Add grype scan, SBOM and improve labeling (#218)

Signed-off-by: Marikkannu, Suresh <suresh.marikkannu@intel.com>

Author: sureshmarikkannu

.github/dependabot.yml

@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2024 Intel Corporation
 
+# Timeline for each ecosystem is intentionally staggered to spread
+# Dependabot PRs over the week.
 version: 2
 updates:
 
@@ -16,15 +18,15 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-      day: "sunday"
+      day: "thursday"
       time: "21:00"
       timezone: "America/Los_Angeles"
 
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: "weekly"
-      day: "sunday"
+      day: "tuesday"
       time: "21:00"
       timezone: "America/Los_Angeles"
     groups:

.github/workflows/push.yml

@@ -59,3 +59,27 @@ jobs:
       release_branch: ${{ needs.tag-github.outputs.release_branch }}
       version_branch: ${{ needs.tag-github.outputs.version_branch }}
     secrets: inherit
+
+  sbom-source:
+    needs: tag-github
+    permissions:
+      contents: read
+      actions: read
+    uses: omec-project/.github/.github/workflows/sbom-source.yml@d2c362a98ad0cb4911ea762e25109f71f2301d9e # v0.0.12
+    with:
+      changed: ${{ needs.tag-github.outputs.changed }}
+      branch_name: ${{ github.ref }}
+      artifact_name: ${{ github.event.repository.name }}-${{ needs.tag-github.outputs.version }}.spdx.json
+      sbom_format: spdx-json
+      path: .
+
+  grype-scan:
+    needs: [tag-github, sbom-source]
+    permissions:
+      contents: read
+      actions: read
+      security-events: write # Required for SARIF upload to Code Scanning
+    uses: omec-project/.github/.github/workflows/grype-scan.yml@d2c362a98ad0cb4911ea762e25109f71f2301d9e # v0.0.12
+    with:
+      changed: ${{ needs.tag-github.outputs.changed }}
+      artifact_name: ${{ github.event.repository.name }}-${{ needs.tag-github.outputs.version }}.spdx.json

Dockerfile

@@ -11,9 +11,23 @@ RUN make all
 
 FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 AS metricfunc
 
-LABEL maintainer="Aether SD-Core <dev@lists.aetherproject.org>" \
-    description="Aether open source 5G Core Network" \
-    version="Stage 3"
+# Build arguments for dynamic labels
+ARG VERSION=dev
+ARG VCS_URL=unknown
+ARG VCS_REF=unknown
+ARG BUILD_DATE=unknown
+
+LABEL org.opencontainers.image.source="${VCS_URL}" \
+    org.opencontainers.image.version="${VERSION}" \
+    org.opencontainers.image.created="${BUILD_DATE}" \
+    org.opencontainers.image.revision="${VCS_REF}" \
+    org.opencontainers.image.url="${VCS_URL}" \
+    org.opencontainers.image.title="metricfunc" \
+    org.opencontainers.image.description="Aether 5G Core METRICFUNC Network Function" \
+    org.opencontainers.image.authors="Aether SD-Core <dev@lists.aetherproject.org>" \
+    org.opencontainers.image.vendor="Aether Project" \
+    org.opencontainers.image.licenses="Apache-2.0" \
+    org.opencontainers.image.documentation="https://docs.sd-core.aetherproject.org/"
 
 ARG DEBUG_TOOLS
 

Makefile

@@ -2,103 +2,191 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+#
 
 PROJECT_NAME             := metricfunc
-DOCKER_VERSION           ?= $(shell cat ./VERSION)
+VERSION                  ?= $(shell cat ./VERSION 2>/dev/null || echo "dev")
+
+# Extract minimum Go version from go.mod file
+GOLANG_MINIMUM_VERSION   ?= $(shell awk '/^go / {print $$2}' go.mod 2>/dev/null || echo "1.25")
+
+# Number of processors for parallel builds (Linux only)
+NPROCS                   := $(shell nproc)
 
-## Docker related
+## Docker configuration
 DOCKER_REGISTRY          ?=
 DOCKER_REPOSITORY        ?=
-DOCKER_TAG               ?= ${DOCKER_VERSION}
-DOCKER_IMAGENAME         := ${DOCKER_REGISTRY}${DOCKER_REPOSITORY}${PROJECT_NAME}:${DOCKER_TAG}
+DOCKER_TAG               ?= $(VERSION)
+DOCKER_IMAGE_PREFIX      ?= 5gc-
+DOCKER_IMAGENAME         := $(DOCKER_REGISTRY)$(DOCKER_REPOSITORY)$(DOCKER_IMAGE_PREFIX)$(PROJECT_NAME):$(DOCKER_TAG)
 DOCKER_BUILDKIT          ?= 1
-DOCKER_BUILD_ARGS        ?=
-
-## Docker labels. Only set ref and commit date if committed
-DOCKER_LABEL_VCS_URL     ?= $(shell git remote get-url $(shell git remote))
-DOCKER_LABEL_VCS_REF     ?= $(shell git diff-index --quiet HEAD -- && git rev-parse HEAD || echo "unknown")
-DOCKER_LABEL_COMMIT_DATE ?= $(shell git diff-index --quiet HEAD -- && git show -s --format=%cd --date=iso-strict HEAD || echo "unknown" )
+DOCKER_BUILD_ARGS        ?= --build-arg MAKEFLAGS=-j$(NPROCS)
+DOCKER_PULL              ?= --pull
+
+## Docker labels with better error handling
+DOCKER_LABEL_VCS_URL     ?= $(shell git remote get-url origin 2>/dev/null || echo "unknown")
+DOCKER_LABEL_VCS_REF     ?= $(shell \
+	echo "$${GIT_COMMIT:-$${GITHUB_SHA:-$${CI_COMMIT_SHA:-$(shell \
+		if git rev-parse --git-dir > /dev/null 2>&1; then \
+			git rev-parse HEAD 2>/dev/null; \
+		else \
+			echo "unknown"; \
+		fi \
+	)}}}")
 DOCKER_LABEL_BUILD_DATE  ?= $(shell date -u "+%Y-%m-%dT%H:%M:%SZ")
 
-DOCKER_TARGETS           ?= metricfunc
-
-GO_BIN_PATH = bin
-GO_SRC_PATH = ./
-C_BUILD_PATH = build
-ROOT_PATH = $(shell pwd)
+## Build configuration
+BINARY_NAME              := $(PROJECT_NAME)
+GO_PACKAGES              ?= ./...
 
-NF = $(GO_NF)
-GO_NF = metricfunc
+## Directory configuration
+BIN_DIR                  := bin
+COVERAGE_DIR             := .coverage
 
-NF_GO_FILES = $(shell find $(GO_SRC_PATH)/$(%) -name "*.go" ! -name "*_test.go")
+## Go build configuration
+GO_FILES                 := $(shell find . -name "*.go" ! -name "*_test.go" 2>/dev/null)
+GO_FILES_ALL             := $(shell find . -name "*.go" 2>/dev/null)
 
-VERSION = $(shell git describe --tags)
-BUILD_TIME = $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
-COMMIT_HASH = $(shell git submodule status | grep $(GO_SRC_PATH)/$(@F) | awk '{print $$(1)}' | cut -c1-8)
-COMMIT_TIME = $(shell cd $(GO_SRC_PATH) && git log --pretty="%ai" -1 | awk '{time=$$(1)"T"$$(2)"Z"; print time}')
+## Tool versions (for reproducible builds)
+GOLANGCI_LINT_VERSION    ?= latest
 
-.PHONY: $(NF) clean docker-build docker-push
+# Default target
+.DEFAULT_GOAL := help
 
-.DEFAULT_GOAL: nfs
+## Help target
+help: ## Show this help message
+	@echo "Available targets:"
+	@awk 'BEGIN {FS = ":.*##"} /^[a-zA-Z_-]+:.*##/ { printf "  %-20s %s\n", $$1, $$2 }' $(MAKEFILE_LIST) | sort
 
-nfs: $(NF)
+## Build targets
+build: $(BIN_DIR)/$(BINARY_NAME) ## Build binary
 
-all: $(NF)
+all: build ## Build binary (alias for compatibility)
 
-$(GO_NF): % : $(GO_BIN_PATH)/%
+$(BIN_DIR)/$(BINARY_NAME): $(GO_FILES) | bin-dir
+	@echo "Building $(BINARY_NAME)..."
+	@CGO_ENABLED=0 go build -o $@ .
 
-$(GO_BIN_PATH)/%: %.go $(NF_GO_FILES)
-# $(@F): The file-within-directory part of the file name of the target.
-	@echo "Start building $(@F)...."
-	cd $(GO_SRC_PATH)/ && \
-	CGO_ENABLED=0 go build -o $(ROOT_PATH)/$@ $(@F).go
+bin-dir: ## Create binary directory
+	@mkdir -p $(BIN_DIR)
 
-vpath %.go $(addprefix $(GO_SRC_PATH)/, $(GO_NF))
-
-clean:
-	rm -rf $(addprefix $(GO_BIN_PATH)/, $(GO_NF))
-	rm -rf $(addprefix $(GO_SRC_PATH)/, $(addsuffix /$(C_BUILD_PATH), $(C_NF)))
-
-docker-build:
+## Docker targets
+docker-build: ## Build Docker image
+	@echo "Building Docker image: $(DOCKER_IMAGENAME)"
 	@go mod vendor
-	for target in $(DOCKER_TARGETS); do \
-		DOCKER_BUILDKIT=$(DOCKER_BUILDKIT) docker build $(DOCKER_BUILD_ARGS) \
-			--target $$target \
-			--tag ${DOCKER_REGISTRY}${DOCKER_REPOSITORY}$$target:${DOCKER_TAG} \
-			--build-arg org_label_schema_version="${DOCKER_VERSION}" \
-			--build-arg org_label_schema_vcs_url="${DOCKER_LABEL_VCS_URL}" \
-			--build-arg org_label_schema_vcs_ref="${DOCKER_LABEL_VCS_REF}" \
-			--build-arg org_label_schema_build_date="${DOCKER_LABEL_BUILD_DATE}" \
-			--build-arg org_opencord_vcs_commit_date="${DOCKER_LABEL_COMMIT_DATE}" \
-			. \
-			|| exit 1; \
-	done
-	rm -rf vendor
-
-docker-push:
-	for target in $(DOCKER_TARGETS); do \
-		docker push ${DOCKER_REGISTRY}${DOCKER_REPOSITORY}$$target:${DOCKER_TAG}; \
-	done
-
-.coverage:
-	rm -rf $(CURDIR)/.coverage
-	mkdir -p $(CURDIR)/.coverage
-
-test: .coverage
-	docker run --rm -v $(CURDIR):/metricfunc -w /metricfunc golang:latest \
+	@DOCKER_BUILDKIT=$(DOCKER_BUILDKIT) docker build $(DOCKER_PULL) $(DOCKER_BUILD_ARGS) \
+		--build-arg VERSION="$(VERSION)" \
+		--build-arg VCS_URL="$(DOCKER_LABEL_VCS_URL)" \
+		--build-arg VCS_REF="$(DOCKER_LABEL_VCS_REF)" \
+		--build-arg BUILD_DATE="$(DOCKER_LABEL_BUILD_DATE)" \
+		--tag $(DOCKER_IMAGENAME) \
+		. \
+		|| exit 1
+	@rm -rf vendor
+
+docker-push: ## Push Docker image to registry
+	@echo "Pushing Docker image: $(DOCKER_IMAGENAME)"
+	@docker push $(DOCKER_IMAGENAME)
+
+docker-clean: ## Remove local Docker image
+	@echo "Cleaning local Docker image..."
+	@docker rmi $(DOCKER_IMAGENAME) 2>/dev/null || true
+
+## Testing targets
+$(COVERAGE_DIR): ## Create coverage directory
+	@mkdir -p $(COVERAGE_DIR)
+
+test: $(COVERAGE_DIR) ## Run unit tests with coverage
+	@echo "Running unit tests..."
+	@docker run --rm \
+		-v $(CURDIR):/$(PROJECT_NAME) \
+		-w /$(PROJECT_NAME) \
+		golang:$(GOLANG_MINIMUM_VERSION) \
 		go test \
 			-race \
 			-failfast \
-			-coverprofile=.coverage/coverage-unit.txt \
+			-coverprofile=$(COVERAGE_DIR)/coverage-unit.txt \
 			-covermode=atomic \
 			-v \
-			./ ./...
-
-fmt:
+			$(GO_PACKAGES)
+
+test-local: $(COVERAGE_DIR) ## Run unit tests locally (without Docker)
+	@echo "Running unit tests locally..."
+	@go test \
+		-race \
+		-failfast \
+		-coverprofile=$(COVERAGE_DIR)/coverage-unit.txt \
+		-covermode=atomic \
+		-v \
+		$(GO_PACKAGES)
+
+## Code quality targets
+fmt: ## Format Go code
+	@echo "Formatting Go code..."
 	@go fmt ./...
 
-golint:
-	@docker run --rm -v $(CURDIR):/app -w /app golangci/golangci-lint:latest golangci-lint run -v --config /app/.golangci.yml
-
-check-reuse:
-	@docker run --rm -v $(CURDIR):/metricfunc -w /metricfunc omecproject/reuse-verify:latest reuse lint
+lint: ## Run linter
+	@echo "Running linter..."
+	@docker run --rm \
+		-v $(CURDIR):/app \
+		-w /app \
+		golangci/golangci-lint:$(GOLANGCI_LINT_VERSION) \
+		golangci-lint run -v --config /app/.golangci.yml
+
+lint-local: ## Run linter locally (without Docker)
+	@echo "Running linter locally..."
+	@golangci-lint run -v --config .golangci.yml
+
+check-reuse: ## Check REUSE compliance
+	@echo "Checking REUSE compliance..."
+	@docker run --rm \
+		-v $(CURDIR):/$(PROJECT_NAME) \
+		-w /$(PROJECT_NAME) \
+		omecproject/reuse-verify:latest \
+		reuse lint
+
+check: fmt lint check-reuse ## Run all code quality checks
+
+## Utility targets
+clean: ## Clean build artifacts
+	@echo "Cleaning build artifacts..."
+	@rm -rf $(BIN_DIR)
+	@rm -rf $(COVERAGE_DIR)
+	@rm -rf vendor
+	@docker system prune -f --filter label=org.opencontainers.image.source="https://github.com/omec-project/$(PROJECT_NAME)" 2>/dev/null || true
+
+print-version: ## Print current version
+	@echo $(VERSION)
+
+env: ## Print environment variables
+	@echo "PROJECT_NAME=$(PROJECT_NAME)"
+	@echo "VERSION=$(VERSION)"
+	@echo "GOLANG_MINIMUM_VERSION=$(GOLANG_MINIMUM_VERSION)"
+	@echo "BINARY_NAME=$(BINARY_NAME)"
+	@echo "DOCKER_REGISTRY=$(DOCKER_REGISTRY)"
+	@echo "DOCKER_REPOSITORY=$(DOCKER_REPOSITORY)"
+	@echo "DOCKER_IMAGE_PREFIX=$(DOCKER_IMAGE_PREFIX)"
+	@echo "DOCKER_TAG=$(DOCKER_TAG)"
+	@echo "DOCKER_IMAGENAME=$(DOCKER_IMAGENAME)"
+	@echo "DOCKER_LABEL_VCS_URL=$(DOCKER_LABEL_VCS_URL)"
+	@echo "DOCKER_LABEL_VCS_REF=$(DOCKER_LABEL_VCS_REF)"
+	@echo "NPROCS=$(NPROCS)"
+
+## Phony targets
+.PHONY: all \
+        bin-dir \
+        build \
+        check \
+        check-reuse \
+        clean \
+        docker-build \
+        docker-clean \
+        docker-push \
+        env \
+        fmt \
+        help \
+        lint \
+        lint-local \
+        print-version \
+        test \
+        test-local

VERSION

@@ -1 +1 @@
-1.7.1-dev
+1.8.0