#!/usr/bin/env bash
#
# Requires environment variables:
#   GITHUB_TOKEN  A token with access to the fossas/basis repository.
#                 The script only reads release metadata and assets, so a
#                 token limited to read access is sufficient.
#
# Requires binary dependencies in $PATH:
#   jq    Parse and manipulate json structures.
#   curl  Download data over HTTP(s)
#   sed   Modify syft tag
#   tar   Extract release tarballs
#   upx   Compress binaries (optional)
#
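# Strict mode: abort on any failed command, on use of an unset variable, and
# when any stage of a pipeline fails. Plain `set -e` only sees the last stage
# of a pipeline, so a failing `jq` feeding a later stage would go unnoticed.
set -euo pipefail

# The token is sent as an Authorization header on every GitHub API request
# made by this script; refuse to start without it. `${GITHUB_TOKEN:-}` keeps
# the check itself safe under `set -u`. The diagnostic goes to stderr.
if [ -z "${GITHUB_TOKEN:-}" ]; then
  echo "Provide your GITHUB_TOKEN in the environment" >&2
  exit 1
fi

# Start from an empty vendor/ directory so binaries left over from a previous
# run are never picked up. The path is relative to the current working
# directory; `--` stops option parsing should a file name start with '-'.
rm -f -- vendor/*
mkdir -p vendor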
# Map the running kernel to the suffix used in release asset names.
# macOS and Linux are recognised explicitly; every other kernel name is
# treated as Windows, with a warning printed to stdout.
kernel_name="$(uname -s)"
if [ "$kernel_name" = "Darwin" ]; then
  ASSET_POSTFIX="darwin"
  OS_WINDOWS=false
elif [ "$kernel_name" = "Linux" ]; then
  ASSET_POSTFIX="linux"
  OS_WINDOWS=false
else
  echo "Warn: Assuming $kernel_name is Windows"
  ASSET_POSTFIX="windows.exe"
  OS_WINDOWS=true
fi

# TAG is assigned here but not referenced again in this script.
TAG="latest"
echo "Downloading asset information from latest tag for architecture '$ASSET_POSTFIX'"
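# Download the wiggins binary from a pinned release tag of fossas/basis.
# Reads:  GITHUB_TOKEN, ASSET_POSTFIX
# Writes: vendor/wiggins (the asset name with the "-$ASSET_POSTFIX" suffix removed)
WIGGINS_TAG="2021-07-16-39ef825"
echo "Downloading wiggins binary"
echo "Using wiggins release: $WIGGINS_TAG"
WIGGINS_RELEASE_JSON=vendor/wiggins-release.json

# Fetch the release metadata.
#  - The URL carries an explicit https:// scheme and --proto/--proto-redir
#    pin the transfer to HTTPS. A scheme-less URL makes curl default to plain
#    HTTP, which would send the Authorization header in cleartext before any
#    redirect to HTTPS takes place.
#  - --fail turns an HTTP error (rejected token, unknown tag) into a non-zero
#    exit instead of saving the error body as if it were the release JSON.
# NOTE(review): the token is passed on curl's command line and is visible in
# the process list while curl runs.
curl --fail -sSL --proto '=https' --proto-redir '=https' \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3.raw" \
  "https://api.github.com/repos/fossas/basis/releases/tags/$WIGGINS_TAG" > "$WIGGINS_RELEASE_JSON"
WIGGINS_TAG=$(jq -cr ".name" "$WIGGINS_RELEASE_JSON")

# Look the asset up by exact name. The name is handed to jq with --arg so it
# is compared as data and never spliced into the jq program text.
WIGGINS_ASSET="wiggins-$ASSET_POSTFIX"
WIGGINS_URL=$(jq -r --arg name "$WIGGINS_ASSET" \
  '[.assets[] | select(.name == $name) | .url][0] // empty' "$WIGGINS_RELEASE_JSON")

# Without this check a release lacking the asset would still be reported as a
# successful download while vendor/ stays empty.
if [ -z "$WIGGINS_URL" ]; then
  echo "No asset named '$WIGGINS_ASSET' found in wiggins release '$WIGGINS_TAG'" >&2
  exit 1
fi

WIGGINS_OUTPUT="vendor/${WIGGINS_ASSET%"-$ASSET_POSTFIX"}"
echo "Downloading '$WIGGINS_ASSET' to '$WIGGINS_OUTPUT'"
# NOTE(review): no checksum or signature is verified for the downloaded
# binary before it is later marked executable; if the release publishes
# digests, compare against them here.
curl --fail -sSL --proto '=https' --proto-redir '=https' \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/octet-stream" \
  -o "$WIGGINS_OUTPUT" -- "$WIGGINS_URL"

rm -- "$WIGGINS_RELEASE_JSON"
echo "Wiggins download successful"
echo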
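# Download the forked syft binary from the latest fossas/syft release.
# Reads:  GITHUB_TOKEN, ASSET_POSTFIX, OS_WINDOWS
# Writes: vendor/syft (an empty placeholder on Windows)
if $OS_WINDOWS; then
  echo "Skipping syft for Windows builds"
  touch vendor/syft
else
  echo "Downloading forked syft binary"
  SYFT_RELEASE_JSON=vendor/syft-release.json

  # NOTE(review): this tracks `releases/latest` rather than a pinned tag, so
  # a newly published release is pulled into the build without review and two
  # runs of this script can vendor different binaries.
  #
  # The explicit https:// scheme plus --proto/--proto-redir keep the
  # Authorization header off plain HTTP (curl defaults to HTTP when the URL
  # has no scheme); --fail makes an HTTP error abort the script instead of
  # being saved as the release JSON.
  curl --fail -sSL --proto '=https' --proto-redir '=https' \
    -H "Authorization: token $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github.v3.raw" \
    "https://api.github.com/repos/fossas/syft/releases/latest" > "$SYFT_RELEASE_JSON"

  # Remove leading 'v' from version tag
  # 'v123' -> '123'
  SYFT_TAG=$(jq -cr '.name' "$SYFT_RELEASE_JSON" | sed 's/^v//')
  echo "Using fossas/syft release: $SYFT_TAG"

  # SYFT_TAG comes from the downloaded JSON. Passing the expected asset name
  # with --arg keeps it out of the jq program text, so it is only ever
  # compared as a string.
  SYFT_ASSET="container-scanning_${SYFT_TAG}_${ASSET_POSTFIX}_amd64.tar.gz"
  SYFT_URL=$(jq -r --arg name "$SYFT_ASSET" \
    '[.assets[] | select(.name == $name) | .url][0] // empty' "$SYFT_RELEASE_JSON")

  # Without this check a release lacking the asset would be reported as a
  # successful download although vendor/syft was never created.
  if [ -z "$SYFT_URL" ]; then
    echo "No asset named '$SYFT_ASSET' found in fossas/syft release '$SYFT_TAG'" >&2
    exit 1
  fi

  SYFT_TARBALL="vendor/$SYFT_ASSET"
  echo "Downloading '$SYFT_ASSET' to '$SYFT_TARBALL'"
  # NOTE(review): the tarball is not checked against a checksum or signature
  # before its contents are extracted and later marked executable.
  curl --fail -sSL --proto '=https' --proto-redir '=https' \
    -H "Authorization: token $GITHUB_TOKEN" \
    -H "Accept: application/octet-stream" \
    -o "$SYFT_TARBALL" -- "$SYFT_URL"

  echo "Extracting syft binary from tarball"
  # Extract only the named member, and do it inside vendor/ so a file of the
  # same name in the working directory is never overwritten.
  tar -xzf "$SYFT_TARBALL" -C vendor fossa-container-scanning
  mv -- vendor/fossa-container-scanning vendor/syft
  rm -- "$SYFT_TARBALL"

  rm -- "$SYFT_RELEASE_JSON"
  echo "Forked Syft download successful"
fi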
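# Download the CLI v1 binary from the latest fossas/fossa-cli release.
# Reads:  GITHUB_TOKEN, ASSET_POSTFIX, OS_WINDOWS
# Writes: vendor/cliv1 (an empty placeholder on Windows)
if $OS_WINDOWS; then
  echo "Skipping cliv1 for Windows builds"
  touch vendor/cliv1
else
  echo ""
  echo "Downloading cliv1 binary"
  CLIV1_RELEASE_JSON=vendor/cliv1-release.json

  # NOTE(review): this tracks `releases/latest` rather than a pinned tag, so
  # a newly published release is pulled into the build without review and two
  # runs of this script can vendor different binaries.
  #
  # The explicit https:// scheme plus --proto/--proto-redir keep the
  # Authorization header off plain HTTP (curl defaults to HTTP when the URL
  # has no scheme); --fail makes an HTTP error abort the script instead of
  # being saved as the release JSON.
  curl --fail -sSL --proto '=https' --proto-redir '=https' \
    -H "Authorization: token $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github.v3.raw" \
    "https://api.github.com/repos/fossas/fossa-cli/releases/latest" > "$CLIV1_RELEASE_JSON"

  # Remove leading 'v' from version tag
  # 'v123' -> '123'
  CLIV1_TAG=$(jq -cr '.name' "$CLIV1_RELEASE_JSON" | sed 's/^v//')
  echo "Using fossas/fossa-cli release: $CLIV1_TAG"

  # CLIV1_TAG comes from the downloaded JSON. Passing the expected asset name
  # with --arg keeps it out of the jq program text, so it is only ever
  # compared as a string.
  CLIV1_ASSET="fossa-cli_${CLIV1_TAG}_${ASSET_POSTFIX}_amd64.tar.gz"
  CLIV1_URL=$(jq -r --arg name "$CLIV1_ASSET" \
    '[.assets[] | select(.name == $name) | .url][0] // empty' "$CLIV1_RELEASE_JSON")

  # Without this check a release lacking the asset would be reported as a
  # successful download although vendor/cliv1 was never created.
  if [ -z "$CLIV1_URL" ]; then
    echo "No asset named '$CLIV1_ASSET' found in fossas/fossa-cli release '$CLIV1_TAG'" >&2
    exit 1
  fi

  CLIV1_TARBALL="vendor/$CLIV1_ASSET"
  echo "Downloading '$CLIV1_ASSET' to '$CLIV1_TARBALL'"
  # NOTE(review): the tarball is not checked against a checksum or signature
  # before its contents are extracted and later marked executable.
  curl --fail -sSL --proto '=https' --proto-redir '=https' \
    -H "Authorization: token $GITHUB_TOKEN" \
    -H "Accept: application/octet-stream" \
    -o "$CLIV1_TARBALL" -- "$CLIV1_URL"

  echo "Extracting cliv1 binary from tarball"
  # Extract only the named member, and do it inside vendor/ so a file or
  # directory called `fossa` in the working directory is never overwritten.
  tar -xzf "$CLIV1_TARBALL" -C vendor fossa
  mv -- vendor/fossa vendor/cliv1
  rm -- "$CLIV1_TARBALL"

  rm -- "$CLIV1_RELEASE_JSON"
  echo "CLI v1 download successful"
fi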
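# Finalise vendor/: mark everything executable, optionally compress with upx,
# then list the result.
echo "Marking binaries executable"
chmod +x vendor/*

echo "Compressing binaries"
# Compression stays best-effort, but the two failure modes are reported
# separately: a missing upx, and an upx that ran and rejected a file (for
# example the empty placeholders created for Windows builds). Previously both
# produced the "command not found" message.
# NOTE(review): once packed, the files no longer match the published release
# artifacts byte-for-byte, so any hash comparison against upstream has to
# happen before this step.
if command -v upx >/dev/null 2>&1; then
  upx vendor/* || echo "WARN: 'upx' reported an error, some binaries may not be compressed" >&2
else
  echo "WARN: 'upx' command not found, binaries will not be compressed" >&2
fi

echo "Vendored binaries are ready for use"
ls -lh vendor/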