Merge pull request #6217 from nalind/sbom-user

Builder.sbomScan(): don't break non-root scanners
This commit is contained in:
openshift-merge-bot[bot] 2025-06-10 18:15:44 +00:00 committed by GitHub
commit f46d15d721
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 15 additions and 8 deletions

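--- a/scan.go
+++ b/scan.go
@@ -52,6 +52,13 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
 }
 }
 }()
+scansSubdir := filepath.Join(scansDir, "scans")
+if err = os.Mkdir(scansSubdir, 0o700); err != nil {
+return nil, nil, "", err
+}
+if err = os.Chmod(scansSubdir, 0o777); err != nil {
+return nil, nil, "", err
+}
 // We may be producing sets of outputs using temporary containers, and
 // there's no need to create more than one container for any one
@@ -127,7 +134,7 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
 // Our temporary directory, read-write.
 {
 Type: define.TypeBind,
-Source: scansDir,
+Source: scansSubdir,
 Destination: scansTargetDir,
 Options: []string{"rw", "z"},
 },
@@ -212,19 +219,19 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
 var sbomResult, purlResult string
 switch {
 case scanSpec.ImageSBOMOutput != "":
-sbomResult = filepath.Join(scansDir, filepath.Base(scanSpec.ImageSBOMOutput))
+sbomResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.ImageSBOMOutput))
 case scanSpec.SBOMOutput != "":
-sbomResult = filepath.Join(scansDir, filepath.Base(scanSpec.SBOMOutput))
+sbomResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.SBOMOutput))
 default:
-sbomResult = filepath.Join(scansDir, "sbom-result")
+sbomResult = filepath.Join(scansSubdir, "sbom-result")
 }
 switch {
 case scanSpec.ImagePURLOutput != "":
-purlResult = filepath.Join(scansDir, filepath.Base(scanSpec.ImagePURLOutput))
+purlResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.ImagePURLOutput))
 case scanSpec.PURLOutput != "":
-purlResult = filepath.Join(scansDir, filepath.Base(scanSpec.PURLOutput))
+purlResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.PURLOutput))
 default:
-purlResult = filepath.Join(scansDir, "purl-result")
+purlResult = filepath.Join(scansSubdir, "purl-result")
 }
 copyFile := func(destination, source string) error {
 dst, err := os.Create(destination)
@@ -244,7 +251,7 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
 }
 err = func() error {
 for i := range resultFiles {
-thisResultFile := filepath.Join(scansDir, filepath.Base(resultFiles[i]))
+thisResultFile := filepath.Join(scansSubdir, filepath.Base(resultFiles[i]))
 switch i {
 case 0:
 // Straight-up copy to create the first version of the final output.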
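Review bot: The `os.Chmod(scansSubdir, 0o777)` added in the first hunk creates a world-writable directory with no comment saying why, and 0o777 is exactly the mode a later reader (or a linter) will flag and "fix" back to 0o700, reintroducing the bug this PR addresses. Suggest a comment above the `os.Mkdir` such as `// The scanner may run as an arbitrary non-root UID inside its container, so the bind-mounted subdirectory must be writable by anyone. Mkdir's mode is masked by the umask, so set it explicitly afterwards; only this subdirectory is mounted, and the parent scansDir is what keeps it private on the host.` — the parent's mode is set outside the hunk, so the last clause should be confirmed against where scansDir is created. Because the result files are later read back from this directory by the `copyFile` path in the third and fourth hunks, the sticky bit (`0o1777`) would additionally stop one process in the container from replacing or deleting another's output; this is optional since a single scanner process is the expected case. sbomScan begins before and continues after the hunks shown here.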