ci: update Syft to 0.72.0 and Grype to 0.57.1 #1120
Conversation
syft attest --key cosign.key ghcr.io/edgelesssys/constellation/joinservice:v2.6.0-pre.0.20230131140552-27cae81bd7bc@sha256:cd33aacb5733f6cb7c9d9694a8d6c5337c78e019274ea1d531e25114f86b537b -o cyclonedx-json
2023/01/31 14:14:16 error during command execution: 1 error occurred:
* unable to attest SBOM: exit status 1

🤦🏻 Back to draft...
0.69.0 / 0.69.1 is still not suitable since it hardcodes This will be fixed in an upcoming release, so blocked until then. Personally I am still not super happy with the error messages generated by the new updates (just exit codes when something goes wrong), so I hope this will be fixed in some way, but I guess that's better than being blocked on old apko tooling / Alpine base images, since errors should still be somewhat debuggable locally, even though that's of course far from ideal.
Alright, this should be unblocked now. 0.70.0 has all the required fixes. The only remaining issue is that, in case it fails, the error messages are not really useful, but it's not super hard to debug this locally. On the other hand, upgrading here means we can unblock upgrading our Alpine base images again, since we finally have the fixed APK parser in there :)
(ping @katexochen)
To what issue are you referring exactly? And which APK parser do you mean? The package hasher for apk?
Ah sorry, you were referring to the apk parser of Syft, right?
Yes.
Not sure, but this still seems to fail due to syft? https://github.com/edgelesssys/constellation/actions/runs/4122737823 |
Good catch, I used another image for testing, but for some reason this fails again on another image. No idea why... Will investigate :/
Is this issue again blocked by upstream? |
It's blocked by the fact that some images seem(ed) to work but others don't - the output does not seem to be valid CycloneDX for some of them. Have not investigated yet why this is.
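A quick way to tell apart "syft exited non-zero" from "syft wrote something that is not a CycloneDX BOM" is to run a structural check over the produced JSON. The following is an added example, not code from this PR or from Syft; it assumes the output is a bare CycloneDX JSON BOM (the `-o cyclonedx-json` shape) and checks the fields the CycloneDX JSON schema requires, with constructed sample documents inline.

```python
import json
import sys
from typing import List

# Constructed sample: a minimal CycloneDX 1.4 BOM with one Alpine package.
GOOD_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.3",
         "purl": "pkg:apk/alpine/musl@1.2.3"},
    ],
})

# Constructed sample of a broken document: no bomFormat, component without a name.
BAD_BOM = json.dumps({
    "specVersion": "1.4",
    "components": [{"type": "library", "version": "1.0"}],
})


def check_cyclonedx(text: str) -> List[str]:
    """Return the structural problems found; an empty list means the BOM passed."""
    problems: List[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(doc, dict):
        return ["top-level value is not an object"]
    # bomFormat and specVersion are required by the CycloneDX JSON schema.
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is missing or not 'CycloneDX'")
    if not isinstance(doc.get("specVersion"), str):
        problems.append("specVersion is missing")
    # components is optional in the schema, but an image SBOM without it is useless,
    # so this check (an assumption of this example) treats its absence as a problem.
    components = doc.get("components")
    if not isinstance(components, list):
        problems.append("components is missing or not an array")
        return problems
    for i, comp in enumerate(components):
        if not isinstance(comp, dict):
            problems.append(f"components[{i}] is not an object")
            continue
        for field in ("type", "name"):  # required for every component entry
            if not isinstance(comp.get(field), str) or not comp[field]:
                problems.append(f"components[{i}] is missing required field '{field}'")
    return problems


if __name__ == "__main__":
    # Usage: syft ... -o cyclonedx-json | python3 check_bom.py
    found = check_cyclonedx(sys.stdin.read())
    for p in found:
        print("problem:", p)
    sys.exit(1 if found else 0)
```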
@katexochen
lgtm
Yes, on it :(
Proposed change(s)
Syft fixed the APK parsing issues in 0.68.1 caused by apko adding empty fields and finally added private key attestation back with 0.69.0. Let's give it a shot, since it should unblock updating the Alpine base images with newer versions of apko again.
Also updating Grype just for the sake of it. It's based on Syft 0.68.1, which should hopefully have any parsing issues fixed. Not the attestation part, but we don't care about that for Grype.
Related issues
Checklist