
Builder.sbomScan(): don't break non-root scanners

Set up permissions on the scanner output directory so that scanners
whose images specify that they be run as non-root users can still write
to it.  The most recent syft image exposed our bug.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Nalin Dahyabhai
2025-06-10 13:22:20 -04:00
parent d14b4f8dc7
commit 9f35e8a2ac

23
scan.go

@@ -52,6 +52,13 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
} }
} }
}() }()
scansSubdir := filepath.Join(scansDir, "scans")
if err = os.Mkdir(scansSubdir, 0o700); err != nil {
return nil, nil, "", err
}
if err = os.Chmod(scansSubdir, 0o777); err != nil {
return nil, nil, "", err
}
// We may be producing sets of outputs using temporary containers, and // We may be producing sets of outputs using temporary containers, and
// there's no need to create more than one container for any one // there's no need to create more than one container for any one
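Review bot: The added `os.Chmod(scansSubdir, 0o777)` leaves the scan output directory world-writable with no sticky bit, so any local user able to traverse scansDir could remove or replace a scanner's result files before the copy-out below runs; whether anyone other than the owner can reach it depends on scansDir's own mode, which is set before this hunk. If the intent is that the private parent directory is the only guard, say so next to the chmod so the mode is not "fixed" later: `// Intentionally world-writable: scanner images may run as arbitrary non-root UIDs; scansDir itself stays private to us.` If that parent is not guaranteed to be 0o700, `os.Chmod(scansSubdir, os.ModeSticky|0o777)` restricts deletion to each file's owner (note a plain 0o1777 does not set the sticky bit through os.Chmod, which only honours the os.ModeSticky flag). The Mkdir mode is subject to the umask while the Chmod is not, which is presumably why the two calls are separate; a short comment would make that explicit too. sbomScan continues outside the hunk, and the remaining hunks only switch scansDir to scansSubdir.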
@@ -127,7 +134,7 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
// Our temporary directory, read-write. // Our temporary directory, read-write.
{ {
Type: define.TypeBind, Type: define.TypeBind,
Source: scansDir, Source: scansSubdir,
Destination: scansTargetDir, Destination: scansTargetDir,
Options: []string{"rw", "z"}, Options: []string{"rw", "z"},
}, },
@@ -212,19 +219,19 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
var sbomResult, purlResult string var sbomResult, purlResult string
switch { switch {
case scanSpec.ImageSBOMOutput != "": case scanSpec.ImageSBOMOutput != "":
sbomResult = filepath.Join(scansDir, filepath.Base(scanSpec.ImageSBOMOutput)) sbomResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.ImageSBOMOutput))
case scanSpec.SBOMOutput != "": case scanSpec.SBOMOutput != "":
sbomResult = filepath.Join(scansDir, filepath.Base(scanSpec.SBOMOutput)) sbomResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.SBOMOutput))
default: default:
sbomResult = filepath.Join(scansDir, "sbom-result") sbomResult = filepath.Join(scansSubdir, "sbom-result")
} }
switch { switch {
case scanSpec.ImagePURLOutput != "": case scanSpec.ImagePURLOutput != "":
purlResult = filepath.Join(scansDir, filepath.Base(scanSpec.ImagePURLOutput)) purlResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.ImagePURLOutput))
case scanSpec.PURLOutput != "": case scanSpec.PURLOutput != "":
purlResult = filepath.Join(scansDir, filepath.Base(scanSpec.PURLOutput)) purlResult = filepath.Join(scansSubdir, filepath.Base(scanSpec.PURLOutput))
default: default:
purlResult = filepath.Join(scansDir, "purl-result") purlResult = filepath.Join(scansSubdir, "purl-result")
} }
copyFile := func(destination, source string) error { copyFile := func(destination, source string) error {
dst, err := os.Create(destination) dst, err := os.Create(destination)
@@ -244,7 +251,7 @@ func (b *Builder) sbomScan(ctx context.Context, options CommitOptions) (imageFil
} }
err = func() error { err = func() error {
for i := range resultFiles { for i := range resultFiles {
thisResultFile := filepath.Join(scansDir, filepath.Base(resultFiles[i])) thisResultFile := filepath.Join(scansSubdir, filepath.Base(resultFiles[i]))
switch i { switch i {
case 0: case 0:
// Straight-up copy to create the first version of the final output. // Straight-up copy to create the first version of the final output.