asf-tooling commented on issue #1070:
URL: https://github.com/apache/tooling-trusted-releases/issues/1070#issuecomment-4409816220

   <!-- gofannon-issue-triage-bot v2 -->
   
   **Automated triage** — analyzed at `main@2da7807a`
   
   **Type:** `refactor`  •  **Classification:** `actionable`  •  **Confidence:** `high`
   **Application domain(s):** `sbom_analysis`, `shared_infrastructure`
   
   ### Summary
   The issue claims Syft is installed via unverified `curl | sh`, but the 
current Dockerfile already verifies the SHA256 of the install script before 
executing it (via `SYFT_INSTALL_SHA256`). However, the install script then 
downloads and installs the syft binary without ATR directly verifying the 
binary's hash. The TODO comment in the code acknowledges this gap: 'we should 
figure out how to pin the binaries'. The recommended fix is to download the 
binary tarball directly and verify its hash, eliminating reliance on the 
third-party install script entirely. The triage notes confirm this should be 
addressed ('get syft via a safer way').
   
   ### Proposed approach
   Replace the `curl | sh` install script pattern with a direct binary tarball 
download and SHA256 verification, following the same pattern already used for 
CycloneDX CLI. This eliminates the need to execute any third-party script and 
directly verifies the binary artifact that will be installed.
   
   The change involves: (1) replacing `SYFT_INSTALL_SHA256` with `SYFT_SHA256` 
that corresponds to the release tarball's checksum, (2) downloading the release 
tarball directly from GitHub releases, (3) verifying the tarball's SHA256, (4) 
extracting only the `syft` binary. The `go` package can also be removed from 
the `depbuilder` stage's `apk add` if parlay and sbomqs are also handled 
differently, but since those still use `go install`, `go` stays for now.
   
   ### Suggested patches
   
   #### `Dockerfile.alpine`
   Replace install script execution with direct binary download and hash 
verification of the tarball itself
   
   ````diff
   --- a/Dockerfile.alpine
   +++ b/Dockerfile.alpine
   @@ -60,13 +60,13 @@
        rm -rf /tmp/apache-rat
    
   -# WORKDIR /var/run
    ENV SYFT_VERSION=1.38.2
   -ENV 
SYFT_INSTALL_SHA256=01d0d15aff461f1bc54d1716feb4824341918c4f37e1b6a5a0c0caee2251be67
   -# RUN GOPATH=/usr/local go install 
github.com/anchore/syft/cmd/syft@v${SYFT_VERSION}
   -# TODO: This is much faster than the above, but we should figure out how to 
pin the binaries
   -RUN curl -fsSL 
https://raw.githubusercontent.com/anchore/syft/v${SYFT_VERSION}/install.sh -o 
/tmp/syft-install.sh && \
   -    echo "${SYFT_INSTALL_SHA256}  /tmp/syft-install.sh" | sha256sum -c - && 
\
   -    sh /tmp/syft-install.sh -b /usr/local/bin && \
   -    rm -f /tmp/syft-install.sh
   +# TODO: obtain hash from 
https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_checksums.txt
   +ENV SYFT_SHA256="changeme_obtain_from_official_release_checksums_txt"
   +
   +RUN curl -fsSL 
"https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz";
 \
   +      -o /tmp/syft.tar.gz && \
   +    echo "${SYFT_SHA256}  /tmp/syft.tar.gz" | sha256sum -c - && \
   +    tar -xzf /tmp/syft.tar.gz -C /usr/local/bin syft && \
   +    chmod +x /usr/local/bin/syft && \
   +    rm -f /tmp/syft.tar.gz
   +
    ENV PARLAY_VERSION=0.9.0
    RUN GOPATH=/usr/local go install github.com/snyk/parlay@v${PARLAY_VERSION}
   ````
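Review bot: the `curl` line in this hunk ends with `";` after the closing quote of the URL (`..._linux_amd64.tar.gz"; \`), so the shell runs `curl -fsSL "<url>"` on its own, streaming the tarball to stdout, and then tries to execute `-o /tmp/syft.tar.gz && ...` as a separate command, which fails; drop the semicolon so the line reads `curl -fsSL "<url>" \`. Two smaller points on the same hunk: the download URL and the `SYFT_SHA256` pin are both specific to `linux_amd64`, so a build of this stage on another architecture would fetch the wrong artifact or fail the hash check, and the `changeme_obtain_from_official_release_checksums_txt` placeholder must be replaced with the real value (and the `# TODO: obtain hash from ...` comment resolved) before merge, since `sha256sum -c` will otherwise reject every build.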
   
   ### Open questions
   - The exact SHA256 hash for syft_1.38.2_linux_amd64.tar.gz needs to be 
obtained from the official release checksums file at 
https://github.com/anchore/syft/releases/download/v1.38.2/syft_1.38.2_checksums.txt
   - Should the Dockerfile also verify the tarball's GPG signature (syft 
publishes cosign signatures) for defense-in-depth, or is SHA256 sufficient?
   - The final image still includes `go` comment about it being required for 
syft - this is no longer true with direct binary download, but `go` may still 
be needed in the final image for other reasons (it's not currently installed in 
the final image, only depbuilder)
   
   ### Files examined
   - `Dockerfile.alpine`
   - `BUILD.md`
   - `DEVELOPMENT.md`
   - `Makefile`
   
   ---
   *Draft from a triage agent. A human reviewer should validate before merging 
any change. The agent did not run tests or verify diffs apply.*
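The download, verify and extract steps of the proposed approach, together with the open question of taking the pin from the release checksums file, as an added shell example (my code, not the ATR repository's or the triage bot's): it reads the expected hash for one exact filename from a checksums file, verifies the tarball against it and extracts only the `syft` member, failing closed on a mismatch. The tarball, the checksums file and every filename below are constructed inline.

```shell
#!/bin/sh
# Added example (not ATR or triage-bot code): take a pin from a release
# checksums file by exact filename, then verify and extract a tarball,
# failing closed on mismatch. All inputs are constructed in a temp dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the SHA256 listed for one exact filename in a "<hex>  <name>"
# checksums file; exactly one well-formed entry must match.
pin_hash_for() {  # <checksums-file> <filename>
    n=$(awk -v f="$2" '$2 == f && length($1) == 64' "$1" | wc -l)
    [ "$n" -eq 1 ] || { echo "expected one entry for $2, found $n" >&2; return 1; }
    awk -v f="$2" '$2 == f { print $1 }' "$1"
}

# Check <tarball> against <expected-hex>; only then extract the single
# "syft" member into <destdir>. Nothing is extracted on a mismatch.
verify_and_extract() {  # <tarball> <expected-hex> <destdir>
    echo "$2  $1" | sha256sum -c - >/dev/null 2>&1 \
        || { echo "hash mismatch for $1" >&2; return 1; }
    tar -xzf "$1" -C "$3" syft
    chmod 0755 "$3/syft"
}

# Constructed sample: a tarball holding a stand-in "syft" script, plus a
# checksums file listing it next to a sibling build for another arch.
mkdir -p "$WORK/src" "$WORK/bin"
printf '#!/bin/sh\necho syft-demo\n' > "$WORK/src/syft"
chmod +x "$WORK/src/syft"
TARBALL="$WORK/syft_demo_linux_amd64.tar.gz"
tar -czf "$TARBALL" -C "$WORK/src" syft
GOOD=$(sha256sum "$TARBALL" | awk '{ print $1 }')
OTHER=$(printf '%064d' 0)   # the other arch's hash: wrong for this tarball
{
    printf '%s  syft_demo_linux_amd64.tar.gz\n' "$GOOD"
    printf '%s  syft_demo_linux_arm64.tar.gz\n' "$OTHER"
} > "$WORK/syft_demo_checksums.txt"

# Pin from the checksums file, verify, extract, then confirm that the
# other arch's hash is rejected. Prints the extracted binary's output.
run_demo() {
    expected=$(pin_hash_for "$WORK/syft_demo_checksums.txt" syft_demo_linux_amd64.tar.gz)
    verify_and_extract "$TARBALL" "$expected" "$WORK/bin" || return 1
    if verify_and_extract "$TARBALL" "$OTHER" "$WORK/bin" 2>/dev/null; then
        return 1
    fi
    "$WORK/bin/syft"
}
```

Resolving the pin from the checksums file is a maintainer step whose result goes into the Dockerfile, as the patch does; fetching checksums.txt at build time instead would only trust whatever the download returned.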


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]