Inspecting Bottlerocket software and sources

[yeazelm]

1. How can I download a given package binaries independently?
2. How can I download a given package sources?

(This is to add Bottlerocket support in https://github.com/aboutcode-org/vulnerablecode in aboutcode-org/vulnerablecode#1849 and eventually in https://github.com/aboutcode-org/scancode-toolkit and https://github.com/aboutcode-org/scancode.io )

Originally posted by @pombredanne in #4063 (comment)

[yeazelm]

I think it is worth taking a step back and asking what the actual goal is here. Bottlerocket releases software as an image to be used together and one cannot update those different components individually, so thinking about a bottlerocket image, not package, may be the right model here. Our TUF repos found at updates.bottlerocket.dev actually contain the complete images that you can pull down and scan if you'd like:

ARCH="x86_64"
VERSION="v1.35.0"
VARIANT="aws-k8s-1.32"
IMAGE="bottlerocket-${VARIANT}-${ARCH}-${VERSION}.img.lz4"
OUTDIR="${VARIANT}-${VERSION}"

tuftool download "${OUTDIR}" --target-name "${IMAGE}" \
   --root ./root.json \
   --metadata-url "https://updates.bottlerocket.aws/2020-07-07/${VARIANT}/${ARCH}" \
   --targets-url "https://updates.bottlerocket.aws/targets/"

How can I download a given package binaries independently?

If you want to download the individual packages, you'd want to pull down the OCI images that we use to compose these images which we call kits. twoliter does this all for you during a build and isn't really designed to just pull the artifacts separately for inspection. We haven't built any tools to do this type of fetching but the artifacts are public and fetch-able (even if a little hard to get to right now).

How can I download a given package sources?

We provide the build specs in our kits, either https://github.com/bottlerocket-os/bottlerocket-core-kit for cor