
Implement others ways of installation

Open jwillker opened this issue 2 years ago • 8 comments

The project has a high chance of gaining a lot of adoption. To help with adoption, the project could provide other ways to install besides go install or downloading binaries. This makes it easier to use osv-scanner on different machines, servers, CI/CD, etc.

My proposal is that the project could have the following:

All this can be done using the goreleaser. I can help with PRs if these features make sense!

jwillker avatar Dec 15 '22 00:12 jwillker

My initial thoughts on curl | bash are coloured by my past history with things like:

  • https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
  • https://www.onsecurity.io/blog/careless-with-curl-dont-be/

and as such, given the space we're operating in, I'd prefer for OSV Scanner to have a very solid supply chain security story.

I totally agree with the spirit of this issue though. As a Debian Developer, I'd like to see it packaged for Debian :-)

andrewpollock avatar Dec 15 '22 02:12 andrewpollock

I am not very familiar with goreleaser so any help would be appreciated, +1 on being cautious with curl | bash though.

I think the first step is producing a docker image, which can also be used when making the CI/CD action.

another-rex avatar Dec 15 '22 03:12 another-rex

I did try to build a docker image from the current Dockerfile in the repo, but I don't seem to be able to run the osv-scanner with arguments.

When trying to scan a directory: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app -r /app

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

And when trying to run with --lockfile I get the same: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app --lockfile=/app/composer.lock

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

Running it from go locally works fine.

koenhendriks avatar Dec 15 '22 12:12 koenhendriks

> I did try to build a docker image from the current Dockerfile in the repo, but I don't seem to be able to run the osv-scanner with arguments.
>
> When trying to scan a directory: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app -r /app
>
> returns:
>
> osv-scanner version: dev
> commit: n/a
> built at: n/a
>
> And when trying to run with --lockfile I get the same: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app --lockfile=/app/composer.lock
>
> returns:
>
> osv-scanner version: dev
> commit: n/a
> built at: n/a
>
> Running it from go locally works fine.

@koenhendriks The problem here is that you are passing -v to the osv-scanner. I think you want to use docker's -v to pass a volume; the order matters.

Maybe you should do: docker run --rm -v ${PWD}:/app koenhendriks/osv-scanner -r /app

jwillker avatar Dec 15 '22 12:12 jwillker

> I am not very familiar with goreleaser so any help would be appreciated, +1 on being cautious with curl | bash though.
>
> I think the first step is producing a docker image, which can also be used when making the CI/CD action.

@another-rex I just opened a PR to implement a docker image publish feature using Goreleaser: https://github.com/google/osv-scanner/pull/63

Can you review and comment on the open points, please?

jwillker avatar Dec 15 '22 18:12 jwillker

https://github.com/taiki-e/install-action now supports osv-scanner

jayvdb avatar Dec 11 '23 08:12 jayvdb

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] avatar Jul 26 '24 18:07 github-actions[bot]