google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.03k stars 337 forks

Implement other ways of installation #55

Open jwillker opened 1 year ago

jwillker commented 1 year ago

The project has a high chance of gaining a lot of adoption. To help with adoption, the project could provide other ways to install besides go install or downloading binaries. This facilitates the use of osv-scanner on different machines, servers, CI/CD, etc.

My proposal is that the project could have the following:

All this can be done using the goreleaser. I can help with PRs if these features make sense!

andrewpollock commented 1 year ago

My initial thoughts on curl | bash are coloured by my past history with things like:

and as such, given the space we're operating in, I'd prefer for OSV Scanner to have a very solid supply chain security story.

I totally agree with the spirit of this issue though. As a Debian Developer, I'd like to see it packaged for Debian :-)

another-rex commented 1 year ago

I am not very familiar with goreleaser so any help would be appreciated, +1 on being cautious with curl | bash though.

I think the first step is producing a docker image, which can also be used when making the CI/CD action.

koenhendriks commented 1 year ago

I did try to build a docker image from the current Dockerfile in the repo, but I don't seem to be able to run the osv-scanner with arguments.

When trying to scan a directory: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app -r /app

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

And when trying to run with --lockfile I get the same: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app --lockfile=/app/composer.lock

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

Running it from go locally works fine.

jwillker commented 1 year ago

I did try to build a docker image from the current Dockerfile in the repo, but I don't seem to be able to run the osv-scanner with arguments.

When trying to scan a directory: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app -r /app

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

And when trying to run with --lockfile I get the same: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app --lockfile=/app/composer.lock

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

Running it from go locally works fine.

@koenhendriks The problem here is that you are passing -v to osv-scanner. I think you want to use docker -v to pass a volume; the order matters.

Maybe you should do: docker run --rm -v ${PWD}:/app koenhendriks/osv-scanner -r /app
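The ordering point above (docker options first, then the image, then the scanner's own arguments) as a small wrapper script. This is an added example, not code from the osv-scanner project or from anyone in this thread; the image name `koenhendriks/osv-scanner` and the `/app` mount point are taken from the commands in the thread and are assumptions for illustration, and `osv_resolve`, `osv_scan`, `HOST_DIR` and `SCANNER_ARGS` are names invented here. The volume is mounted read-only, since the scanner only needs to read manifests and lockfiles.

```shell
#!/bin/sh
# Added example (not osv-scanner project code): assemble a correctly ordered
# `docker run` line for scanning a directory or a single lockfile.
# Assumptions: image name and /app mount point are illustrative, not published values.

OSV_IMAGE="${OSV_IMAGE:-koenhendriks/osv-scanner}"

# abs_path DIR: print the absolute path of an existing directory, fail otherwise.
abs_path() {
  (cd "$1" 2>/dev/null && pwd) || return 1
}

# osv_resolve MODE TARGET
#   MODE "dir":      TARGET is a directory to scan recursively.
#   MODE "lockfile": TARGET is one lockfile (e.g. composer.lock).
# Sets HOST_DIR (host path to mount at /app) and SCANNER_ARGS (arguments that
# go AFTER the image name, i.e. to osv-scanner itself).
# Returns 1 if the target does not exist, 2 for an unknown mode.
osv_resolve() {
  mode="$1"
  target="$2"
  case "$mode" in
    dir)
      HOST_DIR=$(abs_path "$target") || return 1
      SCANNER_ARGS="-r /app"
      ;;
    lockfile)
      [ -f "$target" ] || return 1
      HOST_DIR=$(abs_path "$(dirname "$target")") || return 1
      SCANNER_ARGS="--lockfile=/app/$(basename "$target")"
      ;;
    *)
      return 2
      ;;
  esac
}

# osv_scan MODE TARGET: run the scan. With DRY_RUN set, only print the command.
# Docker options (--rm, -v) come before the image; scanner flags come after it.
# The mount is read-only (:ro) so the container cannot alter the host checkout.
osv_scan() {
  osv_resolve "$1" "$2" || return $?
  if [ -n "$DRY_RUN" ]; then
    echo "docker run --rm -v $HOST_DIR:/app:ro $OSV_IMAGE $SCANNER_ARGS"
  else
    docker run --rm -v "$HOST_DIR:/app:ro" "$OSV_IMAGE" $SCANNER_ARGS
  fi
}

# Usage (uncomment to try):
#   osv_scan dir .
#   osv_scan lockfile ./composer.lock
#   DRY_RUN=1 osv_scan dir .   # print the assembled command without running docker
```

`osv_resolve` refuses paths that do not exist, which catches the common case of a relative path that only makes sense inside the container; everything that should reach the scanner lands in `SCANNER_ARGS`, after the image name, so `-v` can never be mistaken for a scanner flag again.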

jwillker commented 1 year ago

I am not very familiar with goreleaser so any help would be appreciated, +1 on being cautious with curl | bash though.

I think the first step is producing a docker image, which can also be used when making the CI/CD action.

@another-rex I just opened a PR to implement a docker image publish feature using Goreleaser https://github.com/google/osv-scanner/pull/63

Can you review and comment on the open points please?

jayvdb commented 7 months ago

https://github.com/taiki-e/install-action now supports osv-scanner