tasks/buildah: respect user configuration for Syft

STONEBLD-2095 Syft makes many things configurable: https://github.com/anchore/syft#configuration For example, users can take advantage of this to get rid of false positives. This will be useful for the Syft build itself: redhat-appstudio/rh-syft#21 Currently, our SBOM generation does not respect the user configuration. Syft reads the config from the current working directory, not from the target directory (anchore/syft#2465). Set the working directory to the root of the user's repository to ensure we respect the configuration. Signed-off-by: Adam Cmiel <[email protected]>
chmeliik · Feb 21, 2024 · ed95b04 · ed95b04
1 parent 6bef754
commit ed95b04
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 0 deletions.
diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -330,6 +330,7 @@ spec:
     volumeMounts:
     - mountPath: /var/lib/containers
       name: varlibcontainers
+    workingDir: $(workspaces.source.path)/source
   - computeResources: {}
     image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77
     name: analyse-dependencies-java-sbom

diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml
@@ -98,6 +98,9 @@ spec:
 
   - name: generate-sboms
     image: quay.io/redhat-appstudio/syft:v0.105.0@sha256:32a9d2007f2b042ceec4ef32fa1d90b8d28141822e7d9748f240da9d55c56601
+    # Respect Syft configuration if the user has it in the root of their repository
+    # (need to set the workdir, see https://github.com/anchore/syft/issues/2465)
+    workingDir: $(workspaces.source.path)/source
     script: |
       syft dir:$(workspaces.source.path)/source --output [email protected]=/tmp/files/sbom-source.json
       syft oci-dir:/tmp/files/image --output [email protected]=/tmp/files/sbom-image.json

diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
@@ -238,6 +238,9 @@ spec:
 
   - name: sbom-syft-generate
     image: quay.io/redhat-appstudio/syft:v0.105.0@sha256:32a9d2007f2b042ceec4ef32fa1d90b8d28141822e7d9748f240da9d55c56601
+    # Respect Syft configuration if the user has it in the root of their repository
+    # (need to set the workdir, see https://github.com/anchore/syft/issues/2465)
+    workingDir: $(workspaces.source.path)/source
     script: |
       syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
       find $(cat /workspace/container_path) -xtype l -delete