update buildkit and spdx deps

Signed-off-by: Avi Deitcher <avi@deitcher.net>
milan-zededa · Oct 12, 2023 · 8748b4b · 8748b4b
1 parent 1435cc9
commit 8748b4b
Show file tree

Hide file tree

Showing 4 changed files with 115 additions and 122 deletions.
diff --git a/tools/Dockerfile b/tools/Dockerfile
@@ -1,20 +1,21 @@
 # Use an official Golang runtime as a parent image
-FROM golang:1.20.1 as builder
+FROM golang:1.20.10-alpine3.18 as builder
+
+RUN apk --no-cache add make=4.4.1-r1
 
 # Set the working directory to /go/src/app
 WORKDIR /go/src/app
 
 # Copy the current directory contents into the container at /go/src/app
 COPY /dockerfile-add-scanner /go/src/app
 
-# Install any needed dependencies
-RUN go get -d -v ./...
-
 # Compile the application
-RUN GOOS=linux CGO_ENABLED=0 go build -o /bin/dockerfile-add-scanner
+RUN make build OUTDIR=/bin
 
 # Deploy the application binary into a lean image
-FROM scratch
+FROM alpine:3.18
+RUN apk --no-cache add ca-certificates=20230506-r0 \
+  && update-ca-certificates
 
 WORKDIR /bin
 COPY --from=builder /bin/dockerfile-add-scanner /bin/dockerfile-add-scanner

diff --git a/tools/dockerfile-add-scanner/cli/scan.go b/tools/dockerfile-add-scanner/cli/scan.go
@@ -28,9 +28,9 @@ import (
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	log "github.com/sirupsen/logrus"
 	spdxjson "github.com/spdx/tools-golang/json"
-	spdxcommon "github.com/spdx/tools-golang/spdx/common"
-	spdx "github.com/spdx/tools-golang/spdx/v2_3"
-	spdxtv "github.com/spdx/tools-golang/tvsaver"
+	spdxcommon "github.com/spdx/tools-golang/spdx/v2/common"
+	spdx "github.com/spdx/tools-golang/spdx/v2/v2_3"
+	spdxtv "github.com/spdx/tools-golang/tagvalue"
 	"github.com/spf13/cobra"
 	"github.com/ulikunitz/xz"
 )
@@ -81,13 +81,13 @@ func scanCmd() *cobra.Command {
 				if err != nil {
 					return err
 				}
-				return spdxtv.Save2_3(sbom, os.Stdout)
+				return spdxtv.Write(sbom, os.Stdout)
 			case "spdx-json":
 				sbom, err := buildSbom(allUrls, namespace, creator)
 				if err != nil {
 					return err
 				}
-				return spdxjson.Save2_3(sbom, os.Stdout)
+				return spdxjson.Write(sbom, os.Stdout)
 			default:
 				return fmt.Errorf("unknown output format %s", outputFormat)
 			}

diff --git a/tools/dockerfile-add-scanner/go.mod b/tools/dockerfile-add-scanner/go.mod
@@ -6,26 +6,29 @@ require (
 	github.com/go-git/go-git/v5 v5.7.0
 	github.com/google/licensecheck v0.3.1
 	github.com/google/uuid v1.3.0
-	github.com/moby/buildkit v0.11.4
-	github.com/opencontainers/image-spec v1.1.0-rc2
-	github.com/sirupsen/logrus v1.9.0
-	github.com/spdx/tools-golang v0.3.1-0.20230104082527-d6f58551be3f
+	github.com/moby/buildkit v0.13.0-beta1.0.20231011161957-86e25b3ad8c2
+	github.com/opencontainers/image-spec v1.1.0-rc3
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spdx/tools-golang v0.5.1
 	github.com/spf13/cobra v1.6.1
 	github.com/ulikunitz/xz v0.5.11
 )
 
 require (
-	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 // indirect
 	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/containerd/containerd v1.6.18 // indirect
-	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/containerd/ttrpc v1.1.0 // indirect
-	github.com/containerd/typeurl v1.0.2 // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v23.0.0-rc.1+incompatible // indirect
+	github.com/containerd/containerd v1.7.2 // indirect
+	github.com/containerd/continuity v0.4.1 // indirect
+	github.com/containerd/ttrpc v1.2.2 // indirect
+	github.com/containerd/typeurl/v2 v2.1.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/distribution/reference v0.5.0 // indirect
+	github.com/docker/docker v24.0.0-rc.2.0.20230905130451-032797ea4bcb+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
@@ -36,35 +39,42 @@ require (
 	github.com/gogo/googleapis v1.4.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/in-toto/in-toto-golang v0.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.15.12 // indirect
+	github.com/klauspost/compress v1.16.3 // indirect
 	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/skeema/knownhosts v1.1.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/tonistiigi/fsutil v0.0.0-20230105215944-fb433841cbfa // indirect
+	github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.29.0 // indirect
-	go.opentelemetry.io/otel v1.4.1 // indirect
-	go.opentelemetry.io/otel/trace v1.4.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 // indirect
+	go.opentelemetry.io/otel v1.14.0 // indirect
+	go.opentelemetry.io/otel/metric v0.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.14.0 // indirect
 	golang.org/x/crypto v0.9.0 // indirect
+	golang.org/x/mod v0.9.0 // indirect
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/sys v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
-	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
+	golang.org/x/tools v0.7.0 // indirect
+	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
 	google.golang.org/grpc v1.53.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gotest.tools/v3 v3.4.0 // indirect
 )