From 9f35e8a2ace10cfd48b5f7ea339dcfd7c7cb3f79 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 10 Jun 2025 13:22:20 -0400
Subject: [PATCH] Builder.sbomScan(): don't break non-root scanners

Set up permissions on the scanner output directory so that scanners whose images specify that they be run as non-root users can still write to it. The most recent syft image exposed our bug.

Signed-off-by: Nalin Dahyabhai
---
 scan.go | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/scan.go b/scan.go
index 0ae88768f..c01baace1 100644
--- a/scan.go
+++ b/scan.go
@@ -52,6 +52,13 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
 			}
 		}
 	}()
+	scansSubdir := filepath.Join(scansDir, "scans")
+	if err = os.Mkdir(scansSubdir, 0o700); err != nil {
+		return nil, nil, "", err
+	}
+	if err = os.Chmod(scansSubdir, 0o777); err != nil {
+		return nil, nil, "", err
+	}
 
 	// We may be producing sets of outputs using temporary containers, and
 	// there's no need to create more than one container for any one
@@ -127,7 +134,7 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
 		// Our temporary directory, read-write.
 		{
 			Type:        define.TypeBind,
-			Source:      scansDir,
+			Source:      scansSubdir,
 			Destination: scansTargetDir,
 			Options:     []string{"rw", "z"},
 		},
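Review bot: The `os.Chmod(scansSubdir, 0o777)` in the first hunk makes the scanner output directory world-writable with no explanation, which is exactly what gosec (G302) and the next maintainer will flag, so it needs a why-comment such as `// The scanner image may run as an arbitrary non-root UID we can't predict, so the bind-mounted output directory must be writable by anyone; Mkdir is followed by Chmod because the umask would otherwise strip the bits.` The exposure on the host is contained only if scansDir itself is a private (0o700) temporary directory that other local users cannot traverse — it is created before this hunk, so that should be confirmed there and stated in the comment. It is also worth noting that any UID inside the scanner container can now create entries under scansSubdir, so the result files read back later (`sbomResult`, `purlResult`, `resultFiles`) remain scanner-controlled, untrusted input. sbomScan begins before this hunk and continues after it.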
@@ -212,19 +219,19 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
 	var sbomResult, purlResult string
 	switch {
 	case scanSpec.ImageSBOMOutput != "":
-		sbomResult = filepath.Join(scansDir, filepath.Base(scanSpec.ImageSBOMOutput))
+		sbomResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.ImageSBOMOutput))
 	case scanSpec.SBOMOutput != "":
-		sbomResult = filepath.Join(scansDir, filepath.Base(scanSpec.SBOMOutput))
+		sbomResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.SBOMOutput))
 	default:
-		sbomResult = filepath.Join(scansDir, "sbom-result")
+		sbomResult = filepath.Join(scansSubdir, "sbom-result")
 	}
 	switch {
 	case scanSpec.ImagePURLOutput != "":
-		purlResult = filepath.Join(scansDir, filepath.Base(scanSpec.ImagePURLOutput))
+		purlResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.ImagePURLOutput))
 	case scanSpec.PURLOutput != "":
-		purlResult = filepath.Join(scansDir, filepath.Base(scanSpec.PURLOutput))
+		purlResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.PURLOutput))
 	default:
-		purlResult = filepath.Join(scansDir, "purl-result")
+		purlResult = filepath.Join(scansSubdir, "purl-result")
 	}
 	copyFile := func(destination, source string) error {
 		dst, err := os.Create(destination)
@@ -244,7 +251,7 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
 	}
 	err = func() error {
 		for i := range resultFiles {
-			thisResultFile := filepath.Join(scansDir, filepath.Base(resultFiles[i]))
+			thisResultFile := filepath.Join(scansSubdir, filepath.Base(resultFiles[i]))
 			switch i {
 			case 0:
 				// Straight-up copy to create the first version of the final output.