ${{ steps.unit.outputs.conclusion }}"
           echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}"
           echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}"
+          echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}"
           false
 
   release:
@@ -109,19 +119,10 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: anchore/sbom-action@v0
+        continue-on-error: true
         with:
           artifact-name: sbom.spdx.json
 
-# TODO
-#      - uses: 8398a7/action-slack@v3
-#        with:
-#          status: ${{ job.status }}
-#          fields: repo,workflow,action,eventName
-#          text: "A new docker-sbom-cli-plugin release is ready to be manually published: https://github.com/anchore/docker-sbom-cli-plugin/releases"
-#        env:
-#          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
-#        if: ${{ success() }}
-
       - uses: actions/upload-artifact@v2
         with:
           name: artifacts

.github/workflows/validations.yaml

@@ -2,6 +2,8 @@ name: "Validations"
 on:
   workflow_dispatch:
   push:
+    branches:
+      - main
   pull_request:
 
 env:
@@ -43,6 +45,15 @@ jobs:
       - name: Run static analysis
         run: make static-analysis
 
+      # allow for PRs to skip validating the syft version to allow for incremental updates of syft before release.
+      # In this way checks against the main branch (which are required for release) will fail, but PR checks will not
+      - name: Ensure syft version is a release version
+        run: |
+          echo "GitHub reference: ${GITHUB_REF##*/}"
+          git fetch origin main
+          git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && make validate-syft-release-version || echo "skipping syft version check"
+
+
   Unit-Test:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Unit tests"
@@ -174,5 +185,60 @@ jobs:
           brew install docker
           mkdir ~/.docker
 
-      - name: Run install.sh tests (Mac)
-        run: make install-test-ci-mac
+# TODO: put back in after the first release
+#      - name: Run install.sh tests (Mac)
+#        run: make install-test-ci-mac
+
+  Cli-Linux:
+    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
+    name: "CLI tests (Linux)"
+    needs: [Build-Snapshot-Artifacts]
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - uses: actions/checkout@v2
+        with:
+          # this downloads and initializes LFS, but does not pull the objects
+          lfs: true
+          # we need to jump between multiple branches to compare compute a diff, which means we need a deeper clone depth
+          fetch-depth: 0
+
+      - name: Restore go cache
+        id: go-cache
+        uses: actions/cache@v2.1.3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-${{ env.GO_VERSION }}-
+
+      - name: Restore tool cache
+        id: tool-cache
+        uses: actions/cache@v2.1.3
+        with:
+          path: ${{ github.workspace }}/.tmp
+          key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
+
+      - name: (cache-miss) Bootstrap all project dependencies
+        if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
+        run: make bootstrap
+
+      - name: Build key for tar cache
+        run: make cli-fingerprint
+
+      - name: Restore CLI test cache
+        uses: actions/cache@v2.1.3
+        with:
+          path: ${{ github.workspace }}/test/cli/test-fixtures/cache
+          key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/test-fixtures/cache.fingerprint') }}
+
+      - uses: actions/download-artifact@v2
+        with:
+          name: artifacts
+          path: snapshot
+
+      - name: Run CLI Tests (Linux)
+        run: make cli

.gitignore

@@ -7,17 +7,14 @@ CHANGELOG.md
 .history/
 *.fingerprint
 *.tar
-*.jar
-*.war
-*.ear
-*.jpi
-*.hpi
 *.zip
 .idea/
 *.log
 .images
 .tmp/
 coverage.txt
+bin/
+**/test-fixtures/cache/*
 
 # Binaries for programs and plugins
 *.exe

.goreleaser.yaml

@@ -19,10 +19,10 @@ builds:
       -w
       -s
       -extldflags '-static'
-      -X github.com/anchore/docker-sbom-cli-plugin/internal.version={{.Version}}
-      -X github.com/anchore/docker-sbom-cli-plugin/internal.gitCommit={{.Commit}}
-      -X github.com/anchore/docker-sbom-cli-plugin/internal.buildDate={{.Date}}
-      -X github.com/anchore/docker-sbom-cli-plugin/internal.gitDescription={{.Summary}}
+      -X github.com/anchore/docker-sbom-cli-plugin/internal/version.version={{.Version}}
+      -X github.com/anchore/docker-sbom-cli-plugin/internal/version.gitCommit={{.Commit}}
+      -X github.com/anchore/docker-sbom-cli-plugin/internal/version.buildDate={{.Date}}
+      -X github.com/anchore/docker-sbom-cli-plugin/internal/version.gitDescription={{.Summary}}
 
 archives:
   - format: tar.gz

.syft.yaml

@@ -0,0 +1,3 @@
+exclude:
+  - '**/test-fixtures/*'
+  - './.git'

DEVELOPING.md

@@ -0,0 +1,32 @@
+# Developing
+
+## Getting started
+
+In order to test and develop in this repo you will need the following dependencies installed:
+- docker
+- make
+- git-lfs 
+
+After cloning you will need to do the following:
+1. run `git lfs install && git lfs pull` to grab the latest test assets in LFS 
+2. run `make bootstrap` to download go mod dependencies, create the `/.tmp` dir, and download helper utilities.
+3. run `make` to run linting, tests, and other verifications to make certain everything is working alright.
+
+## Running tests
+
+The main make tasks for common static analysis and testing are:
+
+- `static-analysis`: runs the linter and license checks
+- `lint-fix`: let the linter auto-fix as many issues as it can
+- `unit`: plain-ol'e unit tests
+- `cli`: run trait assertions against snapshot builds
+
+Checkout `make help` to see what other actions you can take.
+
+## Testing with Docker
+
+To create a snapshot and install into the local ` ~/.docker/cli-plugins` directory:
+
+```
+make clean-snapshot snapshot install-snapshot
+```