From c970ceebe3137932bf1198112510830d19de6cec Mon Sep 17 00:00:00 2001
From: Matthew Jones
Date: Mon, 18 Nov 2024 13:01:53 -0700
Subject: [PATCH] Adds support for SBOM attestations

---
 lib/kamal/commands/builder/base.rb | 8 ++++++--
 lib/kamal/configuration/builder.rb | 4 ++++
 lib/kamal/configuration/docs/builder.yml | 6 ++++++
 test/commands/builder_test.rb | 14 ++++++++++++++
 test/configuration/builder_test.rb | 10 ++++++++++
 5 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/lib/kamal/commands/builder/base.rb b/lib/kamal/commands/builder/base.rb
index d551520be..dea04a3a3 100644
--- a/lib/kamal/commands/builder/base.rb
+++ b/lib/kamal/commands/builder/base.rb
@@ -6,7 +6,7 @@ class BuilderError < StandardError; end
 delegate :argumentize, to: Kamal::Utils
 delegate \
 :args, :secrets, :dockerfile, :target, :arches, :local_arches, :remote_arches, :remote,
- :cache_from, :cache_to, :ssh, :provenance, :driver, :docker_driver?,
+ :cache_from, :cache_to, :ssh, :provenance, :sbom, :driver, :docker_driver?,
 to: :builder_config

 def clean
@@ -37,7 +37,7 @@ def inspect_builder
 end

 def build_options
- [ *build_tags, *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh, *builder_provenance ]
+ [ *build_tags, *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh, *builder_provenance, *builder_sbom ]
 end

 def build_context
@@ -101,6 +101,10 @@ def builder_provenance
 argumentize "--provenance", provenance unless provenance.nil?
 end

+ def builder_sbom
+ argumentize "--sbom", sbom unless sbom.nil?
+ end
+
 def builder_config
 config.builder
 end
diff --git a/lib/kamal/configuration/builder.rb b/lib/kamal/configuration/builder.rb
index 4c0dc6039..970c47d18 100644
--- a/lib/kamal/configuration/builder.rb
+++ b/lib/kamal/configuration/builder.rb
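Review bot: The `build_options` array literal on the new side now packs ten splatted calls onto a single line, well past any sensible line length, and the next attestation or build flag added here will collide on that one line in every merge. Laying the elements out one per line keeps the method readable and makes future additions a one-line diff; the method is otherwise unchanged.
```ruby
def build_options
  [
    *build_tags,
    *build_cache,
    *build_labels,
    *build_args,
    *build_secrets,
    *build_dockerfile,
    *build_target,
    *build_ssh,
    *builder_provenance,
    *builder_sbom
  ]
end
```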
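Review bot: `builder_sbom` has no comment explaining its tri-state handling: `nil` omits the flag, but `false` is deliberately passed through as `--sbom false` (the `push with sbom false` test in this patch pins that), and any other value is handed to buildx unvalidated, exactly as `builder_provenance` directly above does. A one-line comment would stop the next reader from "simplifying" the `nil?` check into a truthiness check and silently dropping the explicit-disable case: `# nil => flag omitted; true/false/any other value is passed to buildx verbatim (mirrors builder_provenance)`. The value originates in the operator's deploy.yml rather than from request or user input, so the pass-through is a trust decision on operator configuration; it is worth stating that intent where the flag is emitted.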
@@ -115,6 +115,10 @@ def provenance
 builder_config["provenance"]
 end

+ def sbom
+ builder_config["sbom"]
+ end
+
 def git_clone?
 Kamal::Git.used? && builder_config["context"].nil?
 end
diff --git a/lib/kamal/configuration/docs/builder.yml b/lib/kamal/configuration/docs/builder.yml
index b6e639f3d..230b39eef 100644
--- a/lib/kamal/configuration/docs/builder.yml
+++ b/lib/kamal/configuration/docs/builder.yml
@@ -108,3 +108,9 @@ builder:
 # It is used to configure provenance attestations for the build result.
 # The value can also be a boolean to enable or disable provenance attestations.
 provenance: mode=max
+
+ # SBOM (Software Bill of Materials)
+ #
+ # It is used to configure SBOM generation for the build result.
+ # The value can also be a boolean to enable or disable SBOM generation.
+ sbom: true
diff --git a/test/commands/builder_test.rb b/test/commands/builder_test.rb
index 86b2f5736..85703f546 100644
--- a/test/commands/builder_test.rb
+++ b/test/commands/builder_test.rb
@@ -158,6 +158,20 @@ class CommandsBuilderTest < ActiveSupport::TestCase
 builder.push.join(" ")
 end

+ test "push with sbom" do
+ builder = new_builder_command(builder: { "sbom" => true })
+ assert_equal \
+ "docker buildx build --push --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --sbom true .",
+ builder.push.join(" ")
+ end
+
+ test "push with sbom false" do
+ builder = new_builder_command(builder: { "sbom" => false })
+ assert_equal \
+ "docker buildx build --push --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --sbom false .",
+ builder.push.join(" ")
+ end
+
 test "mirror count" do
 command = new_builder_command
 assert_equal "docker info --format '{{index .RegistryConfig.Mirrors 0}}'", command.first_mirror.join(" ")
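Review bot: `sbom` returns the raw deploy.yml value with no type check, so a quoted `"true"`, a typo, or any other string reaches the `docker buildx` command line unchanged; that mirrors `provenance` directly above it, so the choice is consistent, but the accepted forms are not written down anywhere in the code. A one-line comment on the accessor would do: `# Raw builder.sbom setting: true/false, a buildx --sbom option string, or nil when unset.`. The companion docs hunk in this patch says the value "can also be a boolean" while its example is already the boolean `true`; that sentence reads better the other way round, stating that the value is a boolean and may alternatively be a string passed to buildx's `--sbom` flag.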
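Review bot: The two new `push with sbom` tests pin only the boolean forms; nothing pins that a non-boolean string value is passed through `argumentize` intact, which is the form the configuration accessor allows, and nothing here pins that an unset value omits `--sbom` entirely (presumably the existing `push` test's expected command covers that, but it lies outside this hunk). A third case built like these two, using a string `"sbom"` value and asserting it appears verbatim after `--sbom` in the expected command, would lock the pass-through behaviour down before anyone tightens it.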
diff --git a/test/configuration/builder_test.rb b/test/configuration/builder_test.rb
index 5fef465ae..123878009 100644
--- a/test/configuration/builder_test.rb
+++ b/test/configuration/builder_test.rb
@@ -144,6 +144,16 @@ class ConfigurationBuilderTest < ActiveSupport::TestCase
 assert_equal "mode=max", config.builder.provenance
 end

+ test "sbom" do
+ assert_nil config.builder.sbom
+ end
+
+ test "setting sbom" do
+ @deploy[:builder]["sbom"] = true
+
+ assert_equal true, config.builder.sbom
+ end
+
 test "local disabled but no remote set" do
 @deploy[:builder]["local"] = false