
ci: update Syft to 0.72.0 and Grype to 0.57.1 #1120

Merged
merged 9 commits into from
Feb 22, 2023

Conversation

Nirusu
Contributor

@Nirusu Nirusu commented Jan 31, 2023

Proposed change(s)

  • Upgrade Syft to 0.69.0
  • Upgrade Grype to 0.56.0

Syft fixed the APK parsing issues in 0.68.1 caused by apko adding empty fields and finally added private key attestation back with 0.69.0. Let's give it a shot, since it should unblock updating the Alpine base images with newer versions of apko again.

Also updating Grype just for the sake of it. It's based on Syft 0.68.1 which should have any parsing issues fixed hopefully. Not the attestation part, but we don't care about that for Grype.

Related issues

Checklist

  • Update docs
  • Add labels (e.g., for changelog category)
  • Link to Milestone

@edgelesssys edgelesssys deleted a comment from netlify bot Jan 31, 2023
@Nirusu
Contributor Author

Nirusu commented Jan 31, 2023

syft attest --key cosign.key ghcr.io/edgelesssys/constellation/joinservice:v2.6.0-pre.0.20230131140552-27cae81bd7bc@sha256:cd33aacb5733f6cb7c9d9694a8d6c5337c78e019274ea1d531e25114f86b537b -o cyclonedx-json
2023/01/31 14:14:16 error during command execution: 1 error occurred:
	* unable to attest SBOM: exit status 1

🤦🏻

Back to draft...

@Nirusu Nirusu marked this pull request as draft January 31, 2023 14:16
@Nirusu Nirusu added the no changelog Change won't be listed in release changelog label Jan 31, 2023
@Nirusu Nirusu added the blocked Blocked by an external cause label Feb 3, 2023
@Nirusu
Contributor Author

Nirusu commented Feb 3, 2023

0.69.0 / 0.69.1 is still not suitable since it hardcodes custom predicates while we use CycloneDX.

This will be fixed in an upcoming release, so blocked until then.

Personally I am still not super happy with the error messages generated by the new updates (just exit codes when something goes wrong) so I hope this will be fixed in some way, but I guess that's better than being blocked on old apko tooling / Alpine base images since errors should still be somewhat debuggable locally, even though that's of course far from ideal.

@Nirusu Nirusu force-pushed the ref/syft-again branch 5 times, most recently from 3fd15ed to f246c70 Compare February 3, 2023 12:52
@Nirusu Nirusu changed the title ci: update Syft to 0.69.0 and Grype to 0.56.0 ci: update Syft to 0.70.0 and Grype to 0.56.0 Feb 6, 2023
@Nirusu Nirusu removed the blocked Blocked by an external cause label Feb 6, 2023
@Nirusu Nirusu marked this pull request as ready for review February 6, 2023 10:51
@Nirusu
Contributor Author

Nirusu commented Feb 6, 2023

Alright, this should be unblocked now. 0.70.0 has all the required fixes.

The only issue left is that, in case it fails, the error messages are not really useful, but it's not super hard to debug this locally.
I hope they fix this, though. Otherwise I can try fixing it myself (since PRs get faster responses than issues ;)), but given they are using a bus for the stdout/stderr output, not really sure what a good fix would look like.

On the other hand, upgrading here means we can unblock upgrading our Alpine base images again since we finally have the fixed APK parser in there :)

@Nirusu
Contributor Author

Nirusu commented Feb 7, 2023

(ping @katexochen)

@katexochen
Member

we can unblock upgrading our Alpine base images again since we finally have the fixed APK parser in there

To what issue are you referring exactly? And which APK parser do you mean? The package hasher for apk?

@katexochen
Member

Ah sorry, you were referring to the apk parser of Syft, right?

@Nirusu
Contributor Author

Nirusu commented Feb 7, 2023

Yes.

@katexochen
Member

Not sure, but this still seems to fail due to syft? https://github.com/edgelesssys/constellation/actions/runs/4122737823

@Nirusu
Contributor Author

Nirusu commented Feb 8, 2023

Good catch, I used another image for testing but for some reason this fails again on another image. No idea why... Will investigate :/

@katexochen
Member

Is this issue again blocked by upstream?

@Nirusu
Contributor Author

Nirusu commented Feb 21, 2023

It's blocked by the fact that some images seem(ed) to work but others don't - the output does not seem to be valid CycloneDX for some of them. Have not investigated yet why this is.

@Nirusu Nirusu force-pushed the ref/syft-again branch 2 times, most recently from 5de8790 to f61cfb6 Compare February 21, 2023 14:59
@Nirusu Nirusu changed the title ci: update Syft to 0.70.0 and Grype to 0.56.0 ci: update Syft to 0.72.0 and Grype to 0.57.1 Feb 21, 2023
@Nirusu
Contributor Author

Nirusu commented Feb 21, 2023

@katexochen
Alright, I just bypassed using "syft attest" and instead call "cosign attest" manually so I can manually specify the predicate type.
This now seems to work, see if you can break it ;)

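The workaround described in the comment above (generate the CycloneDX SBOM with Syft, then attest it with `cosign attest` while naming the predicate type explicitly), with a sanity check that catches the "output is not valid CycloneDX" failure mentioned earlier before anything gets signed. This is an added example, not code from the Constellation repository or its workflow; the tool paths, the key path and the image reference are assumptions, and the sample SBOM is constructed.

```python
"""Added example: syft -> CycloneDX check -> cosign attest with an explicit
predicate type. Not the Constellation workflow itself; paths are assumptions."""
import json
import subprocess
from typing import Optional

# Constructed sample of what `syft <image> -o cyclonedx-json` emits (trimmed).
SAMPLE_SBOM = '{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}'


def syft_sbom_argv(image: str) -> list:
    """Command that writes a CycloneDX JSON SBOM for `image` to stdout."""
    return ["syft", image, "-o", "cyclonedx-json"]


def check_cyclonedx(sbom_json: str) -> Optional[str]:
    """Return None if the document looks like a CycloneDX JSON BOM, otherwise a
    short reason. This is the gate for the 'not valid CycloneDX' case."""
    try:
        doc = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return f"not JSON: {exc.msg}"
    if not isinstance(doc, dict):
        return "top level is not an object"
    if doc.get("bomFormat") != "CycloneDX":
        return f"bomFormat is {doc.get('bomFormat')!r}, expected 'CycloneDX'"
    if not isinstance(doc.get("specVersion"), str):
        return "missing specVersion"
    if not isinstance(doc.get("components"), list):
        return "components is missing or not a list"
    return None


def cosign_attest_argv(image: str, predicate_path: str, key_path: str) -> list:
    """`cosign attest` invocation with --type set explicitly to cyclonedx, so the
    attestation's predicate type does not depend on syft's built-in default."""
    return ["cosign", "attest", "--key", key_path, "--type", "cyclonedx",
            "--predicate", predicate_path, image]


def attest_image(image: str, key_path: str, sbom_path: str = "sbom.cdx.json") -> list:
    """Run all three steps; returns the cosign argv that was executed."""
    sbom = subprocess.run(syft_sbom_argv(image), check=True,
                          capture_output=True, text=True).stdout
    problem = check_cyclonedx(sbom)
    if problem:  # refuse to sign a predicate that is not what we claim it is
        raise RuntimeError(f"refusing to attest {image}: {problem}")
    with open(sbom_path, "w", encoding="utf-8") as fh:
        fh.write(sbom)
    argv = cosign_attest_argv(image, sbom_path, key_path)
    subprocess.run(argv, check=True)
    return argv
```

`attest_image` needs `syft` and `cosign` on PATH; the check and argv helpers run without them.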
Member

@katexochen katexochen left a comment


lgtm

@Nirusu Nirusu merged commit f13f80b into main Feb 22, 2023
@Nirusu Nirusu deleted the ref/syft-again branch February 22, 2023 13:17
@katexochen
Member

@Nirusu
Contributor Author

Nirusu commented Feb 22, 2023

Yes, on it :(
