chore: bump buildkit 0.12.0 and trivy 0.43.0 (#221)
sozercan authored Jul 26, 2023
1 parent b86106d commit 049b07e
Showing 8 changed files with 88 additions and 72 deletions.
4 changes: 2 additions & 2 deletions .devcontainer/Dockerfile
Expand Up @@ -8,10 +8,10 @@ FROM mcr.microsoft.com/vscode/devcontainers/go:0-${VARIANT}
ARG NODE_VERSION="none"

# [Choice] Trivy version: see https://github.com/aquasecurity/trivy/releases. Must be >0.20.0.
ARG TRIVY_VERSION="0.42.0"
ARG TRIVY_VERSION="0.43.1"

# [Choice] Buildkit version: see https://github.com/moby/buildkit/releases. Must be >0.10.3.
ARG BUILDKIT_VERSION="0.11.6"
ARG BUILDKIT_VERSION="0.12.0"

# Optionally install nodejs if specified
RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi
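Review bot: the pinned `TRIVY_VERSION="0.43.1"` on the changed ARG line does not match the commit title, which says trivy 0.43.0; one of the two should be corrected so the recorded version is unambiguous. While these lines are being touched, the `Must be >0.10.3` floor in the Buildkit comment is now far below the pinned 0.12.0; if 0.12.0 is actually required by this change (build.yml and go.mod move to it as well), raise the floor in the comment so the constraint stays meaningful.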
3 changes: 2 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -132,13 +132,14 @@ jobs:
push: never
env: |
BUILDKIT_PORT=30321
BUILDKIT_VERSION=0.12.0
runCmd: |
set -e
echo "[INFO]: Patching ${{ matrix.distro }} image with: ${{ matrix.description }}"
echo "[INFO]: Scanning image with trivy ..."
trivy image --vuln-type os --ignore-unfixed --scanners vuln -f json -o scan.json "${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}" --exit-on-eol 1 --ignore-policy trivy_ignore.rego
echo "[INFO]: Start buildkitd in the background ..."
docker run --detach --rm --privileged -p 0.0.0.0:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp --name buildkitd --entrypoint buildkitd "moby/buildkit:v0.11.0" --addr tcp://0.0.0.0:$BUILDKIT_PORT
docker run --detach --rm --privileged -p 0.0.0.0:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp --name buildkitd --entrypoint buildkitd "moby/buildkit:v$BUILDKIT_VERSION" --addr tcp://0.0.0.0:$BUILDKIT_PORT
docker stats buildkitd --no-stream
sudo lsof -nP -iTCP -sTCP:LISTEN
echo "[INFO]: Run copa on target ..."
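Review bot: moving the buildkitd image tag into `BUILDKIT_VERSION` removes the stale hardcoded v0.11.0, but the value 0.12.0 is now repeated in this workflow, .devcontainer/Dockerfile, demo/copa-demo.sh and docs/tutorials/patch.md with no single source, so the next bump is likely to miss one; consider deriving it from one place. The image is still pinned by tag only, `"moby/buildkit:v$BUILDKIT_VERSION"`; for a daemon started with `--privileged` in CI, pinning by digest (`moby/buildkit:v0.12.0@sha256:<digest placeholder>`) would make the run reproducible and immune to a moved tag. The daemon also listens on `tcp://0.0.0.0:$BUILDKIT_PORT` without TLS, which is acceptable on an ephemeral runner but worth a one-line comment so the invocation is not copied unchanged into a long-lived environment.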
6 changes: 3 additions & 3 deletions demo/copa-demo.sh
Expand Up @@ -20,15 +20,15 @@ p "Use Trivy to output the number of vulnerabilities in the nginx:1.21.6 contain
pei "trivy image --vuln-type os --ignore-unfixed nginx:1.21.6 | grep Total"

p "Run buildkit in a container locally, we'll need it to run copa"
pei "docker run --detach --rm --privileged -p 127.0.0.1:8888:8888/tcp --name buildkitd --entrypoint buildkitd moby/buildkit:v0.11.4 --addr tcp://0.0.0.0:8888"
pei "docker run --detach --rm --privileged -p 127.0.0.1:8888:8888/tcp --name buildkitd --entrypoint buildkitd moby/buildkit:v0.12.0 --addr tcp://0.0.0.0:8888"

p "Confirm the buildkit container is running"
pei "docker ps"

p "Use copa to patch the nginx:1.21.6 container image outputting the patched container image to nginx:1.21.6-patched"
pei "copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched -a tcp://0.0.0.0:8888"

p "Check that the nginx:1.21.6-patched container image is present locally"
p "Check that the nginx:1.21.6-patched container image is present locally"
pei "docker images"

p "Use Trivy to scan the nginx:1.21.6-patched container image"
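Review bot: the bump to `moby/buildkit:v0.12.0` keeps a third independent copy of the version in the repository; a `BUILDKIT_VERSION` variable, as build.yml now uses, would let this demo follow the next bump automatically. Separately, the container publishes the port on `127.0.0.1:8888` while the copa line connects with `-a tcp://0.0.0.0:8888`; connecting to 0.0.0.0 reaches the local host on common platforms, but `tcp://127.0.0.1:8888` states the intent and matches the bind address shown two lines earlier.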
Expand All @@ -37,6 +37,6 @@ pei "trivy image --vuln-type os --ignore-unfixed nginx:1.21.6-patched | grep Tot
p "Verify that the patched container image runs"
pei "docker run nginx:1.21.6-patched"

p "Learn more about Copa at - https://github.com/project-copacetic/copacetic"
p "Learn more about Copa at - https://github.com/project-copacetic/copacetic"


2 changes: 1 addition & 1 deletion docs/tutorials/patch.md
Expand Up @@ -40,7 +40,7 @@ This sample illustrates how to [patch containers using vulnerability reports](..
Alternatively, you can run `buildkitd` in a container, which allows copa to be run without root access to the local buildkit socket:

```bash
export BUILDKIT_VERSION=v0.11.4
export BUILDKIT_VERSION=v0.12.0
export BUILDKIT_PORT=8888
docker run \
--detach \
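Review bot: `export BUILDKIT_VERSION=v0.12.0` carries the `v` prefix inside the variable, whereas .github/workflows/build.yml stores `0.12.0` and adds the prefix at the image reference (`v$BUILDKIT_VERSION`); pick one convention for both so a user copying between the tutorial and the workflow does not end up with `vv0.12.0` or a missing prefix.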
39 changes: 22 additions & 17 deletions go.mod
Expand Up @@ -5,17 +5,17 @@ go 1.20
require (
github.com/Masterminds/semver/v3 v3.2.1
github.com/antchfx/xmlquery v1.3.17
github.com/aquasecurity/trivy v0.32.1
github.com/aquasecurity/trivy v0.43.1
github.com/containerd/console v1.0.3
github.com/containerd/containerd v1.7.2
github.com/distribution/distribution v2.8.2+incompatible
github.com/docker/cli v23.0.6+incompatible
github.com/docker/cli v24.0.2+incompatible
github.com/google/go-containerregistry v0.15.2
github.com/hashicorp/go-multierror v1.1.1
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422
github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
github.com/moby/buildkit v0.11.6
github.com/moby/buildkit v0.12.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0-rc4
github.com/sirupsen/logrus v1.9.3
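Review bot: `github.com/aquasecurity/trivy v0.43.1` is a jump across eleven minor releases from v0.32.1, and the commit title says 0.43.0; the title should name 0.43.1 to match this line, and the PR description should state whether copa's handling of the trivy JSON report was exercised against the new version, since the workflow in this same commit feeds `scan.json` from the bumped scanner into copa.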
Expand All @@ -28,20 +28,19 @@ require (
require (
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/antchfx/xpath v1.2.4 // indirect
github.com/aquasecurity/trivy-db v0.0.0-20230116084806-4bcdf1c414d0 // indirect
github.com/caarlos0/env/v6 v6.10.1 // indirect
github.com/aquasecurity/trivy-db v0.0.0-20230703082116-dc52e83376ce // indirect
github.com/containerd/continuity v0.4.1 // indirect
github.com/containerd/ttrpc v1.2.2 // indirect
github.com/containerd/typeurl v1.0.2 // indirect
github.com/containerd/typeurl/v2 v2.1.1 // indirect
github.com/cyphar/filepath-securejoin v0.2.3 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/docker/distribution v2.8.2+incompatible // indirect
github.com/docker/docker v23.0.5+incompatible // indirect
github.com/docker/docker v24.0.0-rc.2.0.20230706181717-98d3da79ef9c+incompatible // indirect
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/go-logr/logr v1.2.4 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/gofrs/flock v0.8.1 // indirect
github.com/gogo/googleapis v1.4.1 // indirect
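Review bot: `github.com/docker/docker v24.0.0-rc.2.0.20230706181717-98d3da79ef9c+incompatible` is a pseudo-version off a commit while `github.com/docker/cli` in the first require block is the tagged v24.0.2; if the pseudo-version is forced by buildkit v0.12.0's own requirement, record that in a `//` comment on the line so it is not "fixed" back to a tag later, otherwise prefer a tagged release. This hunk also drops `github.com/caarlos0/env/v6` and `github.com/anchore/go-struct-converter` and moves `trivy-db` to a 2023-07 snapshot; go.sum is counted among the eight changed files but not shown on this page, so the checksum side of these changes cannot be reviewed here.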
Expand All @@ -51,9 +50,10 @@ require (
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/in-toto/in-toto-golang v0.9.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/klauspost/compress v1.16.5 // indirect
github.com/magiconair/properties v1.8.7 // indirect
Expand All @@ -65,32 +65,37 @@ require (
github.com/pelletier/go-toml/v2 v2.0.8 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/samber/lo v1.38.1 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.6.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/spdx/tools-golang v0.5.1 // indirect
github.com/spf13/afero v1.9.5 // indirect
github.com/spf13/cast v1.5.1 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/subosito/gotenv v1.4.2 // indirect
github.com/tonistiigi/fsutil v0.0.0-20230105215944-fb433841cbfa // indirect
github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb // indirect
github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f // indirect
github.com/tonistiigi/vt100 v0.0.0-20230623042737-f9a4f7ef6531 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 // indirect
go.opentelemetry.io/otel v1.14.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 // indirect
go.opentelemetry.io/otel/metric v0.37.0 // indirect
go.opentelemetry.io/otel/sdk v1.14.0 // indirect
go.opentelemetry.io/otel/trace v1.14.0 // indirect
go.opentelemetry.io/proto/otlp v0.19.0 // indirect
golang.org/x/crypto v0.9.0 // indirect
golang.org/x/mod v0.10.0 // indirect
golang.org/x/net v0.10.0 // indirect
golang.org/x/sys v0.8.0 // indirect
golang.org/x/text v0.9.0 // indirect
golang.org/x/crypto v0.10.0 // indirect
golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
golang.org/x/mod v0.11.0 // indirect
golang.org/x/net v0.11.0 // indirect
golang.org/x/sys v0.9.0 // indirect
golang.org/x/text v0.10.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.9.1 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
google.golang.org/grpc v1.55.0 // indirect
google.golang.org/protobuf v1.30.0 // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
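Review bot: the new indirect requirements `github.com/samber/lo`, `github.com/secure-systems-lab/go-securesystemslib`, `github.com/shibumi/go-pathspec`, `github.com/spdx/tools-golang` and a `golang.org/x/exp` pseudo-version (together with `github.com/in-toto/in-toto-golang` in the previous hunk) widen the module graph noticeably; since the purpose of this commit is a scanner upgrade, it would be worth running `govulncheck ./...` against the bumped graph before merge and noting the result in the PR, and running `go mod tidy` to confirm none of the retained indirects are now unused.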

0 comments on commit 049b07e