podman
podman copied to clipboard
containers
fix: #23915 podman build is not parsing sbom command line arguments
Issue Description
SBOM flags are not respected while podman build command.
At the same time buildah build command works as expected.
Fixes #23915
Steps to reproduce the issue
With the following Containerfile:
FROM ubuntu:22.04
WORKDIR /app
Run the following podman build:
podman build -t sbom-img --sbom=trivy-spdx \
--sbom-image-output=/app/sbom-spdx.json \
--sbom-output=sbom-spdx.json \
--sbom-scanner-image=ghcr.io/aquasecurity/trivy \
--sbom-scanner-command="trivy filesystem -q {ROOTFS} --format spdx-json --output {OUTPUT}" \
--sbom-scanner-command="trivy filesystem -q {CONTEXT} --format spdx-json --output {OUTPUT}" \
--sbom-merge-strategy=merge-spdx-by-package-name-and-versioninfo \
-f Containerfile
Create a container with the image built in the previous step and check if the file sbom-spdx.json is inside of the container as requested:
podman run -it --rm sbom-img ls -al
Expected result:
drwxr-xr-x. 1 root root 28 Mar 21 13:06 .
dr-xr-xr-x. 1 root root 12 Mar 21 13:17 ..
-rw-r--r--. 1 root root 147729 Mar 21 13:06 sbom-spdx.json
Actual results:
drwxr-xr-x. 1 root root 28 Mar 21 13:06 .
dr-xr-xr-x. 1 root root 12 Mar 21 13:17 ..
Running the steps above with the code from this PR shows the expected result (the same as when using buildah), while running with the code from the main branch shows the actual result (with the bug).
Does this PR introduce a user-facing change?
None
please sign your commits https://github.com/containers/podman/blob/main/CONTRIBUTING.md#sign-your-prs
and you need to add a release note ... this is cli and is an outward change.
and add a test
Hi @baude,
please sign your commits https://github.com/containers/podman/blob/main/CONTRIBUTING.md#sign-your-prs
I believe the commit is signed.
and you need to add a release note
I did not add a release note because in the template it was saying to add it only in case of user-facing change, there is no user-facing change, only a bug fix for the flags that were already there.
This looks exactly what github.com/containers/buildah/pkg/cli.GenBuildOptions() does, so I expect it's going to handle the options correctly, so LGTM.
But if podman isn't calling that function, I have to wonder why we went to the trouble of exporting it there.
@aguidirh: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.
In response to this:
/retest
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hi @nalind,
I added the test requested by @baude.
They are passing locally, I am not sure why some tests are failing in the PR.
Could you please /retest them?
the test [FAIL] Podman build [It] podman build with sbom flags is failing here.
also note the failures are all remote tests
Thanks @baude, I will have a look why they are failing for the remote tests and try to fix them.
Great job @aguidirh , tests are passing. If you don't mind, it would be helpful to add some remote tests (see pkg/machine/e2e). Also, please squash your commits as CI tests were not passing for the first one.
[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.
![packit-as-a-service[bot] avatar](https://avatars.githubusercontent.com/in/29076?v=4 "Published by a pub.dev verified publisher"){kind=small}
Great job @aguidirh , tests are passing. If you don't mind, it would be helpful to add some remote tests (see pkg/machine/e2e). Also, please squash your commits as CI tests were not passing for the first one.
Thanks @l0rd.
In test/e2e/build_test.go L977-997 I added podman build with sbom flags which I believe runs as make localintegration and also as remote test make remoteintegration
Is this kind of remote test are you asking for? Or is it other type of remote test? (@l0rd please ignore this message)
I squashed the commits, but I believe we have some flaky tests.
/hold
TODO: discover why build with sbom flags are not working for podman machine localmachine on basic_test.go L326-327.
The same test works fine for localintegration and remoteintegration on test/e2e/build_test.go L995-996.
@mheon could you please have a look if the tests failing are only flakes?
Please let me know if there is something missing to merge this PR.
The Linux machine tests are timing out consistently. Likely not a flake. Possible that your test addition just bumped us over the limit, though I would have expected us to be flaking consistently before this if that was the case?
WSL is just being WSL, that's a flake
@mheon since the machine tests will need to wait for the new vm to be built based on the server code I'm sending in this PR, is that ok if I comment the entire machine test ?
In this way we can check if the problem is that my tests bumped over the limit.
What do you think?
machine-linux podman fedora-42 rootless host sqlite
But if that was the case, the linux machine test above should fail as well right? The one above passed, also other jobs related to machine tests passed (applehv, hyperv and libkrun).
@baude @Luap99 PTAL at the machine tests here - the Linux timeout looks suspicious and is repeating
@Luap99 all tests are passing now, could you please take a look to see if there is anything missing before merging this PR?
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: aguidirh, Luap99
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [Luap99]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment