Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion docker/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@
# so shipping the client just makes the web-UI toggle available out of the box.
ARG SBOM_SCANOSS=true
# renovate: datasource=pypi depName=scanoss
ARG SCANOSS_VERSION=1.25.2
ARG SCANOSS_VERSION=1.54.1
ARG TARGETARCH=amd64
# docker CLI (client only) — lets the web UI source scan launch cdxgen language
# images as sibling containers via the mounted host socket (transitive deps).
Expand Down Expand Up @@ -95,12 +95,12 @@
# jq (helper scripts), curl/tar (installers), file (binary mode),
# git (web UI 'GitHub URL' ingestion: server.py clones into a temp source tree).
# python3 + pip are already in the python:3.12-slim base (web UI + scancode).
RUN apt-get update && apt-get install -y --no-install-recommends \

Check failure on line 98 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 98 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 98 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
jq curl wget ca-certificates bash tar file git \
&& rm -rf /var/lib/apt/lists/*

# syft — image/binary/RootFS scanning (pinned)
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \

Check failure on line 103 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check

Check failure on line 103 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check

Check failure on line 103 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
| sh -s -- -b /usr/local/bin "${SYFT_VERSION}" \
&& syft version

Expand Down Expand Up @@ -159,7 +159,7 @@
ENV EXTRACTCODE_LIBARCHIVE_PATH=/usr/local/lib/libarchive.so \
TYPECODE_LIBMAGIC_PATH=/usr/local/lib/libmagic.so \
TYPECODE_LIBMAGIC_DB_PATH=/usr/share/misc/magic.mgc
RUN if [ "$SBOM_DEEP_LICENSE" = "true" ]; then \

Check failure on line 162 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

SC2046 warning: Quote this to prevent word splitting.

Check failure on line 162 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check

Check failure on line 162 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 162 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

SC2046 warning: Quote this to prevent word splitting.

Check failure on line 162 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check

Check failure on line 162 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 162 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

SC2046 warning: Quote this to prevent word splitting.

Check failure on line 162 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check

Check failure on line 162 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
apt-get update && apt-get install -y --no-install-recommends \
build-essential libicu-dev pkg-config python3-dev \
libarchive13 libmagic1 \
Expand Down Expand Up @@ -198,7 +198,7 @@
# NOTE: the PyPI `binwalk` 2.x dist is broken (no binwalk.core), so it is NOT
# installed; unsquashfs covers the common squashfs case. vendor-modified
# (non-standard) squashfs still needs sasquatch added on top of this.
RUN if [ "$SBOM_FIRMWARE" = "true" ]; then \

Check failure on line 201 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 201 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 201 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
apt-get update && apt-get install -y --no-install-recommends \
squashfs-tools e2fsprogs p7zip-full unar cpio cabextract \
lzop zstd lz4 liblzo2-2 zlib1g \
Expand Down Expand Up @@ -233,7 +233,7 @@
ARG NVD_FEED_REPO="https://github.com/fkie-cad/nvd-json-data-feeds"
COPY build-cpe-index.py /tmp/build-cpe-index.py
COPY lib/firmware-cpe-match.py /tmp/firmware-cpe-match.py
RUN if [ "$SBOM_FIRMWARE" = "true" ]; then \

Check failure on line 236 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check

Check failure on line 236 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check

Check failure on line 236 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
set -e; \
echo "[build] seeding stub cve.db (cve-bin-tool EmptyCache guard) ..."; \
mkdir -p "$CVE_BIN_TOOL_HOME/.cache/cve-bin-tool"; \
Expand Down Expand Up @@ -261,7 +261,7 @@
# release yet). Cloned into /opt/aibom-generator and run as `python -m src.cli`
# from there: a bare `pip install` drops the tool's data files (model-field
# registry, SPDX schema), so we keep the repo layout. git is in the base layer.
RUN if [ "$SBOM_AIBOM" = "true" ]; then \

Check failure on line 264 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3003 warning: Use WORKDIR to switch to a directory

Check failure on line 264 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 264 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3003 warning: Use WORKDIR to switch to a directory

Check failure on line 264 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 264 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3003 warning: Use WORKDIR to switch to a directory

Check failure on line 264 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
git clone --quiet https://github.com/GenAI-Security-Project/aibom-generator /opt/aibom-generator \
&& git -C /opt/aibom-generator checkout --quiet "${AIBOM_GENERATOR_REF}" \
&& pip3 install --no-cache-dir -r /opt/aibom-generator/requirements.txt \
Expand All @@ -278,7 +278,7 @@
# plus its native deps (libpango/cairo/gdk-pixbuf, ~50-60 MB). generate-notice.sh
# detects it via `command -v weasyprint` and skips the PDF step when it is absent,
# so the default image stays lean and a scan never fails for lack of the renderer.
RUN if [ "$SBOM_PDF" = "true" ]; then \

Check failure on line 281 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 281 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Check failure on line 281 in docker/Dockerfile

View workflow job for this annotation

GitHub Actions / Lint Scripts

DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
apt-get update && apt-get install -y --no-install-recommends \
libpango-1.0-0 libpangocairo-1.0-0 libgdk-pixbuf-2.0-0 libcairo2 libffi8 \
fonts-dejavu-core \
Expand Down
Loading