Update cargo-cyclonedx and enable Renovate to update it (#783)

lfrancke · web-flow · commit 95e38afbea35 · 2024-09-13T07:25:03.000Z
* Update cargo-cyclonedx and enable Renovate to update it

This adds the necessary annotations (together with our custom renovate config) to be able to update versions in our Dockerfiles as long as they are ENV &lt;something&gt;_VERSION and they have a comment telling renovate what to update

* Update cargo-cyclonedx and add more renovate annotations

* Fix name of SBOM with new generator version

* Update changelog
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,7 @@ All notable changes to this project will be documented in this file.
 
 - ci: Rename local actions, adjust action inputs and outputs, add definition
   README file ([#819]).
+- Update cargo-cyclonedx to 0.5.5 and build CycloneDX 1.5 files ([#783])
 
 ### Removed
 
@@ -38,6 +39,7 @@ All notable changes to this project will be documented in this file.
 
 - hbase: link to phoenix server jar ([#811]).
 
+[#783]: https://github.com/stackabletech/docker-images/pull/783
 [#797]: https://github.com/stackabletech/docker-images/pull/797
 [#802]: https://github.com/stackabletech/docker-images/pull/802
 [#809]: https://github.com/stackabletech/docker-images/pull/809
diff --git a/renovate.json b/renovate.json
@@ -1,7 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "local>stackabletech/.github:renovate-config",
+    "github>stackabletech/.github:renovate-config",
     "docker:pinDigests"
   ]
 }
diff --git a/shared/copy_artifacts.sh b/shared/copy_artifacts.sh
@@ -3,6 +3,6 @@
 # Copy over the binary
 cp "$1" /app
 
-# And now try to find a BOM file named like the binary + .cdx.xml and copy it over as well if it exists
+# And now try to find a BOM file named like the binary + _bin.cdx.xml and copy it over as well if it exists
 base=$(basename "$1")
-find /src/rust/ -type f -name "$base.cdx.xml" -exec cp {} /app \;
+find /src/rust/ -type f -name "${base}_bin.cdx.xml" -exec cp {} /app \;
diff --git a/stackable-base/Dockerfile b/stackable-base/Dockerfile
@@ -6,14 +6,17 @@
 FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:1b6d711648229a1c987f39cfdfccaebe2bd92d0b5d8caa5dbaa5234a9278a0b2 AS product-utils-builder
 
 # Find the latest version here: https://github.com/stackabletech/config-utils/tags
+# renovate: datasource=github-tags packageName=stackabletech/config-utils
 ENV CONFIG_UTILS_VERSION=0.2.0
 # This SHOULD be kept in sync with operator-templating and other tools to reduce build times
 # Find the latest version here: https://doc.rust-lang.org/stable/releases.html
+# renovate: datasource=github-releases packageName=rust-lang/rust
 ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.80.1
 # Find the latest version here: https://crates.io/crates/cargo-cyclonedx
-# IMPORTANT: Do not update until https://github.com/stackabletech/docker-images/pull/783 is merged
-ENV CARGO_CYCLONEDX_CRATE_VERSION=0.4.0
+# renovate: datasource=crate packageName=cargo-cyclonedx
+ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.5
 # Find the latest version here: https://crates.io/crates/cargo-auditable
+# renovate: datasource=crate packageName=cargo-auditable
 ENV CARGO_AUDITABLE_CRATE_VERSION=0.6.4
 
 RUN <<EOF
@@ -33,7 +36,7 @@ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --defaul
 git clone --depth 1 --branch "${CONFIG_UTILS_VERSION}" https://github.com/stackabletech/config-utils
 cd ./config-utils
 . "$HOME/.cargo/env"
-cargo auditable --quiet build --release && cargo cyclonedx --output-pattern package --all --output-cdx
+cargo auditable --quiet build --release && cargo cyclonedx --all --spec-version 1.5 --describe binaries
 EOF
 
 # Find the latest version at https://catalog.redhat.com/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5?container-tabs=gti
@@ -159,10 +162,11 @@ fi
 EOF
 
 COPY --from=product-utils-builder --chown=stackable:stackable /config-utils/target/release/config-utils /stackable/config-utils
-COPY --from=product-utils-builder --chown=stackable:stackable /config-utils/config-utils.cdx.xml /stackable/config-utils.cdx.xml
+COPY --from=product-utils-builder --chown=stackable:stackable /config-utils/config-utils_bin.cdx.xml /stackable/config-utils.cdx.xml
 ENV PATH="${PATH}:/stackable"
 
 # These labels have mostly been superceded by the OpenContainer spec annotations below but it doesn't hurt to include them
+# http://label-schema.org/rc1/
 LABEL maintainer="info@stackable.tech"
 LABEL vendor="Stackable GmbH"
 
diff --git a/ubi8-rust-builder/Dockerfile b/ubi8-rust-builder/Dockerfile
@@ -11,14 +11,17 @@ LABEL maintainer="Stackable GmbH"
 
 # This SHOULD be kept in sync with operator-templating and other tools to reduce build times
 # Find the latest version here: https://doc.rust-lang.org/stable/releases.html
+# renovate: datasource=github-releases packageName=rust-lang/rust
 ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.80.1
 # Find the latest version here: https://crates.io/crates/cargo-cyclonedx
-# IMPORTANT: Do not update until https://github.com/stackabletech/docker-images/pull/783 is merged
-ENV CARGO_CYCLONEDX_CRATE_VERSION=0.4.0
+# renovate: datasource=crate packageName=cargo-cyclonedx
+ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.5
 # Find the latest version here: https://crates.io/crates/cargo-auditable
+# renovate: datasource=crate packageName=cargo-auditable
 ENV CARGO_AUDITABLE_CRATE_VERSION=0.6.4
 # Find the latest version here: https://github.com/protocolbuffers/protobuf/releases
 # Upload any newer version to nexus with ./.scripts/upload_new_protoc_version.sh
+# renovate: datasource=github-releases packageName=protocolbuffers/protobuf
 ENV PROTOC_VERSION=27.3
 
 # Sets the default shell to Bash with strict error handling and robust pipeline processing.
@@ -73,8 +76,11 @@ WORKDIR /
 # IMPORTANT
 # If you change the toolchain version here, make sure to also change the "rust_version"
 # property in operator-templating/config/rust.yaml
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_DEFAULT_TOOLCHAIN_VERSION \
- && . "$HOME/.cargo/env" && cargo --quiet install cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION
+RUN <<EOF
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "$RUST_DEFAULT_TOOLCHAIN_VERSION"
+. "$HOME/.cargo/env"
+cargo --quiet install "cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION" "cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION"
+EOF
 
 # Build artifacts will be available in /app.
 RUN mkdir /app
@@ -84,20 +90,21 @@ COPY shared/copy_artifacts.sh /
 ONBUILD WORKDIR /src
 ONBUILD COPY . /src
 
-ONBUILD RUN . "$HOME/.cargo/env" && cargo auditable --quiet build --release --workspace && cargo cyclonedx --output-pattern package --all --output-cdx
+ONBUILD RUN <<EOF
+. "$HOME/.cargo/env"
+cargo auditable --quiet build --release --workspace
+cargo cyclonedx --all --spec-version 1.5 --describe binaries
 
-# Copy the "interesting" files into /app.
-ONBUILD RUN find /src/target/release \
-                -regextype egrep \
-                # The interesting binaries are all directly in ${BUILD_DIR}.
-                -maxdepth 1 \
-                # Well, binaries are executable.
-                -executable \
-                # Well, binaries are files.
-                -type f \
-                # Filter out tests.
-                ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
-                # Copy the matching files into /app.
-                -exec /copy_artifacts.sh {} \;
+# -maxdepth 1: The interesting binaries are all directly in ${BUILD_DIR}.
+# -regex filters out tests
+# - exec copies matching files to /app
+find /src/target/release \
+  -regextype egrep \
+  -maxdepth 1 \
+  -executable \
+  -type f \
+  ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
+  -exec /copy_artifacts.sh {} \;
 
-ONBUILD RUN echo "The following files will be copied to the runtime image: $(ls /app)"
+echo "The following files will be copied to the runtime image: $(ls /app)"
+EOF
diff --git a/ubi9-rust-builder/Dockerfile b/ubi9-rust-builder/Dockerfile
@@ -8,14 +8,17 @@ LABEL maintainer="Stackable GmbH"
 
 # This SHOULD be kept in sync with operator-templating and other tools to reduce build times
 # Find the latest version here: https://doc.rust-lang.org/stable/releases.html
+# renovate: datasource=github-releases packageName=rust-lang/rust
 ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.80.1
 # Find the latest version here: https://crates.io/crates/cargo-cyclonedx
-# IMPORTANT: Do not update until https://github.com/stackabletech/docker-images/pull/783 is merged
-ENV CARGO_CYCLONEDX_CRATE_VERSION=0.4.0
+# renovate: datasource=crate packageName=cargo-cyclonedx
+ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.5
 # Find the latest version here: https://crates.io/crates/cargo-auditable
+# renovate: datasource=crate packageName=cargo-auditable
 ENV CARGO_AUDITABLE_CRATE_VERSION=0.6.4
 # Find the latest version here: https://github.com/protocolbuffers/protobuf/releases
 # Upload any newer version to nexus with ./.scripts/upload_new_protoc_version.sh
+# renovate: datasource=github-releases packageName=protocolbuffers/protobuf
 ENV PROTOC_VERSION=27.3
 
 # Sets the default shell to Bash with strict error handling and robust pipeline processing.
@@ -72,8 +75,11 @@ WORKDIR /
 # IMPORTANT
 # If you change the toolchain version here, make sure to also change the "rust_version"
 # property in operator-templating/config/rust.yaml
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_DEFAULT_TOOLCHAIN_VERSION \
-&& . "$HOME/.cargo/env" && cargo --quiet install cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION
+RUN <<EOF
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "$RUST_DEFAULT_TOOLCHAIN_VERSION"
+. "$HOME/.cargo/env"
+cargo install --quiet "cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION" "cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION"
+EOF
 
 # Build artifacts will be available in /app.
 RUN mkdir /app
@@ -83,20 +89,21 @@ COPY shared/copy_artifacts.sh /
 ONBUILD WORKDIR /src
 ONBUILD COPY . /src
 
-ONBUILD RUN . "$HOME/.cargo/env" && cargo auditable --quiet build --release --workspace && cargo cyclonedx --output-pattern package --all --output-cdx
+ONBUILD RUN <<EOF
+. "$HOME/.cargo/env"
+cargo auditable --quiet build --release --workspace
+cargo cyclonedx --all --spec-version 1.5 --describe binaries
 
-# Copy the "interesting" files into /app.
-ONBUILD RUN find /src/target/release \
-                -regextype egrep \
-                # The interesting binaries are all directly in ${BUILD_DIR}.
-                -maxdepth 1 \
-                # Well, binaries are executable.
-                -executable \
-                # Well, binaries are files.
-                -type f \
-                # Filter out tests.
-                ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
-                # Copy the matching files into /app.
-                -exec /copy_artifacts.sh {} \;
+# -maxdepth 1: The interesting binaries are all directly in ${BUILD_DIR}.
+# -regex filters out tests
+# - exec copies matching files to /app
+find /src/target/release \
+  -regextype egrep \
+  -maxdepth 1 \
+  -executable \
+  -type f \
+  ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
+  -exec /copy_artifacts.sh {} \;
 
-ONBUILD RUN echo "The following files will be copied to the runtime image: $(ls /app)"
+echo "The following files will be copied to the runtime image: $(ls /app)"
+EOF

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"$schema": "https://docs.renovatebot.com/renovate-schema.json",`
`3`	`3`	`"extends": [`
`4`		`- "local>stackabletech/.github:renovate-config",`
	`4`	`+ "github>stackabletech/.github:renovate-config",`
`5`	`5`	`"docker:pinDigests"`
`6`	`6`	`]`
`7`	`7`	`}`