Merge pull request #668 from LaurentGoderre/more-sbom

Added attestation from intermediate multi-stage build steps

3.10/alpine/Dockerfile

@@ -18,6 +18,8 @@ RUN apk add --no-cache \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 # /usr/local/src doesn't exist in Alpine by default
 	mkdir -p /usr/local/src; \

3.10/ubuntu/Dockerfile

@@ -8,6 +8,8 @@
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
 FROM ubuntu:22.04 as build-base
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
@@ -19,6 +21,8 @@ RUN set -eux; \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \
 	OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \

3.11/alpine/Dockerfile

@@ -18,6 +18,8 @@ RUN apk add --no-cache \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 # /usr/local/src doesn't exist in Alpine by default
 	mkdir -p /usr/local/src; \

3.11/ubuntu/Dockerfile

@@ -8,6 +8,8 @@
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
 FROM ubuntu:22.04 as build-base
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
@@ -19,6 +21,8 @@ RUN set -eux; \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \
 	OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \

3.12/alpine/Dockerfile

@@ -18,6 +18,8 @@ RUN apk add --no-cache \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 # /usr/local/src doesn't exist in Alpine by default
 	mkdir -p /usr/local/src; \

3.12/ubuntu/Dockerfile

@@ -8,6 +8,8 @@
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
 FROM ubuntu:22.04 as build-base
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
@@ -19,6 +21,8 @@ RUN set -eux; \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \
 	OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \

3.13-rc/alpine/Dockerfile

@@ -18,6 +18,8 @@ RUN apk add --no-cache \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 # /usr/local/src doesn't exist in Alpine by default
 	mkdir -p /usr/local/src; \

3.13-rc/ubuntu/Dockerfile

@@ -8,6 +8,8 @@
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
 FROM ubuntu:22.04 as build-base
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
@@ -19,6 +21,8 @@ RUN set -eux; \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \
 	OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \

3.9/alpine/Dockerfile

@@ -18,6 +18,8 @@ RUN apk add --no-cache \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +113,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 # /usr/local/src doesn't exist in Alpine by default
 	mkdir -p /usr/local/src; \

3.9/ubuntu/Dockerfile

@@ -8,6 +8,8 @@
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
 FROM ubuntu:22.04 as build-base
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
@@ -19,6 +21,8 @@ RUN set -eux; \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -111,6 +115,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \
 	OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \

Dockerfile-alpine.template

@@ -12,6 +12,8 @@ RUN apk add --no-cache \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -145,6 +147,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 # /usr/local/src doesn't exist in Alpine by default
 	mkdir -p /usr/local/src; \

Dockerfile-ubuntu.template

@@ -2,6 +2,8 @@
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
 FROM ubuntu:{{ .ubuntu.version }} as build-base
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
@@ -13,6 +15,8 @@ RUN set -eux; \
 
 FROM build-base as openssl-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
@@ -145,6 +149,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
 
 FROM openssl-builder as erlang-builder
 
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 RUN set -eux; \
 	OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \
 	OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \