Merge pull request #2786 from yankay/support-build-attest

AkihiroSuda · web-flow · commit ba0d1a9c8944 · 2024-02-04T22:42:04.000+09:00
Support `nerdctl build` args: `--attest`,` --sbom`,`--provenance`
diff --git a/cmd/nerdctl/builder_build.go b/cmd/nerdctl/builder_build.go
@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
@@ -50,13 +51,16 @@ If Dockerfile is not present and -f is not specified, it will look for Container
 	buildCommand.Flags().Bool("no-cache", false, "Do not use cache when building the image")
 	buildCommand.Flags().StringP("output", "o", "", "Output destination (format: type=local,dest=path)")
 	buildCommand.Flags().String("progress", "auto", "Set type of progress output (auto, plain, tty). Use plain to show container output")
+	buildCommand.Flags().String("provenance", "", "Shorthand for \"--attest=type=provenance\"")
 	buildCommand.Flags().StringArray("secret", nil, "Secret file to expose to the build: id=mysecret,src=/local/secret")
 	buildCommand.Flags().StringArray("allow", nil, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
 	buildCommand.RegisterFlagCompletionFunc("allow", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return []string{"network.host", "security.insecure"}, cobra.ShellCompDirectiveNoFileComp
 	})
+	buildCommand.Flags().StringArray("attest", nil, "Attestation parameters (format: \"type=sbom,generator=image\")")
 	buildCommand.Flags().StringArray("ssh", nil, "SSH agent socket or keys to expose to the build (format: default|<id>[=<socket>|<key>[,<key>]])")
 	buildCommand.Flags().BoolP("quiet", "q", false, "Suppress the build output and print image ID on success")
+	buildCommand.Flags().String("sbom", "", "Shorthand for \"--attest=type=sbom\"")
 	buildCommand.Flags().StringArray("cache-from", nil, "External cache sources (eg. user/app:cache, type=local,src=path/to/dir)")
 	buildCommand.Flags().StringArray("cache-to", nil, "Cache export destinations (eg. user/app:cache, type=local,dest=path/to/dir)")
 	buildCommand.Flags().Bool("rm", true, "Remove intermediate containers after a successful build")
@@ -165,6 +169,26 @@ func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBu
 	if err != nil {
 		return types.BuilderBuildOptions{}, err
 	}
+
+	attest, err := cmd.Flags().GetStringArray("attest")
+	if err != nil {
+		return types.BuilderBuildOptions{}, err
+	}
+	sbom, err := cmd.Flags().GetString("sbom")
+	if err != nil {
+		return types.BuilderBuildOptions{}, err
+	}
+	if sbom != "" {
+		attest = append(attest, canonicalizeAttest("sbom", sbom))
+	}
+	provenance, err := cmd.Flags().GetString("provenance")
+	if err != nil {
+		return types.BuilderBuildOptions{}, err
+	}
+	if provenance != "" {
+		attest = append(attest, canonicalizeAttest("provenance", provenance))
+	}
+
 	return types.BuilderBuildOptions{
 		GOptions:     globalOptions,
 		BuildKitHost: buildKitHost,
@@ -179,6 +203,7 @@ func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBu
 		NoCache:      noCache,
 		Secret:       secret,
 		Allow:        allow,
+		Attest:       attest,
 		SSH:          ssh,
 		CacheFrom:    cacheFrom,
 		CacheTo:      cacheTo,
@@ -222,3 +247,14 @@ func buildAction(cmd *cobra.Command, args []string) error {
 
 	return builder.Build(ctx, client, options)
 }
+
+// canonicalizeAttest is from https://github.com/docker/buildx/blob/v0.12/util/buildflags/attests.go##L13-L21
+func canonicalizeAttest(attestType string, in string) string {
+	if in == "" {
+		return ""
+	}
+	if b, err := strconv.ParseBool(in); err == nil {
+		return fmt.Sprintf("type=%s,disabled=%t", attestType, !b)
+	}
+	return fmt.Sprintf("type=%s,%s", attestType, in)
+}
diff --git a/cmd/nerdctl/builder_build_test.go b/cmd/nerdctl/builder_build_test.go
@@ -498,3 +498,60 @@ func TestBuildNetworkShellCompletion(t *testing.T) {
 	networkName := "default"
 	base.Cmd(gsc, "build", "--network", "").AssertOutContains(networkName)
 }
+
+func buildWithNamedBuilder(base *testutil.Base, builderName string, args ...string) *testutil.Cmd {
+	buildArgs := []string{"build"}
+	if testutil.GetTarget() == testutil.Docker {
+		buildArgs = append(buildArgs, "--builder", builderName)
+	}
+	buildArgs = append(buildArgs, args...)
+	return base.Cmd(buildArgs...)
+}
+
+func TestBuildAttestation(t *testing.T) {
+	t.Parallel()
+	testutil.RequiresBuild(t)
+	base := testutil.NewBase(t)
+	builderName := testutil.Identifier(t)
+	if testutil.GetTarget() == testutil.Docker {
+		// create named builder for docker
+		defer base.Cmd("buildx", "rm", builderName).AssertOK()
+		base.Cmd("buildx", "create", "--name", builderName, "--bootstrap", "--use").AssertOK()
+	}
+	defer base.Cmd("builder", "prune").Run()
+
+	dockerfile := "FROM " + testutil.NginxAlpineImage
+	buildCtx, err := createBuildContext(dockerfile)
+	assert.NilError(t, err)
+	defer os.RemoveAll(buildCtx)
+
+	// Test sbom
+	outputSBOMDir := t.TempDir()
+	buildWithNamedBuilder(base, builderName, "--sbom=true", "-o", fmt.Sprintf("type=local,dest=%s", outputSBOMDir), buildCtx).AssertOK()
+	const testSBOMFileName = "sbom.spdx.json"
+	testSBOMFilePath := filepath.Join(outputSBOMDir, testSBOMFileName)
+	if _, err := os.Stat(testSBOMFilePath); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test provenance
+	outputProvenanceDir := t.TempDir()
+	buildWithNamedBuilder(base, builderName, "--provenance=mode=min", "-o", fmt.Sprintf("type=local,dest=%s", outputProvenanceDir), buildCtx).AssertOK()
+	const testProvenanceFileName = "provenance.json"
+	testProvenanceFilePath := filepath.Join(outputProvenanceDir, testProvenanceFileName)
+	if _, err := os.Stat(testProvenanceFilePath); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test attestation
+	outputAttestationDir := t.TempDir()
+	buildWithNamedBuilder(base, builderName, "--attest=type=provenance,mode=min", "--attest=type=sbom", "-o", fmt.Sprintf("type=local,dest=%s", outputAttestationDir), buildCtx).AssertOK()
+	testSBOMFilePath = filepath.Join(outputAttestationDir, testSBOMFileName)
+	testProvenanceFilePath = filepath.Join(outputAttestationDir, testProvenanceFileName)
+	if _, err := os.Stat(testSBOMFilePath); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := os.Stat(testProvenanceFilePath); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/docs/command-reference.md b/docs/command-reference.md
@@ -680,10 +680,13 @@ Flags:
   - :whale: `type=tar[,dest=path/to/output.tar]`: Raw tar ball
   - :whale: `type=image,name=example.com/image,push=true`: Push to a registry (see [`buildctl build`](https://github.com/moby/buildkit/tree/v0.9.0#imageregistry) documentation)
 - :whale: `--progress=(auto|plain|tty)`: Set type of progress output (auto, plain, tty). Use plain to show container output
+- :whale: `--provenance`: Shorthand for \"--attest=type=provenance\", see [`buildx_build.md`](https://github.com/docker/buildx/blob/v0.12.1/docs/reference/buildx_build.md#provenance) documentation
 - :whale: `--secret`: Secret file to expose to the build: id=mysecret,src=/local/secret
 - :whale: `--allow`: Allow extra privileged entitlement, e.g. network.host, security.insecure  (It’s required to configure the buildkitd to enable the feature, see [`buildkitd.toml`](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md) documentation)
+- :whale: `--attest`: Attestation parameters (format: "type=sbom,generator=image"), see [`buildx_build.md`](https://github.com/docker/buildx/blob/v0.12.1/docs/reference/buildx_build.md#attest) documentation
 - :whale: `--ssh`: SSH agent socket or keys to expose to the build (format: `default|<id>[=<socket>|<key>[,<key>]]`)
 - :whale: `-q, --quiet`: Suppress the build output and print image ID on success
+- :whale: `--sbom`: Shorthand for \"--attest=type=sbom\", see [`buildx_build.md`](https://github.com/docker/buildx/blob/v0.12.1/docs/reference/buildx_build.md#sbom) documentation
 - :whale: `--cache-from=CACHE`: External cache sources (eg. user/app:cache, type=local,src=path/to/dir) (compatible with `docker buildx build`)
 - :whale: `--cache-to=CACHE`: Cache export destinations (eg. user/app:cache, type=local,dest=path/to/dir) (compatible with `docker buildx build`)
 - :whale: `--platform=(amd64|arm64|...)`: Set target platform for build (compatible with `docker buildx build`)
diff --git a/pkg/api/types/builder_types.go b/pkg/api/types/builder_types.go
@@ -45,6 +45,8 @@ type BuilderBuildOptions struct {
 	Secret []string
 	// Allow extra privileged entitlement, e.g. network.host, security.insecure
 	Allow []string
+	// Attestation parameters (format: "type=sbom,generator=image")"
+	Attest []string
 	// SSH agent socket or keys to expose to the build (format: default|<id>[=<socket>|<key>[,<key>]])
 	SSH []string
 	// Quiet suppress the build output and print image ID on success
diff --git a/pkg/cmd/builder/build.go b/pkg/cmd/builder/build.go
@@ -338,6 +338,16 @@ func generateBuildctlArgs(ctx context.Context, client *containerd.Client, option
 		buildctlArgs = append(buildctlArgs, "--allow="+s)
 	}
 
+	for _, s := range strutil.DedupeStrSlice(options.Attest) {
+		optAttestType, optAttestAttrs, _ := strings.Cut(s, ",")
+		if strings.HasPrefix(optAttestType, "type=") {
+			optAttestType := strings.TrimPrefix(optAttestType, "type=")
+			buildctlArgs = append(buildctlArgs, fmt.Sprintf("--opt=attest:%s=%s", optAttestType, optAttestAttrs))
+		} else {
+			return "", nil, false, "", nil, nil, fmt.Errorf("attestation type not specified")
+		}
+	}
+
 	for _, s := range strutil.DedupeStrSlice(options.SSH) {
 		buildctlArgs = append(buildctlArgs, "--ssh="+s)
 	}
