From fdf89ee84bcfdecfc6a29d86f1c7d72d2d1700a2 Mon Sep 17 00:00:00 2001
From: Laurent Goderre
Date: Tue, 3 Oct 2023 10:22:36 -0400
Subject: [PATCH] Added inline SBOM for binaries downloaded outside package manager

---
 .gitignore | 1 +
 24/cli/Dockerfile | 7 ++++++-
 Dockerfile-cli.template | 33 +++++++++++++++++++++++++++++++--
 apply-templates.sh | 5 +++++
 versions.json | 1 +
 versions.sh | 4 ++++
 6 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index d548f66de..04413790f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .jq-template.awk
+template-helper-functions.jq
\ No newline at end of file
diff --git a/24/cli/Dockerfile b/24/cli/Dockerfile
index f02af6dc1..a162a76a1 100644
--- a/24/cli/Dockerfile
+++ b/24/cli/Dockerfile
@@ -4,6 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+
 FROM alpine:3.18
 
 RUN apk add --no-cache \
@@ -49,7 +50,9 @@ RUN set -eux; \
 ; \
 rm docker.tgz; \
 \
- docker --version
+ docker --version; \
+ \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"docker-sbom","packages":[{"name":"docker","versionInfo":"24.0.6","SPDXID":"SPDXRef-Package--docker","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/docker@24.0.6?os_name=alpine&os_version=3.18"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/bin/docker.spdx.json ;
 
 ENV DOCKER_BUILDX_VERSION 0.11.2
 RUN set -eux; \
@@ -143,6 +146,8 @@ RUN set -eux; \
 \
 ln -sv "$plugin" /usr/local/bin/; \
 docker-compose --version; \
+ \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"docker-compose-sbom","packages":[{"name":"docker-compose","versionInfo":"2.22.0","SPDXID":"SPDXRef-Package--docker-compose","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/docker-compose@2.22.0?os_name=alpine&os_version=3.18"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/bin/docker-compose.spdx.json ; \
 docker compose version
 
 COPY modprobe.sh /usr/local/bin/modprobe
diff --git a/Dockerfile-cli.template b/Dockerfile-cli.template
index 1ae00e841..a5593e433 100644
--- a/Dockerfile-cli.template
+++ b/Dockerfile-cli.template
@@ -1,5 +1,6 @@
 {{ include "shared" -}}
-FROM alpine:3.18
+{{ include "template-helper-functions" }}
+FROM alpine:{{ .alpine }}
 
 RUN apk add --no-cache \
 ca-certificates \
@@ -34,7 +35,21 @@ RUN set -eux; \
 ; \
 rm docker.tgz; \
 \
- docker --version
+ docker --version; \
+ \
+ echo '{{
+ {
+ name: "docker",
+ version: .version,
+ params: {
+ os_name: "alpine",
+ os_version: .alpine
+ },
+ licenses: [
+ "Apache-2.0"
+ ]
+ } | sbom | tostring
+ }}' > /usr/local/bin/docker.spdx.json ;
 {{
 {
 buildx: .buildx,
@@ -65,6 +80,20 @@ RUN set -eux; \
 {{ if $key == "compose" then ( -}}
 ln -sv "$plugin" /usr/local/bin/; \
 docker-{{ $key }} --version; \
+ \
+ echo '{{
+ {
+ name: ("docker-" + $key),
+ version: .version,
+ params: {
+ os_name: "alpine",
+ os_version: "3.18"
+ },
+ licenses: [
+ "Apache-2.0"
+ ]
+ } | sbom | tostring
+ }}' > /usr/local/bin/docker-{{ $key }}.spdx.json ; \
 {{ ) else "" end -}}
 docker {{ $key }} version
 {{
diff --git a/apply-templates.sh b/apply-templates.sh
index f11612fb5..53b89c97d 100755
--- a/apply-templates.sh
+++ b/apply-templates.sh
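Review bot: The new `{{ include "template-helper-functions" }}` line in the first Dockerfile-cli.template hunk lacks the trailing `-}}` whitespace trim that the `{{ include "shared" -}}` line directly above it uses, so the newline after the directive survives into the rendered output; the generated 24/cli/Dockerfile hunk earlier in this patch shows the resulting stray empty line added before `FROM alpine:3.18`. Writing it as `{{ include "template-helper-functions" -}}` should keep the generated header byte-identical to what it was while still loading the helper.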
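Review bot: `os_version: "3.18"` in the compose SBOM (hunk @@ -65,6 +80,20 @@) is hard-coded while the docker SBOM in the previous hunk and the `FROM alpine:{{ .alpine }}` line now take the value from `.alpine`, so the next Alpine bump will leave the compose purl (`os_version=3.18` in the generated 24/cli/Dockerfile) reporting the wrong base image and the SBOM misattributing the artifact. This is probably not a one-token change: the generated `versionInfo` of 2.22.0 for `version: .version` suggests that `.` inside the plugin loop is the plugin entry rather than the top-level document, in which case `.alpine` would silently render as null. Bind the value in the enclosing scope, which begins outside this hunk, e.g. `.alpine as $alpine` before the loop, and write `os_version: $alpine` here.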
@@ -11,6 +11,11 @@ elif [ "$BASH_SOURCE" -nt "$jqt" ]; then
 wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/9f6a35772ac863a0241f147c820354e4008edf38/scripts/jq-template.awk'
 fi
 
+jqf='template-helper-functions.jq'
+if [ "$BASH_SOURCE" -nt "$jqf" ]; then
+ wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/master/scripts/template-helper-functions.jq'
+fi
+
 if [ "$#" -eq 0 ]; then
 versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)"
 eval "set -- $versions"
diff --git a/versions.json b/versions.json
index 5a9cf00e3..c016edafb 100644
--- a/versions.json
+++ b/versions.json
@@ -1,5 +1,6 @@
 {
 "24": {
+ "alpine": "3.18",
 "arches": {
 "amd64": {
 "dockerUrl": "https://download.docker.com/linux/static/stable/x86_64/docker-24.0.6.tgz",
diff --git a/versions.sh b/versions.sh
index 44274cd57..597b2186f 100755
--- a/versions.sh
+++ b/versions.sh
@@ -14,6 +14,8 @@ declare -A dockerArches=(
 
 cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
 
+defaultAlpine='3.18'
+
 versions=( "$@" )
 if [ ${#versions[@]} -eq 0 ]; then
 versions=( */ )
@@ -203,9 +205,11 @@ for version in "${versions[@]}"; do
 echo "$version: $fullVersion (buildx $buildxVersion, compose $composeVersion)"
 
 export fullVersion dindLatest
+ export defaultAlpine
 doc="$(
 jq -nc --argjson buildx "$buildx" --argjson compose "$compose" '{
 version: env.fullVersion,
+ alpine: env.defaultAlpine,
 arches: {},
 dindCommit: env.dindLatest,
 buildx: $buildx,
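Review bot: The new wget in the apply-templates.sh hunk fetches template-helper-functions.jq from the moving `master` branch, whereas the jq-template.awk fetch two lines above it is pinned to commit 9f6a35772ac863a0241f147c820354e4008edf38. This helper is executed by jq to render every Dockerfile and the SBOM JSON embedded in it, so an upstream change or a compromised upstream silently alters the generated output and makes a later rebuild non-reproducible; the `-nt` guard means the divergence only appears whenever the script happens to be newer than the cached copy, which makes it hard to notice. Pin it the same way as the line above, `wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/<PINNED_COMMIT>/scripts/template-helper-functions.jq'`, and verifying the download against a known checksum before it is used would close the gap fully.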