oracle / macaron

Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks, detect malicious Python packages, or check conformance to frameworks, such as SLSA. Documentation:
https://oracle.github.io/macaron/
Universal Permissive License v1.0

Macaron docker breaks in CI with default entry point #342

Open jgsuess opened 1 year ago

jgsuess commented 1 year ago


Executing "step_script" stage of the job script
Using docker image sha256:e90e8ba018ae4bbbc6cfcde6518561bce7aa04019a05df976b9a28217f64321c for ghcr.io/oracle/macaron:latest with digest ghcr.io/oracle/macaron@sha256:5e1c888e45d14f5b1d396f493b457e88a4385aaf09c39a0edf92754f06b8983c ...
Cannot find the GID and UID of the host machine's user. The output files generated could not be modifiable from the host machine.
Consider providing the GID and UID via the env variables USER_GID and USER_UID respectively.
bash: -c: line 1: syntax error near unexpected token `then'
bash: -c: line 1: `cd /home/macaron && . .venv/bin/activate && sh -c if [ -x /usr/local/bin/bash ]; then'

Seems this is due to a broken expansion of ${MACARON_PARAMS[*]}.

COMMAND="cd /home/macaron && . .venv/bin/activate && ${MACARON_PARAMS[*]}"

It is this issue

And this from the doco:

The runner expects that the image has no entrypoint or that the entrypoint is prepared to start a shell command. (Emphasis mine)

The following works in GitLab CI, but is not pretty. Note that you will need to set the GITHUB_TOKEN in the environment variables of the run.

run_macaron:
    stage: build
    image:
      name: ghcr.io/oracle/macaron:latest
      entrypoint: [""]
    script:
      - /bin/bash /home/macaron/user.sh macaron analyze -rp https://github.com/micronaut-projects/micronaut-core -b 4.0.x -d 82d115b4901d10226552ac67b0a10978cd5bc603
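The syntax error quoted above is the classic symptom of joining an argument list into one string with `${ARR[*]}` and then handing that string to `bash -c`: the quotes that kept `if [ ... ]; then ...; fi` as a single argument to `sh -c` are gone after the join, so the inner shell sees `then` on its own. The following is an added example, not code from the Macaron project, that reproduces that failure with a constructed argument list and shows two safe ways to dispatch the same words: expanding the array as separate words with `"${ARR[@]}"`, or, when a single string really must be built (for example to pass through another `sh -c` layer), re-quoting each word with bash's `printf %q`. The array name `PARAMS` and the helper function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not Macaron's code): why "${ARR[*]}" joined into a command
# string and re-parsed by `bash -c` loses quoting, and how to pass the
# arguments safely instead.

# Constructed argument list. The third element is a script fragment that must
# reach `sh -c` as ONE word; in the real log it was the body of an if-statement.
PARAMS=(sh -c 'if [ -x /bin/sh ]; then echo shell-ok; fi')

# Broken dispatch: join with ${PARAMS[*]} (space-separated, unquoted) and let a
# new bash parse the result. The single quotes were consumed by the first
# shell, so the inner bash sees `sh -c if [ -x /bin/sh ]; then ...` and fails
# with "syntax error near unexpected token `then'". Returns a non-zero status.
broken_dispatch() {
    local cmd="true && ${PARAMS[*]}"
    bash -c "$cmd"
}

# Safe dispatch 1: expand the array as separate words. Each element stays one
# argument, so `sh -c` receives the whole if-statement intact.
safe_dispatch() {
    true && "${PARAMS[@]}"
}

# Safe dispatch 2: when a single string is unavoidable (another `bash -c`
# layer, a CI "script" line), re-quote every word with printf %q so that the
# string parses back into exactly the same words.
quoted_dispatch() {
    local cmd
    cmd="true && $(printf '%q ' "${PARAMS[@]}")"
    bash -c "$cmd"
}

# Stand-alone demonstration.
broken_dispatch || echo "joined form failed as expected (exit status $?)"
echo "word form prints:   $(safe_dispatch)"
echo "quoted form prints: $(quoted_dispatch)"
```

The `entrypoint: [""]` workaround in the job above sidesteps the problem entirely because the CI runner then starts its own shell and never goes through the string-joining entrypoint; the example only shows why the default entrypoint cannot be handed a multi-word shell command in the first place.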
jgsuess commented 1 year ago

Maybe this is a feature request to have a second container with just bash as entry point and variables sourced so macaron analyze -rp https://github.com/micronaut-projects/micronaut-core -b 4.0.x -d 82d115b4901d10226552ac67b0a10978cd5bc603 can be called.

behnazh-w commented 1 year ago

Can you please provide more context on your use case? If I understand correctly, you are not using the run_macaron.sh script, which is recommended. user.sh is an internal script and is not meant to be used by end users.

jgsuess commented 1 year ago

I am trying to execute Macaron in GitLab CI. In this scenario, the container is started in K8S by the CI runner. The usual situation is that you are dropped into a shell environment and then execute build commands. This does not work here, as the entrypoint does not start a shell. It means that to use it in this CI environment, you have to disable the entry point first and then call it via bash. Note that this approach to dispatch is used for most CI systems. There is no outer, so run_macaron.sh is not an option.