From e43916fe8d5bd0c4c996745c1ff9fee9f02a8c1e Mon Sep 17 00:00:00 2001
From: arewm <arewm@users.noreply.github.com>
Date: Thu, 26 Sep 2024 15:03:52 -0400
Subject: [PATCH] fix(KFLUXBUGS-1666): Only analyze build context for
 dependencies

When generating the SBOM, we do not constrain the source analysis to the
build context. This can result in many additional dependencies being
included than should be.

Signed-off-by: arewm <arewm@users.noreply.github.com>
---
 task/buildah-oci-ta/0.2/buildah-oci-ta.yaml               | 7 ++++---
 task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 8 +++++---
 task/buildah-remote/0.2/buildah-remote.yaml               | 8 +++++---
 task/buildah/0.2/buildah.yaml                             | 7 ++++---
 4 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 133df7524..a850096f1 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -195,6 +195,8 @@ spec:
         value: $(params.IMAGE_EXPIRES_AFTER)
       - name: SKIP_UNUSED_STAGES
         value: $(params.SKIP_UNUSED_STAGES)
+      - name: SOURCE_CODE_DIR
+        value: source
       - name: SQUASH
         value: $(params.SQUASH)
       - name: STORAGE_DRIVER
@@ -251,7 +253,6 @@ spec:
           update-ca-trust
         fi
 
-        SOURCE_CODE_DIR=source
         if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
           dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
         elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -459,9 +460,9 @@ spec:
           name: shared
       script: |
         echo "Running syft on the source directory"
-        syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json
+        syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
         echo "Running syft on the image filesystem"
-        syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json
+        syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json"
       computeResources:
         limits:
           cpu: "2"
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index 24743cc0b..538aa9346 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -176,6 +176,8 @@ spec:
       value: $(params.IMAGE_EXPIRES_AFTER)
     - name: SKIP_UNUSED_STAGES
       value: $(params.SKIP_UNUSED_STAGES)
+    - name: SOURCE_CODE_DIR
+      value: source
     - name: SQUASH
       value: $(params.SQUASH)
     - name: STORAGE_DRIVER
@@ -286,7 +288,6 @@ spec:
         update-ca-trust
       fi
 
-      SOURCE_CODE_DIR=source
       if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
         dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
       elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -494,6 +495,7 @@ spec:
           -e IMAGE="$IMAGE" \
           -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
           -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \
+          -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
           -e SQUASH="$SQUASH" \
           -e STORAGE_DRIVER="$STORAGE_DRIVER" \
           -e TARGET_STAGE="$TARGET_STAGE" \
@@ -562,9 +564,9 @@ spec:
         export IMAGE
       fi
       echo "Running syft on the source directory"
-      syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json
+      syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
       echo "Running syft on the image filesystem"
-      syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json
+      syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json"
     volumeMounts:
     - mountPath: /var/lib/containers
       name: varlibcontainers
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index 2d5a68235..eaf91fe79 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -149,6 +149,8 @@ spec:
       value: $(params.STORAGE_DRIVER)
     - name: HERMETIC
       value: $(params.HERMETIC)
+    - name: SOURCE_CODE_DIR
+      value: source
     - name: CONTEXT
       value: $(params.CONTEXT)
     - name: DOCKERFILE
@@ -268,7 +270,6 @@ spec:
         update-ca-trust
       fi
 
-      SOURCE_CODE_DIR=source
       if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
         dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
       elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -467,6 +468,7 @@ spec:
           -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
           -e STORAGE_DRIVER="$STORAGE_DRIVER" \
           -e HERMETIC="$HERMETIC" \
+          -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
           -e CONTEXT="$CONTEXT" \
           -e DOCKERFILE="$DOCKERFILE" \
           -e IMAGE="$IMAGE" \
@@ -544,9 +546,9 @@ spec:
         export IMAGE
       fi
       echo "Running syft on the source directory"
-      syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
+      syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json"
       echo "Running syft on the image filesystem"
-      syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json
+      syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="$(workspaces.source.path)/sbom-image.json"
     volumeMounts:
     - mountPath: /var/lib/containers
       name: varlibcontainers
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 96561dfd7..c1cc7f5f0 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -130,6 +130,8 @@ spec:
       value: $(params.STORAGE_DRIVER)
     - name: HERMETIC
       value: $(params.HERMETIC)
+    - name: SOURCE_CODE_DIR
+      value: source
     - name: CONTEXT
       value: $(params.CONTEXT)
     - name: DOCKERFILE
@@ -188,7 +190,6 @@ spec:
         update-ca-trust
       fi
 
-      SOURCE_CODE_DIR=source
       if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
         dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
       elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -408,9 +409,9 @@ spec:
         cpu: 500m
     script: |
       echo "Running syft on the source directory"
-      syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
+      syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json"
       echo "Running syft on the image filesystem"
-      syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json
+      syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="$(workspaces.source.path)/sbom-image.json"
     volumeMounts:
     - mountPath: /var/lib/containers
       name: varlibcontainers