From e43916fe8d5bd0c4c996745c1ff9fee9f02a8c1e Mon Sep 17 00:00:00 2001
From: arewm <arewm@users.noreply.github.com>
Date: Thu, 26 Sep 2024 15:03:52 -0400
Subject: [PATCH] fix(KFLUXBUGS-1666): Only analyze build context for
 dependencies

When generating the SBOM, we do not constrain the source analysis to the
build context. This can result in many additional dependencies being
included than should be.

Signed-off-by: arewm <arewm@users.noreply.github.com>
---
 task/buildah-oci-ta/0.2/buildah-oci-ta.yaml               | 7 ++++---
 task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 8 +++++---
 task/buildah-remote/0.2/buildah-remote.yaml               | 8 +++++---
 task/buildah/0.2/buildah.yaml                             | 7 ++++---
 4 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 133df7524f..a850096f11 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -195,6 +195,8 @@ spec:
         value: $(params.IMAGE_EXPIRES_AFTER)
       - name: SKIP_UNUSED_STAGES
         value: $(params.SKIP_UNUSED_STAGES)
+      - name: SOURCE_CODE_DIR
+        value: source
       - name: SQUASH
         value: $(params.SQUASH)
       - name: STORAGE_DRIVER
@@ -251,7 +253,6 @@ spec:
           update-ca-trust
         fi
 
-        SOURCE_CODE_DIR=source
         if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
           dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
         elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -459,9 +460,9 @@ spec:
           name: shared
       script: |
         echo "Running syft on the source directory"
-        syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json
+        syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
         echo "Running syft on the image filesystem"
-        syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json
+        syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json"
       computeResources:
         limits:
           cpu: "2"
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index 24743cc0b1..538aa93464 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -176,6 +176,8 @@ spec:
       value: $(params.IMAGE_EXPIRES_AFTER)
     - name: SKIP_UNUSED_STAGES
       value: $(params.SKIP_UNUSED_STAGES)
+    - name: SOURCE_CODE_DIR
+      value: source
     - name: SQUASH
       value: $(params.SQUASH)
     - name: STORAGE_DRIVER
@@ -286,7 +288,6 @@ spec:
         update-ca-trust
       fi
 
-      SOURCE_CODE_DIR=source
       if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
         dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
       elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -494,6 +495,7 @@ spec:
           -e IMAGE="$IMAGE" \
           -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
           -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \
+          -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
           -e SQUASH="$SQUASH" \
           -e STORAGE_DRIVER="$STORAGE_DRIVER" \
           -e TARGET_STAGE="$TARGET_STAGE" \
@@ -562,9 +564,9 @@ spec:
         export IMAGE
       fi
       echo "Running syft on the source directory"
-      syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json
+      syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
       echo "Running syft on the image filesystem"
-      syft dir:$(cat /shared/container_path) --output cyclonedx-json=/var/workdir/sbom-image.json
+      syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json"
     volumeMounts:
     - mountPath: /var/lib/containers
       name: varlibcontainers
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index 2d5a682359..eaf91fe796 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -149,6 +149,8 @@ spec:
       value: $(params.STORAGE_DRIVER)
     - name: HERMETIC
       value: $(params.HERMETIC)
+    - name: SOURCE_CODE_DIR
+      value: source
     - name: CONTEXT
       value: $(params.CONTEXT)
     - name: DOCKERFILE
@@ -268,7 +270,6 @@ spec:
         update-ca-trust
       fi
 
-      SOURCE_CODE_DIR=source
       if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
         dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
       elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -467,6 +468,7 @@ spec:
           -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
           -e STORAGE_DRIVER="$STORAGE_DRIVER" \
           -e HERMETIC="$HERMETIC" \
+          -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
           -e CONTEXT="$CONTEXT" \
           -e DOCKERFILE="$DOCKERFILE" \
           -e IMAGE="$IMAGE" \
@@ -544,9 +546,9 @@ spec:
         export IMAGE
       fi
       echo "Running syft on the source directory"
-      syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
+      syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json"
       echo "Running syft on the image filesystem"
-      syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json
+      syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="$(workspaces.source.path)/sbom-image.json"
     volumeMounts:
     - mountPath: /var/lib/containers
       name: varlibcontainers
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 96561dfd76..c1cc7f5f07 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -130,6 +130,8 @@ spec:
       value: $(params.STORAGE_DRIVER)
     - name: HERMETIC
       value: $(params.HERMETIC)
+    - name: SOURCE_CODE_DIR
+      value: source
     - name: CONTEXT
       value: $(params.CONTEXT)
     - name: DOCKERFILE
@@ -188,7 +190,6 @@ spec:
         update-ca-trust
       fi
 
-      SOURCE_CODE_DIR=source
       if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
         dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
       elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
@@ -408,9 +409,9 @@ spec:
         cpu: 500m
     script: |
       echo "Running syft on the source directory"
-      syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
+      syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json"
       echo "Running syft on the image filesystem"
-      syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json
+      syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="$(workspaces.source.path)/sbom-image.json"
     volumeMounts:
     - mountPath: /var/lib/containers
       name: varlibcontainers