Merge branch 'feature/force-push-repos' of https://github.com/radiusm…

…ethod/zarf into feature/force-push-repos
zarf-dev · Oct 1, 2024 · 4fe52f1 · 4fe52f1
2 parents 8d2a0be + 11de4c8
commit 4fe52f1
Show file tree

Hide file tree

Showing 21 changed files with 670 additions and 386 deletions.
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/site/src/content/docs/commands/zarf_tools_sbom.md b/site/src/content/docs/commands/zarf_tools_sbom.md
@@ -21,21 +21,22 @@ zarf tools sbom [flags]
 ### Options
 
 ```
-      --base-path string         base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
-      --catalogers stringArray   enable one or more package catalogers
-  -c, --config string            syft configuration file
-      --exclude stringArray      exclude paths from being scanned using a glob expression
-      --file string              file to write the default report output to (default is STDOUT) (DEPRECATED: use: output)
-  -h, --help                     help for sbom
-      --name string              set the name of the target being analyzed (DEPRECATED: use: source-name)
-  -o, --output stringArray       report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
-      --platform string          an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-  -q, --quiet                    suppress all logging output
-  -s, --scope string             selection of layers to catalog, options=[squashed all-layers]
-      --source-name string       set the name of the target being analyzed
-      --source-version string    set the version of the target being analyzed
-  -t, --template string          specify the path to a Go template file
-  -v, --verbose count            increase verbosity (-v = info, -vv = debug)
+      --base-path string                          base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
+  -c, --config string                             syft configuration file
+      --exclude stringArray                       exclude paths from being scanned using a glob expression
+      --file string                               file to write the default report output to (default is STDOUT) (DEPRECATED: use: output)
+      --from stringArray                          specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
+  -h, --help                                      help for sbom
+  -o, --output stringArray                        report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
+      --override-default-catalogers stringArray   set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
+      --platform string                           an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
+  -q, --quiet                                     suppress all logging output
+  -s, --scope string                              selection of layers to catalog, options=[squashed all-layers]
+      --select-catalogers stringArray             add, remove, and filter the catalogers to be used
+      --source-name string                        set the name of the target being analyzed
+      --source-version string                     set the version of the target being analyzed
+  -t, --template string                           specify the path to a Go template file
+  -v, --verbose count                             increase verbosity (-v = info, -vv = debug)
 ```
 
 ### Options inherited from parent commands
@@ -49,6 +50,8 @@ zarf tools sbom [flags]
 
 * [zarf tools](/commands/zarf_tools/)	 - Collection of additional tools to make airgap easier
 * [zarf tools sbom attest](/commands/zarf_tools_sbom_attest/)	 - Generate an SBOM as an attestation for the given [SOURCE] container image
+* [zarf tools sbom cataloger](/commands/zarf_tools_sbom_cataloger/)	 - Show available catalogers and configuration
+* [zarf tools sbom config](/commands/zarf_tools_sbom_config/)	 - show the syft configuration
 * [zarf tools sbom convert](/commands/zarf_tools_sbom_convert/)	 - Convert between SBOM formats
 * [zarf tools sbom login](/commands/zarf_tools_sbom_login/)	 - Log in to a registry
 * [zarf tools sbom scan](/commands/zarf_tools_sbom_scan/)	 - Generate an SBOM

diff --git a/site/src/content/docs/commands/zarf_tools_sbom_attest.md b/site/src/content/docs/commands/zarf_tools_sbom_attest.md
@@ -21,16 +21,18 @@ zarf tools sbom attest --output [FORMAT] <IMAGE> [flags]
 ### Options
 
 ```
-      --base-path string         base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
-      --catalogers stringArray   enable one or more package catalogers
-      --exclude stringArray      exclude paths from being scanned using a glob expression
-  -h, --help                     help for attest
-      --name string              set the name of the target being analyzed (DEPRECATED: use: source-name)
-  -o, --output stringArray       report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-json])
-      --platform string          an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-  -s, --scope string             selection of layers to catalog, options=[squashed all-layers]
-      --source-name string       set the name of the target being analyzed
-      --source-version string    set the version of the target being analyzed
+      --base-path string                          base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
+      --exclude stringArray                       exclude paths from being scanned using a glob expression
+      --from stringArray                          specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
+  -h, --help                                      help for attest
+  -k, --key string                                the key to use for the attestation
+  -o, --output stringArray                        report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-json])
+      --override-default-catalogers stringArray   set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
+      --platform string                           an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
+  -s, --scope string                              selection of layers to catalog, options=[squashed all-layers]
+      --select-catalogers stringArray             add, remove, and filter the catalogers to be used
+      --source-name string                        set the name of the target being analyzed
+      --source-version string                     set the version of the target being analyzed
 ```
 
 ### Options inherited from parent commands

diff --git a/site/src/content/docs/commands/zarf_tools_sbom_cataloger.md b/site/src/content/docs/commands/zarf_tools_sbom_cataloger.md
@@ -0,0 +1,33 @@
+---
+title: zarf tools sbom cataloger
+description: Zarf CLI command reference for <code>zarf tools sbom cataloger</code>.
+tableOfContents: false
+---
+
+<!-- Page generated by Zarf; DO NOT EDIT -->
+
+## zarf tools sbom cataloger
+
+Show available catalogers and configuration
+
+### Options
+
+```
+  -h, --help   help for cataloger
+```
+
+### Options inherited from parent commands
+
+```
+  -c, --config string              syft configuration file
+      --insecure-skip-tls-verify   Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+      --plain-http                 Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
+  -q, --quiet                      suppress all logging output
+  -v, --verbose count              increase verbosity (-v = info, -vv = debug)
+```
+
+### SEE ALSO
+
+* [zarf tools sbom](/commands/zarf_tools_sbom/)	 - Generates a Software Bill of Materials (SBOM) for the given package
+* [zarf tools sbom cataloger list](/commands/zarf_tools_sbom_cataloger_list/)	 - List available catalogers
+
diff --git a/site/src/content/docs/commands/zarf_tools_sbom_cataloger_list.md b/site/src/content/docs/commands/zarf_tools_sbom_cataloger_list.md
@@ -0,0 +1,40 @@
+---
+title: zarf tools sbom cataloger list
+description: Zarf CLI command reference for <code>zarf tools sbom cataloger list</code>.
+tableOfContents: false
+---
+
+<!-- Page generated by Zarf; DO NOT EDIT -->
+
+## zarf tools sbom cataloger list
+
+List available catalogers
+
+```
+zarf tools sbom cataloger list [OPTIONS] [flags]
+```
+
+### Options
+
+```
+  -h, --help                                      help for list
+  -o, --output string                             format to output the cataloger list (available: table, json)
+      --override-default-catalogers stringArray   override the default catalogers with an expression (default [all])
+      --select-catalogers stringArray             select catalogers with an expression
+  -s, --show-hidden                               show catalogers that have been de-selected
+```
+
+### Options inherited from parent commands
+
+```
+  -c, --config string              syft configuration file
+      --insecure-skip-tls-verify   Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+      --plain-http                 Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
+  -q, --quiet                      suppress all logging output
+  -v, --verbose count              increase verbosity (-v = info, -vv = debug)
+```
+
+### SEE ALSO
+
+* [zarf tools sbom cataloger](/commands/zarf_tools_sbom_cataloger/)	 - Show available catalogers and configuration
+
diff --git a/site/src/content/docs/commands/zarf_tools_sbom_config.md b/site/src/content/docs/commands/zarf_tools_sbom_config.md
@@ -0,0 +1,38 @@
+---
+title: zarf tools sbom config
+description: Zarf CLI command reference for <code>zarf tools sbom config</code>.
+tableOfContents: false
+---
+
+<!-- Page generated by Zarf; DO NOT EDIT -->
+
+## zarf tools sbom config
+
+show the syft configuration
+
+```
+zarf tools sbom config [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for config
+      --load   load and validate the syft configuration
+```
+
+### Options inherited from parent commands
+
+```
+  -c, --config string              syft configuration file
+      --insecure-skip-tls-verify   Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+      --plain-http                 Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
+  -q, --quiet                      suppress all logging output
+  -v, --verbose count              increase verbosity (-v = info, -vv = debug)
+```
+
+### SEE ALSO
+
+* [zarf tools sbom](/commands/zarf_tools_sbom/)	 - Generates a Software Bill of Materials (SBOM) for the given package
+* [zarf tools sbom config locations](/commands/zarf_tools_sbom_config_locations/)	 - shows all locations and the order in which syft will look for a configuration file
+
diff --git a/site/src/content/docs/commands/zarf_tools_sbom_config_locations.md b/site/src/content/docs/commands/zarf_tools_sbom_config_locations.md
@@ -0,0 +1,37 @@
+---
+title: zarf tools sbom config locations
+description: Zarf CLI command reference for <code>zarf tools sbom config locations</code>.
+tableOfContents: false
+---
+
+<!-- Page generated by Zarf; DO NOT EDIT -->
+
+## zarf tools sbom config locations
+
+shows all locations and the order in which syft will look for a configuration file
+
+```
+zarf tools sbom config locations [flags]
+```
+
+### Options
+
+```
+      --all    include every file extension supported
+  -h, --help   help for locations
+```
+
+### Options inherited from parent commands
+
+```
+  -c, --config string              syft configuration file
+      --insecure-skip-tls-verify   Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+      --plain-http                 Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
+  -q, --quiet                      suppress all logging output
+  -v, --verbose count              increase verbosity (-v = info, -vv = debug)
+```
+
+### SEE ALSO
+
+* [zarf tools sbom config](/commands/zarf_tools_sbom_config/)	 - show the syft configuration
+
diff --git a/site/src/content/docs/commands/zarf_tools_sbom_scan.md b/site/src/content/docs/commands/zarf_tools_sbom_scan.md
@@ -21,18 +21,19 @@ zarf tools sbom scan [SOURCE] [flags]
 ### Options
 
 ```
-      --base-path string         base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
-      --catalogers stringArray   enable one or more package catalogers
-      --exclude stringArray      exclude paths from being scanned using a glob expression
-      --file string              file to write the default report output to (default is STDOUT) (DEPRECATED: use: output)
-  -h, --help                     help for scan
-      --name string              set the name of the target being analyzed (DEPRECATED: use: source-name)
-  -o, --output stringArray       report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
-      --platform string          an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-  -s, --scope string             selection of layers to catalog, options=[squashed all-layers]
-      --source-name string       set the name of the target being analyzed
-      --source-version string    set the version of the target being analyzed
-  -t, --template string          specify the path to a Go template file
+      --base-path string                          base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
+      --exclude stringArray                       exclude paths from being scanned using a glob expression
+      --file string                               file to write the default report output to (default is STDOUT) (DEPRECATED: use: output)
+      --from stringArray                          specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
+  -h, --help                                      help for scan
+  -o, --output stringArray                        report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
+      --override-default-catalogers stringArray   set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
+      --platform string                           an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
+  -s, --scope string                              selection of layers to catalog, options=[squashed all-layers]
+      --select-catalogers stringArray             add, remove, and filter the catalogers to be used
+      --source-name string                        set the name of the target being analyzed
+      --source-version string                     set the version of the target being analyzed
+  -t, --template string                           specify the path to a Go template file
 ```
 
 ### Options inherited from parent commands

diff --git a/src/cmd/package.go b/src/cmd/package.go
@@ -30,7 +30,7 @@ import (
 	"github.com/zarf-dev/zarf/src/pkg/message"
 	"github.com/zarf-dev/zarf/src/pkg/packager"
 	"github.com/zarf-dev/zarf/src/pkg/packager/filters"
-	"github.com/zarf-dev/zarf/src/pkg/packager/sources"
+	"github.com/zarf-dev/zarf/src/pkg/utils"
 	"github.com/zarf-dev/zarf/src/types"
 )
 
@@ -189,26 +189,39 @@ var packageInspectCmd = &cobra.Command{
 		}
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
-		packageSource, err := choosePackage(args)
+		src, err := choosePackage(args)
 		if err != nil {
 			return err
 		}
-		pkgConfig.PkgOpts.PackageSource = packageSource
-		src, err := identifyAndFallbackToClusterSource()
-		if err != nil {
-			return err
+
+		cluster, _ := cluster.NewCluster()
+		inspectOpt := packager2.ZarfInspectOptions{
+			Source:                  src,
+			SkipSignatureValidation: pkgConfig.PkgOpts.SkipSignatureValidation,
+			Cluster:                 cluster,
+			ListImages:              pkgConfig.InspectOpts.ListImages,
+			ViewSBOM:                pkgConfig.InspectOpts.ViewSBOM,
+			SBOMOutputDir:           pkgConfig.InspectOpts.SBOMOutputDir,
+			PublicKeyPath:           pkgConfig.PkgOpts.PublicKeyPath,
 		}
-		pkgClient, err := packager.New(&pkgConfig, packager.WithSource(src))
-		if err != nil {
-			return err
+
+		if pkgConfig.InspectOpts.ListImages {
+			output, err := packager2.InspectList(cmd.Context(), inspectOpt)
+			if err != nil {
+				return fmt.Errorf("failed to inspect package: %w", err)
+			}
+			for _, image := range output {
+				fmt.Fprintln(os.Stdout, "-", image)
+			}
 		}
-		defer pkgClient.ClearTempPaths()
-		if err := pkgClient.Inspect(cmd.Context()); err != nil {
+
+		output, err := packager2.Inspect(cmd.Context(), inspectOpt)
+		if err != nil {
 			return fmt.Errorf("failed to inspect package: %w", err)
 		}
+		utils.ColorPrintYAML(output, nil, false)
 		return nil
 	},
-	ValidArgsFunction: getPackageCompletionArgs,
 }
 
 var packageListCmd = &cobra.Command{
@@ -281,6 +294,7 @@ var packageRemoveCmd = &cobra.Command{
 			Cluster:                 cluster,
 			Filter:                  filter,
 			SkipSignatureValidation: pkgConfig.PkgOpts.SkipSignatureValidation,
+			PublicKeyPath:           pkgConfig.PkgOpts.PublicKeyPath,
 		}
 		err = packager2.Remove(cmd.Context(), removeOpt)
 		if err != nil {
@@ -385,22 +399,6 @@ func choosePackage(args []string) (string, error) {
 	return path, nil
 }
 
-// NOTE: If the source is identified nil is returned because packager will create the source if it is nil.
-// If it can't be identified the cluster source is used causing packager to ignore the configured package source.
-// Use of cluster package source is limited to a few functions which is why this is not the default behavior.
-func identifyAndFallbackToClusterSource() (sources.PackageSource, error) {
-	identifiedSrc := sources.Identify(pkgConfig.PkgOpts.PackageSource)
-	if identifiedSrc == "" {
-		message.Debugf(lang.CmdPackageClusterSourceFallback, pkgConfig.PkgOpts.PackageSource)
-		src, err := sources.NewClusterSource(&pkgConfig.PkgOpts)
-		if err != nil {
-			return nil, fmt.Errorf("unable to identify source from %s: %w", pkgConfig.PkgOpts.PackageSource, err)
-		}
-		return src, nil
-	}
-	return nil, nil
-}
-
 func getPackageCompletionArgs(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
 	var pkgCandidates []string