2022-08-03 22:36:13 +02:00
|
|
|
# syntax=docker/dockerfile:1
|
2020-08-17 16:20:02 +02:00
|
|
|
|
|
|
|
|
|
2020-09-22 12:13:00 +02:00
|
|
|
# Copyright 2020 Docker Compose CLI authors
|
2020-06-18 16:13:24 +02:00
|
|
|
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
|
# limitations under the License.
|
2020-09-22 12:13:00 +02:00
|
|
|
|
update to go1.21.1
go1.21.1 (released 2023-09-06) includes four security fixes to the cmd/go,
crypto/tls, and html/template packages, as well as bug fixes to the compiler,
the go command, the linker, the runtime, and the context, crypto/tls,
encoding/gob, encoding/xml, go/types, net/http, os, and path/filepath packages.
See the Go 1.21.1 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.21.1+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.21.0...go1.21.1
From the security mailing:
[security] Go 1.21.1 and Go 1.20.8 are released
Hello gophers,
We have just released Go versions 1.21.1 and 1.20.8, minor point releases.
These minor releases include 4 security fixes following the security policy:
- cmd/go: go.mod toolchain directive allows arbitrary execution
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
execute scripts and binaries relative to the root of the module when the "go"
command was executed within the module. This applies to modules downloaded using
the "go" command from the module proxy, as well as modules downloaded directly
using VCS software.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.
- html/template: improper handling of HTML-like comments within script contexts
The html/template package did not properly handle HMTL-like "<!--" and "-->"
comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
cause the template parser to improperly interpret the contents of <script>
contexts, causing actions to be improperly escaped. This could be leveraged to
perform an XSS attack.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.
This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.
- html/template: improper handling of special tags within script contexts
The html/template package did not apply the proper rules for handling occurrences
of "<script", "<!--", and "</script" within JS literals in <script> contexts.
This may cause the template parser to improperly consider script contexts to be
terminated early, causing actions to be improperly escaped. This could be
leveraged to perform an XSS attack.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.
This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.
- crypto/tls: panic when processing post-handshake message on QUIC connections
Processing an incomplete post-handshake message for a QUIC connection caused a panic.
Thanks to Marten Seemann for reporting this issue.
This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-14 09:27:06 +02:00
|
|
|
ARG GO_VERSION=1.21.1
|
2023-04-04 21:10:01 +02:00
|
|
|
ARG XX_VERSION=1.2.1
|
2023-08-21 20:52:13 +02:00
|
|
|
ARG GOLANGCI_LINT_VERSION=v1.54.2
|
2022-08-12 15:05:52 +02:00
|
|
|
ARG ADDLICENSE_VERSION=v1.0.0
|
|
|
|
|
|
2023-01-09 12:37:55 +01:00
|
|
|
ARG BUILD_TAGS="e2e"
|
2022-08-12 15:05:52 +02:00
|
|
|
ARG DOCS_FORMATS="md,yaml"
|
|
|
|
|
ARG LICENSE_FILES=".*\(Dockerfile\|Makefile\|\.go\|\.hcl\|\.sh\)"
|
|
|
|
|
|
|
|
|
|
# xx is a helper for cross-compilation
|
|
|
|
|
FROM --platform=${BUILDPLATFORM} tonistiigi/xx:${XX_VERSION} AS xx
|
|
|
|
|
|
2023-02-07 14:57:45 +01:00
|
|
|
# osxcross contains the MacOSX cross toolchain for xx
|
|
|
|
|
FROM crazymax/osxcross:11.3-alpine AS osxcross
|
|
|
|
|
|
2022-08-12 15:05:52 +02:00
|
|
|
FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint
|
|
|
|
|
FROM ghcr.io/google/addlicense:${ADDLICENSE_VERSION} AS addlicense
|
|
|
|
|
|
|
|
|
|
FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine AS base
|
|
|
|
|
COPY --from=xx / /
|
|
|
|
|
RUN apk add --no-cache \
|
2023-02-07 14:57:45 +01:00
|
|
|
clang \
|
2022-08-12 15:05:52 +02:00
|
|
|
docker \
|
|
|
|
|
file \
|
2023-01-30 11:58:55 +01:00
|
|
|
findutils \
|
2022-08-12 15:05:52 +02:00
|
|
|
git \
|
2022-08-26 22:06:24 +02:00
|
|
|
make \
|
2022-08-12 15:05:52 +02:00
|
|
|
protoc \
|
|
|
|
|
protobuf-dev
|
|
|
|
|
WORKDIR /src
|
|
|
|
|
ENV CGO_ENABLED=0
|
|
|
|
|
|
|
|
|
|
FROM base AS build-base
|
2020-05-29 11:30:12 +02:00
|
|
|
COPY go.* .
|
2020-09-23 17:13:27 +02:00
|
|
|
RUN --mount=type=cache,target=/go/pkg/mod \
|
2021-05-19 16:59:21 +02:00
|
|
|
--mount=type=cache,target=/root/.cache/go-build \
|
2020-09-23 17:13:27 +02:00
|
|
|
go mod download
|
2020-05-04 23:49:40 +02:00
|
|
|
|
2022-08-12 15:05:52 +02:00
|
|
|
FROM build-base AS vendored
|
|
|
|
|
RUN --mount=type=bind,target=.,rw \
|
2020-09-23 17:13:27 +02:00
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
2022-08-12 15:05:52 +02:00
|
|
|
go mod tidy && mkdir /out && cp go.mod go.sum /out
|
|
|
|
|
|
|
|
|
|
FROM scratch AS vendor-update
|
|
|
|
|
COPY --from=vendored /out /
|
|
|
|
|
|
|
|
|
|
FROM vendored AS vendor-validate
|
|
|
|
|
RUN --mount=type=bind,target=.,rw <<EOT
|
|
|
|
|
set -e
|
|
|
|
|
git add -A
|
|
|
|
|
cp -rf /out/* .
|
|
|
|
|
diff=$(git status --porcelain -- go.mod go.sum)
|
|
|
|
|
if [ -n "$diff" ]; then
|
|
|
|
|
echo >&2 'ERROR: Vendor result differs. Please vendor your package with "make go-mod-tidy"'
|
|
|
|
|
echo "$diff"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
EOT
|
|
|
|
|
|
|
|
|
|
FROM build-base AS build
|
2020-06-15 17:41:59 +02:00
|
|
|
ARG BUILD_TAGS
|
2023-03-10 10:08:24 +01:00
|
|
|
ARG BUILD_FLAGS
|
2022-08-12 15:05:52 +02:00
|
|
|
ARG TARGETPLATFORM
|
|
|
|
|
RUN --mount=type=bind,target=. \
|
|
|
|
|
--mount=type=cache,target=/root/.cache \
|
2020-09-23 17:13:27 +02:00
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
2023-02-07 14:57:45 +01:00
|
|
|
--mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk \
|
|
|
|
|
xx-go --wrap && \
|
|
|
|
|
if [ "$(xx-info os)" == "darwin" ]; then export CGO_ENABLED=1; fi && \
|
2023-06-08 20:58:21 +02:00
|
|
|
make build GO_BUILDTAGS="$BUILD_TAGS" DESTDIR=/out && \
|
|
|
|
|
xx-verify --static /out/docker-compose
|
2021-05-27 12:10:37 +02:00
|
|
|
|
2022-08-12 15:05:52 +02:00
|
|
|
FROM build-base AS lint
|
|
|
|
|
ARG BUILD_TAGS
|
2023-08-21 20:52:13 +02:00
|
|
|
ENV GOLANGCI_LINT_CACHE=/cache/golangci-lint
|
2022-08-12 15:05:52 +02:00
|
|
|
RUN --mount=type=bind,target=. \
|
|
|
|
|
--mount=type=cache,target=/root/.cache \
|
2023-07-10 18:26:16 +02:00
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
2023-08-21 20:52:13 +02:00
|
|
|
--mount=type=cache,target=/cache/golangci-lint \
|
2022-08-12 15:05:52 +02:00
|
|
|
--mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
|
2023-08-21 20:52:13 +02:00
|
|
|
golangci-lint cache status && \
|
2022-08-12 15:05:52 +02:00
|
|
|
golangci-lint run --build-tags "$BUILD_TAGS" ./...
|
2020-04-22 10:04:11 +02:00
|
|
|
|
2022-08-12 15:05:52 +02:00
|
|
|
FROM build-base AS test
|
|
|
|
|
ARG CGO_ENABLED=0
|
2020-07-07 15:48:09 +02:00
|
|
|
ARG BUILD_TAGS
|
2022-08-12 15:05:52 +02:00
|
|
|
RUN --mount=type=bind,target=. \
|
|
|
|
|
--mount=type=cache,target=/root/.cache \
|
2020-09-23 17:13:27 +02:00
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
2023-06-08 20:58:21 +02:00
|
|
|
rm -rf /tmp/coverage && \
|
|
|
|
|
mkdir -p /tmp/coverage && \
|
|
|
|
|
go test -tags "$BUILD_TAGS" -v -cover -covermode=atomic $(go list $(TAGS) ./... | grep -vE 'e2e') -args -test.gocoverdir="/tmp/coverage" && \
|
|
|
|
|
go tool covdata percent -i=/tmp/coverage
|
2022-08-12 15:05:52 +02:00
|
|
|
|
|
|
|
|
FROM scratch AS test-coverage
|
2023-06-08 20:58:21 +02:00
|
|
|
COPY --from=test --link /tmp/coverage /
|
2022-08-12 15:05:52 +02:00
|
|
|
|
|
|
|
|
FROM base AS license-set
|
|
|
|
|
ARG LICENSE_FILES
|
|
|
|
|
RUN --mount=type=bind,target=.,rw \
|
|
|
|
|
--mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \
|
|
|
|
|
find . -regex "${LICENSE_FILES}" | xargs addlicense -c 'Docker Compose CLI' -l apache && \
|
|
|
|
|
mkdir /out && \
|
|
|
|
|
find . -regex "${LICENSE_FILES}" | cpio -pdm /out
|
|
|
|
|
|
|
|
|
|
FROM scratch AS license-update
|
|
|
|
|
COPY --from=set /out /
|
|
|
|
|
|
|
|
|
|
FROM base AS license-validate
|
|
|
|
|
ARG LICENSE_FILES
|
|
|
|
|
RUN --mount=type=bind,target=. \
|
|
|
|
|
--mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \
|
|
|
|
|
find . -regex "${LICENSE_FILES}" | xargs addlicense -check -c 'Docker Compose CLI' -l apache -ignore validate -ignore testdata -ignore resolvepath -v
|
|
|
|
|
|
|
|
|
|
FROM base AS docsgen
|
|
|
|
|
WORKDIR /src
|
2020-08-17 15:18:47 +02:00
|
|
|
RUN --mount=target=. \
|
2022-08-12 15:05:52 +02:00
|
|
|
--mount=target=/root/.cache,type=cache \
|
2023-07-10 18:26:16 +02:00
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
2022-08-12 15:05:52 +02:00
|
|
|
go build -o /out/docsgen ./docs/yaml/main/generate.go
|
|
|
|
|
|
|
|
|
|
FROM --platform=${BUILDPLATFORM} alpine AS docs-build
|
|
|
|
|
RUN apk add --no-cache rsync git
|
|
|
|
|
WORKDIR /src
|
|
|
|
|
COPY --from=docsgen /out/docsgen /usr/bin
|
|
|
|
|
ARG DOCS_FORMATS
|
|
|
|
|
RUN --mount=target=/context \
|
|
|
|
|
--mount=target=.,type=tmpfs <<EOT
|
|
|
|
|
set -e
|
|
|
|
|
rsync -a /context/. .
|
|
|
|
|
docsgen --formats "$DOCS_FORMATS" --source "docs/reference"
|
|
|
|
|
mkdir /out
|
|
|
|
|
cp -r docs/reference /out
|
|
|
|
|
EOT
|
|
|
|
|
|
|
|
|
|
FROM scratch AS docs-update
|
|
|
|
|
COPY --from=docs-build /out /out
|
|
|
|
|
|
|
|
|
|
FROM docs-build AS docs-validate
|
|
|
|
|
RUN --mount=target=/context \
|
|
|
|
|
--mount=target=.,type=tmpfs <<EOT
|
|
|
|
|
set -e
|
|
|
|
|
rsync -a /context/. .
|
|
|
|
|
git add -A
|
|
|
|
|
rm -rf docs/reference/*
|
|
|
|
|
cp -rf /out/* ./docs/
|
|
|
|
|
if [ -n "$(git status --porcelain -- docs/reference)" ]; then
|
|
|
|
|
echo >&2 'ERROR: Docs result differs. Please update with "make docs"'
|
|
|
|
|
git status --porcelain -- docs/reference
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
EOT
|
|
|
|
|
|
|
|
|
|
FROM scratch AS binary-unix
|
2023-06-08 20:58:21 +02:00
|
|
|
COPY --link --from=build /out/docker-compose /
|
2022-08-12 15:05:52 +02:00
|
|
|
FROM binary-unix AS binary-darwin
|
|
|
|
|
FROM binary-unix AS binary-linux
|
|
|
|
|
FROM scratch AS binary-windows
|
2023-06-08 20:58:21 +02:00
|
|
|
COPY --link --from=build /out/docker-compose /docker-compose.exe
|
2022-08-12 15:05:52 +02:00
|
|
|
FROM binary-$TARGETOS AS binary
|
2023-03-14 11:08:04 +01:00
|
|
|
# enable scanning for this stage
|
|
|
|
|
ARG BUILDKIT_SBOM_SCAN_STAGE=true
|
2022-08-12 15:05:52 +02:00
|
|
|
|
|
|
|
|
FROM --platform=$BUILDPLATFORM alpine AS releaser
|
|
|
|
|
WORKDIR /work
|
|
|
|
|
ARG TARGETOS
|
|
|
|
|
ARG TARGETARCH
|
|
|
|
|
ARG TARGETVARIANT
|
|
|
|
|
RUN --mount=from=binary \
|
|
|
|
|
mkdir -p /out && \
|
|
|
|
|
# TODO: should just use standard arch
|
|
|
|
|
TARGETARCH=$([ "$TARGETARCH" = "amd64" ] && echo "x86_64" || echo "$TARGETARCH"); \
|
|
|
|
|
TARGETARCH=$([ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "$TARGETARCH"); \
|
2022-08-14 22:29:57 +02:00
|
|
|
cp docker-compose* "/out/docker-compose-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}$(ls docker-compose* | sed -e 's/^docker-compose//')"
|
2022-08-12 15:05:52 +02:00
|
|
|
|
|
|
|
|
FROM scratch AS release
|
|
|
|
|
COPY --from=releaser /out/ /
|
