chainguard-dev / terraform-provider-apko

https://registry.terraform.io/providers/chainguard-dev/apko/latest
Mozilla Public License 2.0

We have no way to do what `--vcs` does (by default) for `apko` #71

Open mattmoor opened 1 year ago

mattmoor commented 1 year ago

We would have to pass `build.WithVCS(true)` IIRC

jonjohnsonjr commented 1 year ago

This seems to cause issues with the generated SBOMs.

Before switching to tf:

```json
{
  "name": "github.com/chainguard-images/images",
  "SPDXID": "SPDXRef-Package-https-C47C47github.comC47chainguard-imagesC47imagesC64ad94fb0ae70dacf9f14e3818bcb355629a6f39ed",
  "checksums": [
    {
      "algorithm": "SHA1",
      "checksumValue": "ad94fb0ae70dacf9f14e3818bcb355629a6f39ed"
    }
  ],
  "description": "Image configuration source",
  "downloadLocation": "https://github.com/chainguard-images/images@ad94fb0ae70dacf9f14e3818bcb355629a6f39ed",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceLocator": "pkg:github/chainguard-images/images@ad94fb0ae70dacf9f14e3818bcb355629a6f39ed",
      "referenceType": "purl"
    }
  ],
  "filesAnalyzed": false,
  "primaryPackagePurpose": "SOURCE",
  "versionInfo": "ad94fb0ae70dacf9f14e3818bcb355629a6f39ed"
}
```

After:

```json
{
  "name": "sha256:2cc6b7501e27c83fc0a743383308120786b15fd097b0a46eec748fd66ca4c589",
  "SPDXID": "SPDXRef-Package-sha256-2cc6b7501e27c83fc0a743383308120786b15fd097b0a46eec748fd66ca4c589",
  "checksums": [
    {
      "algorithm": "SHA256",
      "checksumValue": "2cc6b7501e27c83fc0a743383308120786b15fd097b0a46eec748fd66ca4c589"
    }
  ],
  "downloadLocation": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceLocator": "pkg:oci/image@sha256:2cc6b7501e27c83fc0a743383308120786b15fd097b0a46eec748fd66ca4c589?arch=arm64&mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson&os=linux",
      "referenceType": "purl"
    }
  ],
  "filesAnalyzed": false,
  "primaryPackagePurpose": "CONTAINER"
},
{
  "name": "",
  "SPDXID": "SPDXRef-Package-",
  "description": "Image configuration source",
  "filesAnalyzed": false,
  "primaryPackagePurpose": "SOURCE"
}
```

We do include the image config as a separate attestation now... I wonder if that's sufficient or if we should do something better here? Drop it in apko if we don't have vcs? Or inline the config?
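As an added example, not code from apko or the provider, here is a small consumer-side check that catches the regression shown in the two SBOM excerpts above: it walks an SPDX document's `packages` and flags any `SOURCE` package whose VCS provenance is missing (empty name, no checksum, or a `NOASSERTION` download location). The type names and the trimmed sample document are constructed for this example.

```go
package main
import (
	"encoding/json"
	"fmt"
)
// Just the SPDX 2.x fields this check needs (our own types, not apko's).
// encoding/json matches keys case-insensitively, so no struct tags are needed.
type spdxPackage struct {
	Name, SPDXID, DownloadLocation, PrimaryPackagePurpose string
	Checksums                                            []struct{ Algorithm, ChecksumValue string }
}
type spdxDoc struct{ Packages []spdxPackage }
// CheckSourcePackages returns one finding per SOURCE package whose VCS provenance
// is missing (empty name, no checksum, or no usable downloadLocation), which is
// exactly the shape of the "After" entry quoted above.
func CheckSourcePackages(sbom []byte) ([]string, error) {
	var doc spdxDoc
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, err
	}
	var findings []string
	for i, p := range doc.Packages {
		if p.PrimaryPackagePurpose != "SOURCE" {
			continue
		}
		switch {
		case p.Name == "":
			findings = append(findings, fmt.Sprintf("packages[%d]: SOURCE package has empty name", i))
		case len(p.Checksums) == 0:
			findings = append(findings, fmt.Sprintf("packages[%d] %s: no checksum for the source revision", i, p.Name))
		case p.DownloadLocation == "" || p.DownloadLocation == "NOASSERTION":
			findings = append(findings, fmt.Sprintf("packages[%d] %s: downloadLocation is %q", i, p.Name, p.DownloadLocation))
		}
	}
	return findings, nil
}
// Constructed sample: a trimmed copy of the two SOURCE entries quoted in this issue.
const sampleSBOM = `{"packages": [
 {"name": "github.com/chainguard-images/images", "SPDXID": "SPDXRef-Package-images",
  "checksums": [{"algorithm": "SHA1", "checksumValue": "ad94fb0ae70dacf9f14e3818bcb355629a6f39ed"}],
  "downloadLocation": "https://github.com/chainguard-images/images@ad94fb0ae70dacf9f14e3818bcb355629a6f39ed",
  "primaryPackagePurpose": "SOURCE"},
 {"name": "", "SPDXID": "SPDXRef-Package-", "primaryPackagePurpose": "SOURCE"}]}`
func main() {
	findings, err := CheckSourcePackages([]byte(sampleSBOM))
	if err != nil { panic(err) }
	fmt.Println(findings) // [packages[1]: SOURCE package has empty name]
}
```

Wiring this into the pipeline that consumes the provider's SBOM output gives an early signal that the image config source was not recorded, rather than discovering the empty `SPDXRef-Package-` entry downstream.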