Added attestation for Gosu

Author: LaurentGoderre

.gitignore

@@ -1 +1,2 @@
 .jq-template.awk
+.template-helper-functions.jq

5.7/Dockerfile.oracle

@@ -13,6 +13,13 @@ elif [ "$BASH_SOURCE" -nt "$jqt" ]; then
 	wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/9f6a35772ac863a0241f147c820354e4008edf38/scripts/jq-template.awk'
 fi
 
+jqf='.template-helper-functions.jq'
+if [ -n "${BASHBREW_SCRIPTS:-}" ]; then
+	jqf="$BASHBREW_SCRIPTS/template-helper-functions.jq"
+elif [ "$BASH_SOURCE" -nt "$jqf" ]; then
+	wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/master/scripts/template-helper-functions.jq'
+fi
+
 if [ "$#" -eq 0 ]; then
 	versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)"
 	eval "set -- $versions"

8.0/Dockerfile.debian

@@ -29,7 +29,8 @@ RUN set -eux; \
 	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
 	chmod +x /usr/local/bin/gosu; \
 	gosu --version; \
-	gosu nobody true
+	gosu nobody true; \
+	echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"gosu-sbom","packages":[{"name":"gosu","versionInfo":"1.16","SPDXID":"SPDXRef-Package--gosu","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/[email protected]?os_name=oraclelinux&os_version=8-slim"}],"licenseDeclared":"Apache-2.0"}]}' > /usr/local/gosu.spdx.json
 
 RUN set -eux; \
 	microdnf install -y \

8.0/Dockerfile.oracle

@@ -1,3 +1,4 @@
+{{ include ".template-helper-functions" -}}
 FROM debian:{{ .debian.suite }}-slim
 
 # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
@@ -7,7 +8,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends gnupg && rm -rf
 
 # add gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.16
+ENV GOSU_VERSION {{ .gosu.version }}
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -26,7 +27,20 @@ RUN set -eux; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	chmod +x /usr/local/bin/gosu; \
 	gosu --version; \
-	gosu nobody true
+	gosu nobody true; \
+	echo {{
+		{
+			name: "gosu",
+			version: .gosu.version,
+			params: {
+				os_name: "debian",
+				os_version: .debian.suite
+			},
+			licenses: [
+				"Apache-2.0"
+			]
+		} | sbom | tostring | @sh
+	}} > /usr/local/gosu.spdx.json
 
 RUN mkdir /docker-entrypoint-initdb.d
 

apply-templates.sh

@@ -1,4 +1,5 @@
 {{
+	include ".template-helper-functions";
 	def dnf:
 		if .oracle.variant | startswith("7") then
 			"yum"
@@ -21,7 +22,7 @@ RUN set -eux; \
 
 # add gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.16
+ENV GOSU_VERSION {{ .gosu.version }}
 RUN set -eux; \
 # TODO find a better userspace architecture detection method than querying the kernel
 	arch="$(uname -m)"; \
@@ -38,7 +39,20 @@ RUN set -eux; \
 	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
 	chmod +x /usr/local/bin/gosu; \
 	gosu --version; \
-	gosu nobody true
+	gosu nobody true; \
+	echo {{
+		{
+			name: "gosu",
+			version: .gosu.version,
+			params: {
+				os_name: "oraclelinux",
+				os_version: .oracle.variant
+			},
+			licenses: [
+				"Apache-2.0"
+			]
+		} | sbom | tostring | @sh
+	}} > /usr/local/gosu.spdx.json
 
 RUN set -eux; \
 {{ if .oracle.variant | startswith("7") then ( -}}

innovation/Dockerfile.oracle

@@ -1,5 +1,8 @@
 {
   "5.7": {
+    "gosu": {
+      "version": "1.16"
+    },
     "mysql-shell": {
       "version": "8.0.34-1.el7"
     },
@@ -20,6 +23,9 @@
       "suite": "bullseye",
       "version": "8.0.34-1debian11"
     },
+    "gosu": {
+      "version": "1.16"
+    },
     "mysql-shell": {
       "version": "8.0.34-1.el8"
     },
@@ -34,6 +40,9 @@
     "version": "8.0.34"
   },
   "innovation": {
+    "gosu": {
+      "version": "1.16"
+    },
     "mysql-shell": {
       "version": "8.0.34-1.el8"
     },

template/Dockerfile.debian

@@ -17,6 +17,8 @@ declare -A bashbrewArchToRpmArch=(
 	[arm64v8]='aarch64'
 )
 
+gosuVersion='1.16'
+
 fetch_rpm_versions() {
 	local repo="$1"; shift
 	local arch="$1"; shift
@@ -144,7 +146,7 @@ for version in "${versions[@]}"; do
 		echo >&2 "error: Oracle and Debian version mismatch! ('$oracleBaseVersion' vs '$baseVersion')"
 		exit 1
 	fi
-	export baseVersion rpmVersion shellVersion oracleVariant
+	export baseVersion rpmVersion shellVersion oracleVariant gosuVersion
 	doc="$(jq <<<"$doc" -c '
 		. += {
 			version: env.baseVersion,
@@ -155,6 +157,9 @@ for version in "${versions[@]}"; do
 			"mysql-shell": {
 				version: env.shellVersion,
 			},
+			"gosu": {
+				version: env.gosuVersion
+			}
 		}
 	')"