diff --git a/.github/workflows/chainguard.yml b/.github/workflows/chainguard.yml
index 22f3930..a201e6a 100644
--- a/.github/workflows/chainguard.yml
+++ b/.github/workflows/chainguard.yml
@@ -1,85 +1,102 @@ -name: Build e Distribuição de Pacotes com Melange e APKO - -on: - push: - branches: - - 'main' - jobs: - build: - name: Build e Distribuição de Pacotes - runs-on: ubuntu-20.04 - permissions: - actions: read - contents: read - security-events: write + deploy: + runs-on: ubuntu-latest steps: - - name: Fazer checkout do código - uses: actions/checkout@v3 - - - name: Configurar QEMU - uses: docker/setup-qemu-action@v3 + # Passo 1: Checkout do código + - name: Checkout code + uses: actions/checkout@v3 - - name: Instalar Cosign - uses: sigstore/cosign-installer@v3 + # Passo 2: Configurar Docker Buildx + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 - - name: Configurar Docker Buildx - uses: docker/setup-buildx-action@v3 + # Passo 3: Instalar Melange + - name: Install Melange + run: | + wget https://github.com/chainguard-dev/melange/releases/download/v0.11.2/melange_0.11.2_linux_386.tar.gz + tar -xzf melange_0.11.2_linux_386.tar.gz + sudo mv melange /usr/local/bin/ + melange version - - name: Fazer login no Docker Hub - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + # Passo 4: Instalar APKO + - name: Install APKO + run: | + wget https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_386.tar.gz + tar -xzf apko_0.14.7_linux_386.tar.gz + sudo mv apko /usr/local/bin/ + apko version - - name: Install Melange - run: | - wget https://github.com/chainguard-dev/melange/releases/download/v0.11.2/melange_0.11.2_linux_386.tar.gz - tar -xzf melange_0.11.2_linux_386.tar.gz - cd melange_0.11.2_linux_386 - sudo mv melange /usr/local/bin/ - sudo chmod +x /usr/local/bin/melange - melange version + # Passo 5: Gerar chaves com Melange + - name: Generate keys with Melange + run: | + cd chainguard + melange keygen - - name: Install APKO - run: | - wget https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_386.tar.gz - 
tar -xzf apko_0.14.7_linux_386.tar.gz - cd apko_0.14.7_linux_386 - sudo mv apko /usr/local/bin/ - sudo chmod +x /usr/local/bin/apko - apko version + # Passo 6: Construir pacotes com Melange + - name: Build packages with Melange + run: | + cd chainguard + melange build melange.yaml --runner docker --signing-key melange.rsa --arch amd64 - - name: Gerar chaves com Melange - run: | - cd chainguard - melange keygen + # Passo 7: Construir imagem de container com APKO + - name: Build container image with APKO + run: | + cd chainguard + apko build apko.yaml senhas senhas.tar -k melange.rsa.pub --arch amd64 - - name: Construir pacotes com Melange - run: | - cd chainguard - melange build melange.yaml --runner docker --signing-key melange.rsa --arch amd64 + # Passo 8: Carregar a imagem Docker + - name: Load Docker image + run: | + docker load < senhas.tar + docker images - - name: Construir imagem de container com APKO - run: | - cd chainguard - apko build apko.yaml senhas:v1.0.0 giropops-senhas.tar -k melange.rsa.pub --arch amd64 + # Passo 9: Fazer login no DockerHub + - name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} - - name: Carregar a imagem Docker - run: | - docker load < chainguard/giropops-senhas.tar + # Passo 10: Gerar nome único para a tag + - name: Gerar nome único para a tag + id: generate-tag + run: | + SHORT_HASH=$(git log -1 --pretty=format:%h | cut -c1-5) + TIMESTAMP=$(date +%Y%m%d%H%M%S) + echo "tag=${SHORT_HASH}-${TIMESTAMP}" >> $GITHUB_ENV + echo "::set-output name=tag::${SHORT_HASH}-${TIMESTAMP}" - - name: Extrair metadados (tags, labels) para Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ secrets.DOCKER_USERNAME }}/giropops-senhas + # Passo 11: Fazer push da imagem Docker + - name: Fazer push da imagem Docker + run: | + docker tag senhas:latest-amd64 ${{ secrets.DOCKER_USERNAME }}/senhas:${{ steps.generate-tag.outputs.tag }} + 
docker push ${{ secrets.DOCKER_USERNAME }}/senhas:${{ steps.generate-tag.outputs.tag }} - - name: Gerar nome único para a tag - id: generate-tag - run: | - SHORT_HASH=$(git log -1 --pretty=format:%h | cut -c1-5) - TIMESTAMP=$(date +%Y%m%d%H%M%S) - echo "tag=${SHORT_HASH}-${TIMESTAMP}" >> $GITHUB_ENV - echo "::set-output name=tag::${SHORT_HASH}-${TIMESTAMP}" \ No newline at end of file + # Passo 12: Scan de segurança com Trivy + - name: Aqua Security Trivy + uses: aquasecurity/trivy-action@0.24.0 + with: + image-ref: nataliagranato/linuxtips-giropops-senhas:${{ steps.generate-tag.outputs.tag }} + format: 'sarif' + severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' + output: 'trivy-results.sarif' + + - name: Fazer upload dos resultados do Trivy para a aba de Segurança do GitHub + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + + - name: Assinar imagem com uma chave + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes --key env://COSIGN_PRIVATE_KEY $images + env: + TAGS: ${{ steps.meta.outputs.tags }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + DIGEST: ${{ steps..outputs.digest }} \ No newline at end of file diff --git a/chainguard/melange.rsa b/chainguard/melange.rsa new file mode 100644 index 0000000..7feb8f3 --- /dev/null +++ b/chainguard/melange.rsa 
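Review bot: The Trivy and cosign steps added at the end of the job do not cover the image this job pushes. Trivy's `image-ref` is hard-coded to `nataliagranato/linuxtips-giropops-senhas:…` while the push goes to `${{ secrets.DOCKER_USERNAME }}/senhas:…`, and the signing step reads `steps.meta.outputs.tags` and `steps..outputs.digest` although the `meta` step and `sigstore/cosign-installer` are both removed in this hunk and the second expression has no step id. I would set `image-ref: ${{ secrets.DOCKER_USERNAME }}/senhas:${{ steps.generate-tag.outputs.tag }}`, restore the installer, and give the push step an `id` that exports the pushed digest for `DIGEST`, ideally scanning before the push rather than after it. As far as the hunk shows, the new file also loses the `on:` trigger and the `permissions:` block; `upload-sarif` needs `security-events: write`, so both should stay. The two `wget` downloads remain unverified `linux_386` tarballs, and a pinned `sha256sum -c` check after each download would close that gap.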
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAwq9yCsE5qxsW9LooU7yQ80+APGT6fAz0c+qetKpAbUC42KPw +X2RToCT0vqNOcPdyEaUpF1jJ2DBaxHeLXT5qTqEUjO1tSsx9961lk+PXu4QOwuBj +mwmK9uS53/lgJ7OoPxofXq8qH7IMX/8Br+TvYRspGnZZ0kR+mLhl8J90eHSO43ze +9UbRdUqsTUg7Yyx33qxgkk5e2C+Qdyi0cInb2y3xh5h6IwucMT6iq+dJNBRH8Age +PQNoynC8WTy8Vfro1Rk754ouxPgzFhhHQUe1zIYhSJNzT2PNAmBPOTiqf4o5Pra4 +K+W1uAdHWZp3LP6RxJP+cK04KZHkY3F/zidCP3wCB3Y9DDgnC2zkuA2vOggN//Jd +D2p2pt89aM3UAQCsCi3LT9+amqzKYlMka10tZTiTR3DEUgEGlmwkFhycrDNp5t1E +BcnVEEqQlxeGRqExkhZMBO+QuW9er27Tv2hNw7nM0oAylMVsIcNjxDWuhljuJpw6 +6pdADPTZbODL7NYoAJzv/KoG0uI4idvUz12BJS0Rg00wXdV0oG5NgqLebV2uve/r +ZPq9CkkCyKExa2/xos5JFNrHCHiz8t2Yw2+1YL7og0BvMRguVAqOIyDbK3CxDI/M +/b5Fs15KVhq/drOw95D4XBD2Oy6oCIIplnYZJi4xhgxJCQyEUQ25tN/IKncCAwEA +AQKCAgA8DdKn7qLTXS/fne0Cp5Au/b8Y4i1CRtzBRQZfxITLLsPWT/u98Ty6kavN +gqKXxjyxpLjgMstQnNni8N1UjgRM7PNh5XtpL1tMI3jJ/eZ2OW40PvN6x57OOg/8 +PviiRpEHpg83LeFYlZuroQXsNDqDQdWUDB349pf2lCsd5pIO9iV9lu9PyeCixb4Q +uM9Y8EapsZK4juRC26k8mJnQfTYMjkeLBEXouZQcvK2BSX8TSY5HRLnPKFYS3GO9 +Qzb1bsiTs4z/B2kV6VoY3rRcNrqltFpgANv5CVgb+4l0pT4yyXiPF94H7Hv5oIUp +5rQMdRqSAPTj3QsOB6rj4gcCmKmeUSYZ8iXF4FJjsAEI8sRUkLnqF72fnUHiZpXc +ANeweaE0YGTn/3594AC1d74EXjrPRmr2L5L8ldn9FLdEQFkqx1NjUtY46CQF+SYT +y1rLOdR9eXuzI8aUyMtDnvqhdZgg9BslxpEpzynzMyh+svaEq7ZOVgg5TUiUIyPh +vCIU0xuIUeTetz89v0u16sdwOkeZBGy9fhATDifXxeKyYueybpgC/cZG6jsjqxi5 +T74+KGT7EvzEbEaf4qa9mxWno5CHkWefIhUz1oWUNyA6W3dbp5AJeMRDK/34ddbq +SKeTsXTJ3E0Ip3dJLCW1xkceuSXMn57C4MJRz7t1aKnFA599QQKCAQEA+GdXcAMa +YnVvv2vahJFbQXd2sOrzLOMdI+Td+IOBj22RDuf6cElCjPE8rYMLCLYYdfGzxheA +kutQxxfgrLY2w8Ur9+1Rzx3b5V9JB02k2cciQSvG25BY9enBGgtIyGjjbKwFeoCB +IescHzyXCpz4H/AAPFMx8QOVRCqXPU5slfmIo+GBQHS5bnuErTy2TuCTAZOAN91O +BFW07oVQ3kWx8lUBBZdm6Txs+qhVcWIoibZhcJdWfAK5D/j2SKORgDtEAT5lnrTc +ONyzpRzUl2Et90dHFPrGtVnmQVO8hhRfThszP/paJNb7X9ySM+rS2sAJX0jX2bWZ +euzgInTbklrWzQKCAQEAyKOQNgvZpZHzLPTaCwZ6HW0q6zzu0aqj3N/0nPENDSHu +G9UlXDCn3wfHoSD4PCm7KwyZTsaZMdj7GZiBUfJFnQ0+g8LznsTNtPho5CvIuSKe 
+qVjQXthArBvtsefC57MnQ1nP8DtxV634z97SDOom9rN2JhPmKtJh3MAyiTQktK3E +Se8ru9ths6TX6tqeJr2AscA96BJQKyUgNPyq297emBjH4mkBM9GvkD9yXtI5zI+z +VeVQ2GWJVwTvy1FZU/hmq3CRMz/hCFRtrwklQjycIgpt8Pj3G4wCwcu+99K/jTCF +MGK+fzgPpN5H22dTDXZrDI+zxoSc05OGv7fCVsqeUwKCAQEA6bhaRdM1nRQ/+4zg +QsF9amCb9aRq/34FqgMqcyxQ2AHQbYUJV2Mm0fQdEmjtFdo3s6mia60rVZFBJMKr +q/WaG6NGVnUd91Fx2CRKUyvUAvBho44sAeSUP3UcMoQRjDdcXKCSWwvT9HUBtcZN +mzfMIkiwABKLN+kWJdgpCw7iDk6GKSQBeAMbgf+H+3PXWOnmh6IgDvAT+vIlVhNr +3mcXIhqm5nro4mTvaPy/v/oKiGBo2AYc4nuxYnzuRbRZL50TxFPQS36CgqHuCVnS +EUjndfXDxNKb6oBWrHq8NC+w6I2hL/4/mNAKHs0rZtv4Xsg3SUcBiR9b9JQx41mu +SstbtQKCAQB6CTKQDQkm8e0NLSjqh9gCygHO71L7aGUe1YF9bAjaMgcYGr8MofOZ +bqv3z4vtXByiBJnDFnzbmvSwDtiptUiuS/34Or3flijgqC90iUUfhnUm4ARti+9a +P+qFyUf9kjSRfLFDl4RLJmAuX4M3o7xrVaDJbFUVOr2Xfbe/SF4DH6ZCqhzZuIhm +sh86lBqZya3bb+i3nVvxwjUixYRPE/IkZP4/Mksu751viYfRMOFDESytVDumQ6wT +p8cKzcIdlvsrz94hY/tGC8RjMJbfAOqeseVJKsVyleifY4QWTLOB9z8rvQPNcZXi +W+ktBF251IssKsPYPZT+A790IRstmzRNAoIBAQDRolwWiFBGSzcgaHrMGLgUvnO4 +n+zZlyoC3dVqv9NJAlXCFVxABC46Arx41hr08DhmVtt2udZ5SpP3A4PNhhgeGFYZ +17rRUOyCUc2JArNKz1ZvVSMMDwH0o7kC1UptvNS2KfOr4VeyfslFKhjO5q1NQ3MH +EpjJ3rPPaw5eQ+qftYnq6qw+fkMf6b6apWsyOVFNYMQQfDgLaQvN36eT3Eesw5O6 +HWXPMgACzXOwvWEHKQoYAu6/ecLTs0cElVlC1FwDI8J1eLWpIg1FuboU35CzOUVq +2NwCN3pKtT71WXvTQnKuftHZ3v1twkDjO+NZVfiQfIDRo8sK29HNmqaqwjFB +-----END RSA PRIVATE KEY----- diff --git a/chainguard/melange.rsa.pub b/chainguard/melange.rsa.pub new file mode 100644 index 0000000..202c5fc --- /dev/null +++ b/chainguard/melange.rsa.pub 
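Review bot: This new file is the unencrypted RSA private key that the workflow passes to `melange build --signing-key melange.rsa`, so anyone who can read the repository or its history can sign packages that verify against the committed `melange.rsa.pub`. The key should be treated as compromised: remove it from the tree, generate a new pair, and add `chainguard/melange.rsa` to `.gitignore`. The workflow already runs `melange keygen` in `chainguard/` before the build, so CI does not appear to need a committed key; if a stable key is wanted, supply it from a repository secret instead. Deleting the file in a later commit does not remove it from history, so rotation is required either way.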
@@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwq9yCsE5qxsW9LooU7yQ +80+APGT6fAz0c+qetKpAbUC42KPwX2RToCT0vqNOcPdyEaUpF1jJ2DBaxHeLXT5q +TqEUjO1tSsx9961lk+PXu4QOwuBjmwmK9uS53/lgJ7OoPxofXq8qH7IMX/8Br+Tv +YRspGnZZ0kR+mLhl8J90eHSO43ze9UbRdUqsTUg7Yyx33qxgkk5e2C+Qdyi0cInb +2y3xh5h6IwucMT6iq+dJNBRH8AgePQNoynC8WTy8Vfro1Rk754ouxPgzFhhHQUe1 +zIYhSJNzT2PNAmBPOTiqf4o5Pra4K+W1uAdHWZp3LP6RxJP+cK04KZHkY3F/zidC +P3wCB3Y9DDgnC2zkuA2vOggN//JdD2p2pt89aM3UAQCsCi3LT9+amqzKYlMka10t +ZTiTR3DEUgEGlmwkFhycrDNp5t1EBcnVEEqQlxeGRqExkhZMBO+QuW9er27Tv2hN +w7nM0oAylMVsIcNjxDWuhljuJpw66pdADPTZbODL7NYoAJzv/KoG0uI4idvUz12B +JS0Rg00wXdV0oG5NgqLebV2uve/rZPq9CkkCyKExa2/xos5JFNrHCHiz8t2Yw2+1 +YL7og0BvMRguVAqOIyDbK3CxDI/M/b5Fs15KVhq/drOw95D4XBD2Oy6oCIIplnYZ +Ji4xhgxJCQyEUQ25tN/IKncCAwEAAQ== +-----END PUBLIC KEY----- diff --git a/chainguard/melange.yaml b/chainguard/melange.yaml index b478cf7..c48f1f0 100755 --- a/chainguard/melange.yaml +++ b/chainguard/melange.yaml @@ -1,6 +1,6 @@ package: - name: giropops-senhas - version: 0.1.0 + name: senhas + version: 1.0.0 description: Um gerador de senhas. copyright: - license: Apache-2.0 diff --git a/chainguard/packages/x86_64/APKINDEX.json b/chainguard/packages/x86_64/APKINDEX.json index 2f3ea08..0e9296c 100644 --- a/chainguard/packages/x86_64/APKINDEX.json +++ b/chainguard/packages/x86_64/APKINDEX.json 
@@ -11,21 +11,46 @@ "Origin": "giropops-senhas", "Maintainer": "", "URL": "", - "Checksum": "bdy/F1Io2uciWaAJTjxqtPWOtpw=", + "Checksum": "t2GV3n+Sk2R+MgZPTu0uD2AaWEs=", "Dependencies": [ "python3", "so:libc.musl-x86_64.so.1" ], "Provides": null, "InstallIf": null, - "Size": 6163053, - "InstalledSize": 17924625, + "Size": 6163069, + "InstalledSize": 17212997, "ProviderPriority": 0, "BuildTime": "1970-01-01T00:00:00Z", "BuildDate": 0, "RepoCommit": "", "Replaces": null, - "DataHash": "35f42714a763c24a48dba3322c435dd4e749f1ab290b2c0f23e9c52edf1cb28a" + "DataHash": "" + }, + { + "Name": "senhas", + "Version": "1.0.0-r0", + "Arch": "x86_64", + "Description": "Um gerador de senhas.", + "License": "Apache-2.0", + "Origin": "senhas", + "Maintainer": "", + "URL": "", + "Checksum": "TFIwM77H/NrvnJ4eTrAAHtZWRYk=", + "Dependencies": [ + "python3", + "so:libc.musl-x86_64.so.1" + ], + "Provides": null, + "InstallIf": null, + "Size": 6161572, + "InstalledSize": 17207975, + "ProviderPriority": 0, + "BuildTime": "1970-01-01T00:00:00Z", + "BuildDate": 0, + "RepoCommit": "", + "Replaces": null, + "DataHash": "7aad597f0fd83533abf80aca9fb836380577f347e957d61c507db1480e341fd3" } ] } \ No newline at end of file diff --git a/chainguard/packages/x86_64/APKINDEX.tar.gz b/chainguard/packages/x86_64/APKINDEX.tar.gz index 496af34..2806109 100644 Binary files a/chainguard/packages/x86_64/APKINDEX.tar.gz and b/chainguard/packages/x86_64/APKINDEX.tar.gz differ diff --git a/chainguard/packages/x86_64/giropops-senhas-0.1.0-r0.apk b/chainguard/packages/x86_64/giropops-senhas-0.1.0-r0.apk index 987e414..7849ed9 100644 Binary files a/chainguard/packages/x86_64/giropops-senhas-0.1.0-r0.apk and b/chainguard/packages/x86_64/giropops-senhas-0.1.0-r0.apk differ diff --git a/chainguard/packages/x86_64/senhas-1.0.0-r0.apk b/chainguard/packages/x86_64/senhas-1.0.0-r0.apk new file mode 100644 index 0000000..1efb5e6 Binary files /dev/null and b/chainguard/packages/x86_64/senhas-1.0.0-r0.apk differ 
diff --git a/chainguard/sbom-index.spdx.json b/chainguard/sbom-index.spdx.json
new file mode 100644
index 0000000..084fc50
--- /dev/null
+++ b/chainguard/sbom-index.spdx.json
@@ -0,0 +1,73 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "name": "sbom-sha256:737c813461d72ae410a179a113793d0ef7d202d72ed168f83c77ab863406c060", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2024-08-23T06:08:54Z", + "creators": [ + "Tool: apko (v0.14.7)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.16" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/apko/", + "documentDescribes": [ + "SPDXRef-Package-sha256-737c813461d72ae410a179a113793d0ef7d202d72ed168f83c77ab863406c060" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package-sha256-737c813461d72ae410a179a113793d0ef7d202d72ed168f83c77ab863406c060", + "name": "sha256:737c813461d72ae410a179a113793d0ef7d202d72ed168f83c77ab863406c060", + "versionInfo": "sha256:737c813461d72ae410a179a113793d0ef7d202d72ed168f83c77ab863406c060", + "filesAnalyzed": false, + "description": "Multi-arch image index", + "downloadLocation": "NOASSERTION", + "supplier": "Organization: Chainguard, Inc.", + "sourceInfo": "Generated at image build time by apko", + "primaryPackagePurpose": "CONTAINER", + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "737c813461d72ae410a179a113793d0ef7d202d72ed168f83c77ab863406c060" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:oci/senhas@sha256%3A737c813461d72ae410a179a113793d0ef7d202d72ed168f83c77ab863406c060?mediaType=application%2Fvnd.oci.image.index.v1%2Bjson", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-sha256-00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091", + "name": "sha256:00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091", + "versionInfo": "sha256:00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091", + "filesAnalyzed": false, + "downloadLocation": "NOASSERTION", + "supplier": "Organization: Chainguard, Inc.", + "primaryPackagePurpose": "CONTAINER", + "checksums": [ + { + "algorithm": "SHA256", 
+ "checksumValue": "00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:oci/senhas@sha256%3A00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091?arch=amd64\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux", + "referenceType": "purl" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-sha256-737c813461d72ae410a179a113793d0ef7d202d72ed168f83c77ab863406c060", + "relationshipType": "VARIANT_OF", + "relatedSpdxElement": "SPDXRef-Package-sha256-00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091" + } + ] +} diff --git a/chainguard/sbom-x86_64.spdx.json b/chainguard/sbom-x86_64.spdx.json new file mode 100644 index 0000000..08b2cba --- /dev/null +++ b/chainguard/sbom-x86_64.spdx.json 
@@ -0,0 +1,590 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "name": "sbom-sha256:70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2024-08-23T06:08:54Z", + "creators": [ + "Tool: apko (v0.14.7)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.16" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/apko/", + "documentDescribes": [ + "SPDXRef-Package-sha256-00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package-sha256-00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091", + "name": "sha256:00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091", + "versionInfo": "sha256:00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091", + "filesAnalyzed": false, + "description": "apko container image", + "downloadLocation": "NOASSERTION", + "supplier": "Organization: apko-generated image", + "primaryPackagePurpose": "CONTAINER", + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:oci/senhas@sha256%3A00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091?arch=amd64\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53", + "name": "sha256:70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53", + "versionInfo": "unknown", + "filesAnalyzed": false, + "description": "apko operating system layer", + "downloadLocation": "NOASSERTION", + "supplier": "Organization: apko-generated image", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": 
"pkg:oci/senhas@sha256%3A70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53?arch=amd64\u0026mediaType=application%2Fvnd.oci.image.layer.v1.tar%2Bgzip\u0026os=linux", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-alpine-baselayout-data-3.6.6-r0", + "name": "alpine-baselayout-data", + "versionInfo": "3.6.6-r0", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-only", + "description": "Alpine base dir structure and init scripts", + "downloadLocation": "https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "61baeb100d56d097faaaa20e30141e2e8a55db62" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/alpine-baselayout-data@3.6.6-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-musl-1.2.5-r2", + "name": "musl", + "versionInfo": "1.2.5-r2", + "filesAnalyzed": false, + "licenseConcluded": "MIT", + "description": "the musl c library (libc) implementation", + "downloadLocation": "https://musl.libc.org/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "25081c2f8a4fa8d220e5bfcaad736718a30b6222" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/musl@1.2.5-r2?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": 
"SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-libcrypto3-3.3.1-r3", + "name": "libcrypto3", + "versionInfo": "3.3.1-r3", + "filesAnalyzed": false, + "licenseConcluded": "Apache-2.0", + "description": "Crypto library from openssl", + "downloadLocation": "https://www.openssl.org/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "f6a1152c1bc6ef22bdbd00edb434597d96c7e4e9" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/libcrypto3@3.3.1-r3?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-libssl3-3.3.1-r3", + "name": "libssl3", + "versionInfo": "3.3.1-r3", + "filesAnalyzed": false, + "licenseConcluded": "Apache-2.0", + "description": "SSL shared libraries", + "downloadLocation": "https://www.openssl.org/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "5fd18726bc9108e74b0a994e964eda3d36db02a7" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/libssl3@3.3.1-r3?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-libbz2-1.0.8-r6", + "name": "libbz2", + "versionInfo": "1.0.8-r6", + "filesAnalyzed": false, + "licenseConcluded": "bzip2-1.0.6", + "description": "Shared library for bz2", + "downloadLocation": "https://sourceware.org/bzip2/", + "originator": "Person: 
Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "ab2282769fe8e273bc771f2272864c93d6c90dcd" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/libbz2@1.0.8-r6?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-libexpat-2.6.2-r0", + "name": "libexpat", + "versionInfo": "2.6.2-r0", + "filesAnalyzed": false, + "licenseConcluded": "MIT", + "description": "XML Parser library written in C (libraries)", + "downloadLocation": "https://libexpat.github.io/", + "originator": "Person: Carlo Landmeter \u003cclandmeter@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "4dc7f60c8ec05a403d6073a7503fcd7d32b68230" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/libexpat@2.6.2-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-libffi-3.4.6-r0", + "name": "libffi", + "versionInfo": "3.4.6-r0", + "filesAnalyzed": false, + "licenseConcluded": "MIT", + "description": "portable, high level programming interface to various calling conventions.", + "downloadLocation": "https://sourceware.org/libffi/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "4a0e7ae23dc8b71698119c9602c3dbe2c30343a5" + } + ], + "externalRefs": [ + { + 
"referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/libffi@3.4.6-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-gdbm-1.24-r0", + "name": "gdbm", + "versionInfo": "1.24-r0", + "filesAnalyzed": false, + "licenseConcluded": "GPL-3.0-or-later", + "description": "GNU dbm is a set of database routines that use extensible hashing", + "downloadLocation": "https://www.gnu.org/software/gdbm/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "f0e3f6ba0829fe3eec97065ff2c263b607ba86c0" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/gdbm@1.24-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-xz-libs-5.6.2-r0", + "name": "xz-libs", + "versionInfo": "5.6.2-r0", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-or-later AND 0BSD AND Public-Domain AND LGPL-2.1-or-later", + "description": "Library and CLI tools for XZ and LZMA compressed files (libraries)", + "downloadLocation": "https://tukaani.org/xz/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "d72edcab0828d0800fe5c5fb27c596e8a402a6e8" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/xz-libs@5.6.2-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": 
"SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-libgcc-14.2.0-r1", + "name": "libgcc", + "versionInfo": "14.2.0-r1", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-or-later AND LGPL-2.1-or-later", + "description": "GNU C compiler runtime libraries", + "downloadLocation": "https://gcc.gnu.org", + "originator": "Person: Ariadne Conill \u003cariadne@dereferenced.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "5dcccd7b29725a930ddc6366f6af8efa0a20a792" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/libgcc@14.2.0-r1?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-libstdcC43C43-14.2.0-r1", + "name": "libstdc++", + "versionInfo": "14.2.0-r1", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-or-later AND LGPL-2.1-or-later", + "description": "GNU C++ standard runtime library", + "downloadLocation": "https://gcc.gnu.org", + "originator": "Person: Ariadne Conill \u003cariadne@dereferenced.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "8c413425fea4f6ba544946551f5b30528bcd502d" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/libstdc%2B%2B@14.2.0-r1?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-mpdecimal-4.0.0-r0", + "name": "mpdecimal", + "versionInfo": "4.0.0-r0", + "filesAnalyzed": false, + "licenseConcluded": "BSD-2-Clause", + "description": "complete implementation 
of the General Decimal Arithmetic Specification", + "downloadLocation": "https://www.bytereef.org/mpdecimal/index.html", + "originator": "Person: Stefan Stutz \u003cstutz@pm.me\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "c308dbfe0e95b65ae7af41380b07ac4721b301d2" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/mpdecimal@4.0.0-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-ncurses-terminfo-base-6.5C95p20240601-r0", + "name": "ncurses-terminfo-base", + "versionInfo": "6.5_p20240601-r0", + "filesAnalyzed": false, + "licenseConcluded": "X11", + "description": "Descriptions of common terminals", + "downloadLocation": "https://invisible-island.net/ncurses/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "3e403bc022daf735f70b46b79b8642984425f474" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/ncurses-terminfo-base@6.5_p20240601-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-libncursesw-6.5C95p20240601-r0", + "name": "libncursesw", + "versionInfo": "6.5_p20240601-r0", + "filesAnalyzed": false, + "licenseConcluded": "X11", + "description": "Console display library (libncursesw)", + "downloadLocation": "https://invisible-island.net/ncurses/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + 
"sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "61aeadd0a1e68d1869578d7e47beef7c6f9b6971" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/libncursesw@6.5_p20240601-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-libpanelw-6.5C95p20240601-r0", + "name": "libpanelw", + "versionInfo": "6.5_p20240601-r0", + "filesAnalyzed": false, + "licenseConcluded": "X11", + "description": "Console display library (libpanelw)", + "downloadLocation": "https://invisible-island.net/ncurses/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "c6784e47546a818ba94c1b95b50e4f7120a55bd8" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/libpanelw@6.5_p20240601-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-readline-8.2.13-r0", + "name": "readline", + "versionInfo": "8.2.13-r0", + "filesAnalyzed": false, + "licenseConcluded": "GPL-3.0-or-later", + "description": "GNU readline library", + "downloadLocation": "https://tiswww.cwru.edu/php/chet/readline/rltop.html", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "707fb902c4ba86208e059ab8bf36a147e7559ff6" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": 
"pkg:apk/unknown/readline@8.2.13-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-sqlite-libs-3.46.1-r0", + "name": "sqlite-libs", + "versionInfo": "3.46.1-r0", + "filesAnalyzed": false, + "licenseConcluded": "blessing", + "description": "C library that implements an SQL database engine (libraries)", + "downloadLocation": "https://www.sqlite.org/", + "originator": "Person: Celeste \u003ccielesti@protonmail.com\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "2e709b7daca82d9aa4a380dad41566aa1b7ae233" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/sqlite-libs@3.46.1-r0?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-zlib-1.3.1-r1", + "name": "zlib", + "versionInfo": "1.3.1-r1", + "filesAnalyzed": false, + "licenseConcluded": "Zlib", + "description": "A compression/decompression Library", + "downloadLocation": "https://zlib.net/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "fbf48ae1933de633f0f21c43e5eae8b5380604d1" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/zlib@1.3.1-r1?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-python3-3.12.5-r1", + "name": "python3", + "versionInfo": "3.12.5-r1", + "filesAnalyzed": false, + "licenseConcluded": 
"PSF-2.0", + "description": "High-level scripting language", + "downloadLocation": "https://www.python.org/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "eba8323968f0212154ce420e3f54628d5a1fb368" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/python3@3.12.5-r1?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53-python3-pyc-3.12.5-r1", + "name": "python3-pyc", + "versionInfo": "3.12.5-r1", + "filesAnalyzed": false, + "licenseConcluded": "PSF-2.0", + "description": "High-level scripting language (install .pyc cache files)", + "downloadLocation": "https://www.python.org/", + "originator": "Person: Natanael Copa \u003cncopa@alpinelinux.org\u003e", + "supplier": "Organization: apko-generated image", + "sourceInfo": "Package info from apk database", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "82277da220f9f7ba5a9782cc11fc939eb1f57742" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:apk/unknown/python3-pyc@3.12.5-r1?arch=x86_64", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-giropops-senhas-0.1.0-r0", + "name": "giropops-senhas", + "versionInfo": "0.1.0-r0", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "Apache-2.0", + "downloadLocation": "NOASSERTION", + "originator": "Organization: Unknown", + "supplier": "Organization: Unknown", + "copyrightText": "\n", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceLocator": "pkg:apk/unknown/giropops-senhas@0.1.0-r0?arch=x86_64", + "referenceType": "purl" + }, + { + "referenceCategory": 
"PACKAGE_MANAGER", + "referenceLocator": "pkg:github/tech-preta/linuxtips-pick.git@c2076eadf7ad7f5961668bdae1ee449e76ace65a#chainguard/melange.yaml", + "referenceType": "purl" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-sha256-00e91458dc4e61f0272a6e14bbe87e62fa1a0d101dbbf7244c756d851d0ec091", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-sha256-70d457aeaadf5c909cab6566b64f6044658ea33487f06585c4cdb7fa49dd3c53" + } + ] +} diff --git a/chainguard/senhas.tar b/chainguard/senhas.tar new file mode 100644 index 0000000..3d7bfd6 Binary files /dev/null and b/chainguard/senhas.tar differ