Merge pull request #1501 from tonistiigi/v0.10-picks

[v0.10] cherry-picks
2025-11-04 18:13:42 +08:00 · 2023-01-09 16:10:12 -08:00
parent 7fcea64eb4 583fe71740
commit 8764628976
8 changed files with 171 additions and 201 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,8 +21,8 @@ on:
      - 'docs/**'

 env:
-  BUILDX_VERSION: "v0.10.0-rc1"
-  BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc3"
+  BUILDX_VERSION: "v0.10.0-rc3"
+  BUILDKIT_IMAGE: "moby/buildkit:v0.11.0"
  REPO_SLUG: "docker/buildx-bin"
  DESTDIR: "./bin"

--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile-upstream:master
+# syntax=docker/dockerfile-upstream:1.5.0

 ARG GO_VERSION=1.19
 ARG XX_VERSION=1.1.2
--- a/docs/reference/buildx_imagetools_inspect.md
+++ b/docs/reference/buildx_imagetools_inspect.md
@@ -287,69 +287,57 @@ $ docker buildx imagetools inspect moby/buildkit:master --format "{{json .Manife
 Following command provides [SLSA](https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-provenance.md) JSON output:

 ```console
-$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SLSA}}"
+$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Provenance}}"
 ```
 ```json
 {
-  "Provenance": {
-    "_type": "https://in-toto.io/Statement/v0.1",
-    "predicateType": "https://slsa.dev/provenance/v0.2",
-    "subject": [
+  "SLSA": {
+    "builder": {
+      "id": ""
+    },
+    "buildType": "https://mobyproject.org/buildkit@v1",
+    "materials": [
      {
-        "name": "pkg:docker/crazymax/buildkit@attest?platform=linux%2Famd64",
+        "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
        "digest": {
-          "sha256": "fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55"
+          "sha256": "b45f1d207e16c3a3a5a10b254ad8ad358d01f7ea090d382b95c6b2ee2b3ef765"
+        }
+      },
+      {
+        "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
+        "digest": {
+          "sha256": "8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
        }
      }
    ],
-    "predicate": {
-      "builder": {
-        "id": ""
-      },
-      "buildType": "https://mobyproject.org/buildkit@v1",
-      "materials": [
-        {
-          "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
-          "digest": {
-            "sha256": "b45f1d207e16c3a3a5a10b254ad8ad358d01f7ea090d382b95c6b2ee2b3ef765"
+    "invocation": {
+      "configSource": {},
+      "parameters": {
+        "frontend": "dockerfile.v0",
+        "locals": [
+          {
+            "name": "context"
+          },
+          {
+            "name": "dockerfile"
          }
-        },
-        {
-          "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
-          "digest": {
-            "sha256": "8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
-          }
-        }
-      ],
-      "invocation": {
-        "configSource": {},
-        "parameters": {
-          "frontend": "dockerfile.v0",
-          "locals": [
-            {
-              "name": "context"
-            },
-            {
-              "name": "dockerfile"
-            }
-          ]
-        },
-        "environment": {
-          "platform": "linux/amd64"
-        }
+        ]
      },
-      "metadata": {
-        "buildInvocationID": "02tdha2xkbxvin87mz9drhag4",
-        "buildStartedOn": "2022-12-01T11:50:07.264704131Z",
-        "buildFinishedOn": "2022-12-01T11:50:08.243788739Z",
-        "reproducible": false,
-        "completeness": {
-          "parameters": true,
-          "environment": true,
-          "materials": false
-        },
-        "https://mobyproject.org/buildkit@v1#metadata": {}
+      "environment": {
+        "platform": "linux/amd64"
      }
+    },
+    "metadata": {
+      "buildInvocationID": "02tdha2xkbxvin87mz9drhag4",
+      "buildStartedOn": "2022-12-01T11:50:07.264704131Z",
+      "buildFinishedOn": "2022-12-01T11:50:08.243788739Z",
+      "reproducible": false,
+      "completeness": {
+        "parameters": true,
+        "environment": true,
+        "materials": false
+      },
+      "https://mobyproject.org/buildkit@v1#metadata": {}
    }
  }
 }
@@ -363,32 +351,20 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SB
 ```json
 {
  "SPDX": {
-    "_type": "https://in-toto.io/Statement/v0.1",
-    "predicateType": "https://spdx.dev/Document",
-    "subject": [
-      {
-        "name": "pkg:docker/crazymax/buildkit@attest?platform=linux%2Famd64",
-        "digest": {
-          "sha256": "fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55"
-        }
-      }
-    ],
-    "predicate": {
-      "SPDXID": "SPDXRef-DOCUMENT",
-      "creationInfo": {
-        "created": "2022-12-01T11:46:48.063400162Z",
-        "creators": [
-          "Tool: syft-v0.60.3",
-          "Tool: buildkit-1ace2bb",
-          "Organization: Anchore, Inc"
-        ],
-        "licenseListVersion": "3.18"
-      },
-      "dataLicense": "CC0-1.0",
-      "documentNamespace": "https://anchore.com/syft/dir/run/src/core-0a4ccc6d-1a72-4c3a-a40e-3df1a2ffca94",
-      "files": [...],
-      "spdxVersion": "SPDX-2.2"
-    }
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "creationInfo": {
+      "created": "2022-12-01T11:46:48.063400162Z",
+      "creators": [
+        "Tool: syft-v0.60.3",
+        "Tool: buildkit-1ace2bb",
+        "Organization: Anchore, Inc"
+      ],
+      "licenseListVersion": "3.18"
+    },
+    "dataLicense": "CC0-1.0",
+    "documentNamespace": "https://anchore.com/syft/dir/run/src/core-0a4ccc6d-1a72-4c3a-a40e-3df1a2ffca94",
+    "files": [...],
+    "spdxVersion": "SPDX-2.2"
  }
 }
 ```
@@ -465,97 +441,73 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}
      }
    ]
  },
-  "SLSA": {
-    "Provenance": {
-      "_type": "https://in-toto.io/Statement/v0.1",
-      "predicateType": "https://slsa.dev/provenance/v0.2",
-      "subject": [
+  "Provenance": {
+    "SLSA": {
+      "builder": {
+        "id": ""
+      },
+      "buildType": "https://mobyproject.org/buildkit@v1",
+      "materials": [
        {
-          "name": "pkg:docker/crazymax/buildkit@attest?platform=linux%2Famd64",
+          "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
          "digest": {
-            "sha256": "fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55"
+            "sha256": "b45f1d207e16c3a3a5a10b254ad8ad358d01f7ea090d382b95c6b2ee2b3ef765"
+          }
+        },
+        {
+          "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
+          "digest": {
+            "sha256": "8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
          }
        }
      ],
-      "predicate": {
-        "builder": {
-          "id": ""
-        },
-        "buildType": "https://mobyproject.org/buildkit@v1",
-        "materials": [
-          {
-            "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
-            "digest": {
-              "sha256": "b45f1d207e16c3a3a5a10b254ad8ad358d01f7ea090d382b95c6b2ee2b3ef765"
+      "invocation": {
+        "configSource": {},
+        "parameters": {
+          "frontend": "dockerfile.v0",
+          "locals": [
+            {
+              "name": "context"
+            },
+            {
+              "name": "dockerfile"
            }
-          },
-          {
-            "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
-            "digest": {
-              "sha256": "8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
-            }
-          }
-        ],
-        "invocation": {
-          "configSource": {},
-          "parameters": {
-            "frontend": "dockerfile.v0",
-            "locals": [
-              {
-                "name": "context"
-              },
-              {
-                "name": "dockerfile"
-              }
-            ]
-          },
-          "environment": {
-            "platform": "linux/amd64"
-          }
+          ]
        },
-        "metadata": {
-          "buildInvocationID": "02tdha2xkbxvin87mz9drhag4",
-          "buildStartedOn": "2022-12-01T11:50:07.264704131Z",
-          "buildFinishedOn": "2022-12-01T11:50:08.243788739Z",
-          "reproducible": false,
-          "completeness": {
-            "parameters": true,
-            "environment": true,
-            "materials": false
-          },
-          "https://mobyproject.org/buildkit@v1#metadata": {}
+        "environment": {
+          "platform": "linux/amd64"
        }
+      },
+      "metadata": {
+        "buildInvocationID": "02tdha2xkbxvin87mz9drhag4",
+        "buildStartedOn": "2022-12-01T11:50:07.264704131Z",
+        "buildFinishedOn": "2022-12-01T11:50:08.243788739Z",
+        "reproducible": false,
+        "completeness": {
+          "parameters": true,
+          "environment": true,
+          "materials": false
+        },
+        "https://mobyproject.org/buildkit@v1#metadata": {}
      }
    }
  },
  "SBOM": {
    "SPDX": {
-      "_type": "https://in-toto.io/Statement/v0.1",
-      "predicateType": "https://spdx.dev/Document",
-      "subject": [
-        {
-          "name": "pkg:docker/crazymax/buildkit@attest?platform=linux%2Famd64",
-          "digest": {
-            "sha256": "fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55"
-          }
-        }
-      ],
-      "predicate": {
-        "SPDXID": "SPDXRef-DOCUMENT",
-        "creationInfo": {
-          "created": "2022-12-01T11:46:48.063400162Z",
-          "creators": [
-            "Tool: syft-v0.60.3",
-            "Tool: buildkit-1ace2bb",
-            "Organization: Anchore, Inc"
-          ],
-          "licenseListVersion": "3.18"
-        },
-        "dataLicense": "CC0-1.0",
-        "documentNamespace": "https://anchore.com/syft/dir/run/src/core-0a4ccc6d-1a72-4c3a-a40e-3df1a2ffca94",
-        "files": [...],
-        "spdxVersion": "SPDX-2.2"
-      }
+      "SPDXID": "SPDXRef-DOCUMENT",
+      "creationInfo": {
+        "created": "2022-12-01T11:46:48.063400162Z",
+        "creators": [
+          "Tool: syft-v0.60.3",
+          "Tool: buildkit-1ace2bb",
+          "Organization: Anchore, Inc"
+        ],
+        "licenseListVersion": "3.18"
+      },
+      "dataLicense": "CC0-1.0",
+      "documentNamespace": "https://anchore.com/syft/dir/run/src/core-0a4ccc6d-1a72-4c3a-a40e-3df1a2ffca94",
+      "files": [...],
+      "spdxVersion": "SPDX-2.2"
    }
  }
 }
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
 	github.com/hashicorp/hcl/v2 v2.8.2
-	github.com/moby/buildkit v0.11.0-rc4
+	github.com/moby/buildkit v0.11.0
 	github.com/moby/sys/mountinfo v0.6.2
 	github.com/morikuni/aec v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
--- a/go.sum
+++ b/go.sum
@@ -401,8 +401,8 @@ github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZX
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.11.0-rc4 h1:PxvzcqZn2IOrMzIS2nEqRQxk67xeSQnhdYxEj0YQuLM=
-github.com/moby/buildkit v0.11.0-rc4/go.mod h1:v43oa6H2Fx/cdzc7j0UlUu8p6188yy1P3vrujAs99uw=
+github.com/moby/buildkit v0.11.0 h1:GqBC/ETDqwdu61g4tCxX1GFZuGWg/nuqFxamb2or1dw=
+github.com/moby/buildkit v0.11.0/go.mod h1:v43oa6H2Fx/cdzc7j0UlUu8p6188yy1P3vrujAs99uw=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
--- a/util/imagetools/loader.go
+++ b/util/imagetools/loader.go
@@ -46,9 +46,9 @@ type index struct {
 }

 type asset struct {
-	config *ocispec.Image
-	sbom   *sbomStub
-	slsa   *slsaStub
+	config     *ocispec.Image
+	sbom       *sbomStub
+	provenance *provenanceStub
 }

 type result struct {
@@ -255,7 +255,8 @@ func (l *loader) scanConfig(ctx context.Context, fetcher remotes.Fetcher, desc o
 }

 type sbomStub struct {
-	SPDX json.RawMessage `json:",omitempty"`
+	SPDX            interface{}   `json:",omitempty"`
+	AdditionalSPDXs []interface{} `json:",omitempty"`
 }

 func (l *loader) scanSBOM(ctx context.Context, fetcher remotes.Fetcher, r *result, refs []digest.Digest, as *asset) error {
@@ -275,8 +276,18 @@ func (l *loader) scanSBOM(ctx context.Context, fetcher remotes.Fetcher, r *resul
 				if err != nil {
 					return err
 				}
-				as.sbom = &sbomStub{
-					SPDX: dt,
+				var spdx struct {
+					Predicate interface{} `json:"predicate"`
+				}
+				if err := json.Unmarshal(dt, &spdx); err != nil {
+					return err
+				}
+
+				if as.sbom == nil {
+					as.sbom = &sbomStub{}
+					as.sbom.SPDX = spdx.Predicate
+				} else {
+					as.sbom.AdditionalSPDXs = append(as.sbom.AdditionalSPDXs, spdx.Predicate)
 				}
 			}
 		}
@@ -284,8 +295,8 @@ func (l *loader) scanSBOM(ctx context.Context, fetcher remotes.Fetcher, r *resul
 	return nil
 }

-type slsaStub struct {
-	Provenance json.RawMessage `json:",omitempty"`
+type provenanceStub struct {
+	SLSA interface{} `json:",omitempty"`
 }

 func (l *loader) scanProvenance(ctx context.Context, fetcher remotes.Fetcher, r *result, refs []digest.Digest, as *asset) error {
@@ -305,9 +316,16 @@ func (l *loader) scanProvenance(ctx context.Context, fetcher remotes.Fetcher, r
 				if err != nil {
 					return err
 				}
-				as.slsa = &slsaStub{
-					Provenance: dt,
+				var slsa struct {
+					Predicate interface{} `json:"predicate"`
 				}
+				if err := json.Unmarshal(dt, &slsa); err != nil {
+					return err
+				}
+				as.provenance = &provenanceStub{
+					SLSA: slsa.Predicate,
+				}
+				break
 			}
 		}
 	}
@@ -328,16 +346,16 @@ func (r *result) Configs() map[string]*ocispec.Image {
 	return res
 }

-func (r *result) SLSA() map[string]slsaStub {
+func (r *result) Provenance() map[string]provenanceStub {
 	if len(r.assets) == 0 {
 		return nil
 	}
-	res := make(map[string]slsaStub)
+	res := make(map[string]provenanceStub)
 	for p, a := range r.assets {
-		if a.slsa == nil {
+		if a.provenance == nil {
 			continue
 		}
-		res[p] = *a.slsa
+		res[p] = *a.provenance
 	}
 	return res
 }
--- a/util/imagetools/printers.go
+++ b/util/imagetools/printers.go
@@ -99,7 +99,7 @@ func (p *Printer) Print(raw bool, out io.Writer) error {
 	}

 	imageconfigs := res.Configs()
-	slsas := res.SLSA()
+	provenances := res.Provenance()
 	sboms := res.SBOM()
 	format := tpl.Root.String()

@@ -143,43 +143,43 @@ func (p *Printer) Print(raw bool, out io.Writer) error {
 	default:
 		if len(res.platforms) > 1 {
 			return tpl.Execute(out, struct {
-				Name     string                     `json:"name,omitempty"`
-				Manifest interface{}                `json:"manifest,omitempty"`
-				Image    map[string]*ocispecs.Image `json:"image,omitempty"`
-				SLSA     map[string]slsaStub        `json:"SLSA,omitempty"`
-				SBOM     map[string]sbomStub        `json:"SBOM,omitempty"`
+				Name       string                     `json:"name,omitempty"`
+				Manifest   interface{}                `json:"manifest,omitempty"`
+				Image      map[string]*ocispecs.Image `json:"image,omitempty"`
+				Provenance map[string]provenanceStub  `json:"Provenance,omitempty"`
+				SBOM       map[string]sbomStub        `json:"SBOM,omitempty"`
 			}{
-				Name:     p.name,
-				Manifest: mfst,
-				Image:    imageconfigs,
-				SLSA:     slsas,
-				SBOM:     sboms,
+				Name:       p.name,
+				Manifest:   mfst,
+				Image:      imageconfigs,
+				Provenance: provenances,
+				SBOM:       sboms,
 			})
 		}
 		var ic *ocispecs.Image
 		for _, v := range imageconfigs {
 			ic = v
 		}
-		var slsa slsaStub
-		for _, v := range slsas {
-			slsa = v
+		var provenance provenanceStub
+		for _, v := range provenances {
+			provenance = v
 		}
 		var sbom sbomStub
 		for _, v := range sboms {
 			sbom = v
 		}
 		return tpl.Execute(out, struct {
-			Name     string          `json:"name,omitempty"`
-			Manifest interface{}     `json:"manifest,omitempty"`
-			Image    *ocispecs.Image `json:"image,omitempty"`
-			SLSA     slsaStub        `json:"SLSA,omitempty"`
-			SBOM     sbomStub        `json:"SBOM,omitempty"`
+			Name       string          `json:"name,omitempty"`
+			Manifest   interface{}     `json:"manifest,omitempty"`
+			Image      *ocispecs.Image `json:"image,omitempty"`
+			Provenance provenanceStub  `json:"Provenance,omitempty"`
+			SBOM       sbomStub        `json:"SBOM,omitempty"`
 		}{
-			Name:     p.name,
-			Manifest: mfst,
-			Image:    ic,
-			SLSA:     slsa,
-			SBOM:     sbom,
+			Name:       p.name,
+			Manifest:   mfst,
+			Image:      ic,
+			Provenance: provenance,
+			SBOM:       sbom,
 		})
 	}

--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -433,7 +433,7 @@ github.com/mitchellh/go-wordwrap
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
 github.com/mitchellh/mapstructure
-# github.com/moby/buildkit v0.11.0-rc4
+# github.com/moby/buildkit v0.11.0
 ## explicit; go 1.18
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types