From b59d68f1ca9e2e7415810bed08dd22b7e724c1ad Mon Sep 17 00:00:00 2001
From: Laurent Goderre
Date: Tue, 3 Oct 2023 10:22:36 -0400
Subject: [PATCH] Added inline SBOM for binaries downloaded outside package manager

---
 .gitignore | 1 +
 24/cli/Dockerfile | 12 +++++++---
 24/dind-rootless/Dockerfile | 4 ++++
 24/dind/Dockerfile | 5 ++++-
 Dockerfile-cli.template | 37 ++++++++++++++++++++++++++++---
 Dockerfile-dind-rootless.template | 4 ++++
 Dockerfile-dind.template | 18 ++++++++++++++-
 apply-templates.sh | 7 ++++++
 versions.json | 1 +
 versions.sh | 4 ++++
 10 files changed, 85 insertions(+), 8 deletions(-)

diff --git a/.gitignore b/.gitignore
index d548f66de..8d7ef866f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .jq-template.awk
+.template-helper-functions.jq
\ No newline at end of file
diff --git a/24/cli/Dockerfile b/24/cli/Dockerfile
index f02af6dc1..a9fe3f334 100644
--- a/24/cli/Dockerfile
+++ b/24/cli/Dockerfile
@@ -49,7 +49,9 @@ RUN set -eux; \
 ; \
 rm docker.tgz; \
 \
- docker --version
+ docker --version; \
+ \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"docker-sbom","packages":[{"name":"docker","versionInfo":"24.0.6","SPDXID":"SPDXRef-Package--docker","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/docker@24.0.6?os_name=alpine&os_version=3.18"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/docker.spdx.json ;
 
 ENV DOCKER_BUILDX_VERSION 0.11.2
 RUN set -eux; \
@@ -95,7 +97,9 @@ RUN set -eux; \
 mv -vT 'docker-buildx' "$plugin"; \
 chmod +x "$plugin"; \
 \
- docker buildx version
+ docker buildx version; \
+ \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"buildx-sbom","packages":[{"name":"buildx","versionInfo":"0.11.2","SPDXID":"SPDXRef-Package--buildx","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/buildx@0.11.2?os_name=alpine&os_version=3.18"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/docker-buildx.spdx.json ;
 
 ENV DOCKER_COMPOSE_VERSION 2.22.0
 RUN set -eux; \
@@ -143,7 +147,9 @@ RUN set -eux; \
 \
 ln -sv "$plugin" /usr/local/bin/; \
 docker-compose --version; \
- docker compose version
+ docker compose version; \
+ \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"compose-sbom","packages":[{"name":"compose","versionInfo":"2.22.0","SPDXID":"SPDXRef-Package--compose","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/compose@2.22.0?os_name=alpine&os_version=3.18"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/docker-compose.spdx.json ;
 
 COPY modprobe.sh /usr/local/bin/modprobe
 COPY docker-entrypoint.sh /usr/local/bin/
diff --git a/24/dind-rootless/Dockerfile b/24/dind-rootless/Dockerfile
index 766214d1f..8f01ce564 100644
--- a/24/dind-rootless/Dockerfile
+++ b/24/dind-rootless/Dockerfile
@@ -44,6 +44,10 @@ RUN set -eux; \
 ; \
 rm rootless.tgz; \
 \
+ dockerd --version; \
+ containerd --version; \
+ ctr --version; \
+ runc --version; \
 rootlesskit --version; \
 vpnkit --version
 
diff --git a/24/dind/Dockerfile b/24/dind/Dockerfile
index 8733b1481..912f15f95 100644
--- a/24/dind/Dockerfile
+++ b/24/dind/Dockerfile
@@ -71,7 +71,10 @@ RUN set -eux; \
 dockerd --version; \
 containerd --version; \
 ctr --version; \
- runc --version
+ runc --version; \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"dockerd-sbom","packages":[{"name":"dockerd","versionInfo":"24.0.6","SPDXID":"SPDXRef-Package--dockerd","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/dockerd@24.0.6?os_name=alpine&os_version=3.18"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/dockerd.spdx.json; \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"docker-init-sbom","packages":[{"name":"docker-init","versionInfo":"24.0.6","SPDXID":"SPDXRef-Package--docker-init","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/docker-init@24.0.6?os_name=alpine&os_version=3.18"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/docker-init.spdx.json; \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"docker-proxy-sbom","packages":[{"name":"docker-proxy","versionInfo":"24.0.6","SPDXID":"SPDXRef-Package--docker-proxy","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/docker-proxy@24.0.6?os_name=alpine&os_version=3.18"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/docker-proxy.spdx.json;
 
 # https://github.com/docker/docker/tree/master/hack/dind
 ENV DIND_COMMIT d58df1fc6c866447ce2cd129af10e5b507705624
diff --git a/Dockerfile-cli.template b/Dockerfile-cli.template
index 1ae00e841..683fa353b 100644
--- a/Dockerfile-cli.template
+++ b/Dockerfile-cli.template
@@ -1,5 +1,6 @@
 {{ include "shared" -}}
-FROM alpine:3.18
+{{ include ".template-helper-functions" -}}
+FROM alpine:{{ .alpine }}
 
 RUN apk add --no-cache \
 ca-certificates \
@@ -34,7 +35,22 @@ RUN set -eux; \
 ; \
 rm docker.tgz; \
 \
- docker --version
+ docker --version; \
+ \
+ echo {{
+ {
+ name: "docker",
+ version: .version,
+ supplier: "Organization: Docker, Inc",
+ params: {
+ os_name: "alpine",
+ os_version: .alpine
+ },
+ licenses: [
+ "Apache-2.0"
+ ]
+ } | sbom | tostring | @sh
+ }} > /usr/local/docker.spdx.json ;
 {{
 {
 buildx: .buildx,
@@ -66,7 +82,22 @@ RUN set -eux; \
 ln -sv "$plugin" /usr/local/bin/; \
 docker-{{ $key }} --version; \
 {{ ) else "" end -}}
- docker {{ $key }} version
+ docker {{ $key }} version; \
+ \
+ echo {{
+ {
+ name: $key,
+ version: .version,
+ supplier: "Organization: Docker, Inc",
+ params: {
+ os_name: "alpine",
+ os_version: "3.18"
+ },
+ licenses: [
+ "Apache-2.0"
+ ]
+ } | sbom | tostring | @sh
+ }} > /usr/local/docker-{{ $key }}.spdx.json ;
 {{
 )
 )
diff --git a/Dockerfile-dind-rootless.template b/Dockerfile-dind-rootless.template
index 3d9c76782..655874af0 100644
--- a/Dockerfile-dind-rootless.template
+++ b/Dockerfile-dind-rootless.template
@@ -35,6 +35,10 @@ RUN set -eux; \
 ; \
 rm rootless.tgz; \
 \
+ dockerd --version; \
+ containerd --version; \
+ ctr --version; \
+ runc --version; \
 rootlesskit --version; \
 vpnkit --version
 
diff --git a/Dockerfile-dind.template b/Dockerfile-dind.template
index f8b585328..1a89982a4 100644
--- a/Dockerfile-dind.template
+++ b/Dockerfile-dind.template
@@ -1,4 +1,5 @@
 {{ include "shared" -}}
+{{ include ".template-helper-functions" -}}
 FROM docker:{{ env.version }}-cli
 
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
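Review bot: The second hunk (`@@ -66,7 +82,22 @@`) hardcodes `os_version: "3.18"` in the buildx/compose SBOM entry, while the first hunk's docker entry reads `.alpine` and this same commit makes the `FROM` line read `{{ .alpine }}`; once versions.json bumps `alpine`, the plugin purls will carry a stale `os_version` qualifier and no longer describe the image they ship in. Change it to `os_version: .alpine` here and in the Dockerfile-dind.template hunk, which hardcodes `"3.18"` the same way (that template already reads `.version` and `.dindCommit` from the same versions.json entry, so `.alpine` should be in scope there too — worth confirming). The RUN instruction these lines belong to starts outside both hunks.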
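Review bot: In the Dockerfile-dind-rootless.template hunk, rootlesskit and vpnkit — extracted from rootless.tgz by the surrounding RUN, i.e. fetched outside the package manager — still get only a `--version` smoke check and no `.spdx.json` record, unlike the cli and dind binaries covered by this commit. If that is deliberate (the rootless image presumably builds on the dind image, so dockerd/containerd/ctr/runc are already described there), a one-line comment above `rootlesskit --version; \` saying so would stop the next reader from assuming the SBOM coverage is complete; otherwise the same `sbom` helper call used in the cli template fits here. The RUN instruction starts outside the hunk.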
@@ -56,7 +57,22 @@ RUN set -eux; \
 dockerd --version; \
 containerd --version; \
 ctr --version; \
- runc --version
+ runc --version; \
+{{ .version as $version | ["dockerd", "docker-init", "docker-proxy"] | map( . as $binary | ( -}}
+ echo {{
+ {
+ name: $binary,
+ version: $version,
+ supplier: "Organization: Docker, Inc",
+ params: {
+ os_name: "alpine",
+ os_version: "3.18"
+ },
+ licenses: [
+ "Apache-2.0"
+ ]
+ } | sbom | tostring | @sh
+ }} > /usr/local/{{ $binary }}.spdx.json; {{ )) | join("\\\n") }}
 
 # https://github.com/docker/docker/tree/master/hack/dind
 ENV DIND_COMMIT {{ .dindCommit }}
diff --git a/apply-templates.sh b/apply-templates.sh
index f11612fb5..8a34b6f9a 100755
--- a/apply-templates.sh
+++ b/apply-templates.sh
@@ -11,6 +11,13 @@ elif [ "$BASH_SOURCE" -nt "$jqt" ]; then
 wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/9f6a35772ac863a0241f147c820354e4008edf38/scripts/jq-template.awk'
 fi
 
+jqf='.template-helper-functions.jq'
+if [ -n "${BASHBREW_SCRIPTS:-}" ]; then
+ jqf="$BASHBREW_SCRIPTS/template-helper-functions.jq"
+elif [ "$BASH_SOURCE" -nt "$jqf" ]; then
+ wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/master/scripts/template-helper-functions.jq'
+fi
+
 if [ "$#" -eq 0 ]; then
 versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)"
 eval "set -- $versions"
diff --git a/versions.json b/versions.json
index 5a9cf00e3..c016edafb 100644
--- a/versions.json
+++ b/versions.json
@@ -1,5 +1,6 @@
 {
 "24": {
+ "alpine": "3.18",
 "arches": {
 "amd64": {
 "dockerUrl": "https://download.docker.com/linux/static/stable/x86_64/docker-24.0.6.tgz",
diff --git a/versions.sh b/versions.sh
index 44274cd57..597b2186f 100755
--- a/versions.sh
+++ b/versions.sh
@@ -14,6 +14,8 @@ declare -A dockerArches=(
 
 cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
 
+defaultAlpine='3.18'
+
 versions=( "$@" )
 if [ ${#versions[@]} -eq 0 ]; then
 versions=( */ )
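Review bot: docker-init and docker-proxy are recorded with `version: $version`, i.e. the engine version, so their purls become `pkg:generic/docker-init@24.0.6` and `pkg:generic/docker-proxy@24.0.6` (visible in the generated 24/dind/Dockerfile hunk). If docker-init is a separately versioned upstream component bundled into the static tarball (it is commonly a tini build), an SBOM consumer matching advisories by purl will never match it under the engine's version; either record the component's own name and version, or add a comment above the `{{ .version as $version ...` line stating that the engine version is used for all three deliberately. What the `sbom` helper from .template-helper-functions actually emits (the generated JSON shows no `supplier` field although the template passes one) cannot be checked from this patch, since the helper is fetched at render time.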
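Review bot: In the apply-templates.sh hunk, `wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/master/scripts/template-helper-functions.jq'` fetches jq code from the mutable `master` ref, whereas the jq-template.awk download in the context lines above is pinned to commit `9f6a35772ac863a0241f147c820354e4008edf38`; whatever that branch serves at render time shapes every generated Dockerfile, so an upstream change or compromise silently alters the SBOM output with no diff in this repository. Pin it the same way: `wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/<PINNED_COMMIT_SHA>/scripts/template-helper-functions.jq'` (placeholder; use the bashbrew commit the templates were tested against). Note that the `elif [ "$BASH_SOURCE" -nt "$jqf" ]` refresh only re-downloads when this script is newer than the cached copy, so bumping the pin means touching this file, which is how the existing `$jqt` block already works.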
@@ -203,9 +205,11 @@ for version in "${versions[@]}"; do
 echo "$version: $fullVersion (buildx $buildxVersion, compose $composeVersion)"
 export fullVersion dindLatest
+ export defaultAlpine
 doc="$(
 jq -nc --argjson buildx "$buildx" --argjson compose "$compose" '{
 version: env.fullVersion,
+ alpine: env.defaultAlpine,
 arches: {},
 dindCommit: env.dindLatest,
 buildx: $buildx,
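Review bot: `export defaultAlpine` is placed inside the `for version in "${versions[@]}"` loop (per the hunk header) although the value is a file-level constant set once in the earlier hunk (`defaultAlpine='3.18'`); exporting at the definition, `export defaultAlpine='3.18'`, keeps the env hand-off to `jq -nc` next to the value and avoids re-exporting on every iteration. The name suggests a per-version override might exist, but none does, so a short comment at the definition saying the Alpine base is shared by all versions in versions.json would help the next maintainer.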