|
| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +set -euo pipefail |
| 4 | + |
| 5 | +usage() { |
| 6 | + echo "Usage: $0 <image1> <image2> [artifact-type...]" |
| 7 | + echo "Scans two container images with syft and diffs the packages." |
| 8 | + echo "Outputs JSON with 'added', 'removed' and 'changed' packages." |
| 9 | + echo "Optional artifact types filter packages (e.g., apk deb rpm python)." |
| 10 | + exit 1 |
| 11 | +} |
| 12 | + |
| 13 | +if [ $# -lt 2 ]; then |
| 14 | + usage |
| 15 | +fi |
| 16 | + |
| 17 | +# Check we have the required tools installed to run the script |
| 18 | +cmds=" |
| 19 | + crane |
| 20 | + jq |
| 21 | + syft |
| 22 | +" |
| 23 | +missing_cmds="" |
| 24 | +for cmd in ${cmds}; do |
| 25 | + if ! command -v "${cmd}" &> /dev/null; then |
| 26 | + missing_cmds+="${cmd} " |
| 27 | + fi |
| 28 | +done |
| 29 | +if [[ -n "${missing_cmds}" ]]; then |
| 30 | + echo "Missing required commands: ${missing_cmds}" >&2 |
| 31 | + exit 1 |
| 32 | +fi |
| 33 | + |
| 34 | +# Resolve the images to a digest so we can be sure which images we're scanning |
| 35 | +image1=$(crane digest --full-ref "${1}") |
| 36 | +image2=$(crane digest --full-ref "${2}") |
| 37 | + |
| 38 | +shift 2 |
| 39 | + |
| 40 | +# Remaining arguments are artifact types. Convert them to a json array for jq. |
| 41 | +artifact_types='[]' |
| 42 | +if [ $# -gt 0 ]; then |
| 43 | + artifact_types=$(printf '"%s"\n' "${@}" | jq -s .) |
| 44 | +fi |
| 45 | + |
| 46 | +# Save output files to a tempdir |
| 47 | +tmpdir=$(mktemp -d) |
| 48 | +trap "rm -rf ${tmpdir}" EXIT |
| 49 | +sbom1="${tmpdir}/image1-sbom.json" |
| 50 | +sbom2="${tmpdir}/image2-sbom.json" |
| 51 | + |
| 52 | +# Generate SBOMs for each image with syft |
| 53 | +echo "Generating SBOM for $image1 with syft..." >&2 |
| 54 | +syft "$image1" -o syft-json > "$sbom1" |
| 55 | + |
| 56 | +echo "Generating SBOM for $image2 with syft..." >&2 |
| 57 | +syft "$image2" -o syft-json > "$sbom2" |
| 58 | + |
| 59 | +# Diff the sboms with jq |
| 60 | +echo "Calculating diff..." >&2 |
| 61 | +jq -n -s \ |
| 62 | + --slurpfile sbom1 "$sbom1" \ |
| 63 | + --slurpfile sbom2 "$sbom2" \ |
| 64 | + --argjson artifact_types "$artifact_types" ' |
| 65 | +# Extract packages from a syft-json SBOM |
| 66 | +def extract_packages(sbom): |
| 67 | + sbom[0].artifacts | |
| 68 | + (if ($artifact_types | length) > 0 then map(select(.type as $t | $artifact_types | index($t))) else . end) | |
| 69 | + map( |
| 70 | + { |
| 71 | + purl: .purl, |
| 72 | + name: .name, |
| 73 | + version: .version, |
| 74 | + type: .type |
| 75 | + } |
| 76 | + ) | |
| 77 | + unique_by(.purl) | |
| 78 | + sort_by(.purl); |
| 79 | +
|
| 80 | +# Create a normalized purl we can compare by removing the version. |
| 81 | +def normalized_purl(purl): |
| 82 | + purl | gsub("@[^?]*";"@0.0.0"); |
| 83 | +
|
| 84 | +# Identify that packages that have been added, removed and changed between the |
| 85 | +# two lists of packages. |
| 86 | +def diff_packages(old; new): |
| 87 | + { |
| 88 | + added: ( |
| 89 | + new | |
| 90 | + map(select(normalized_purl(.purl) as $p | (old | map(normalized_purl(.purl))) | index($p) | not)) |
| 91 | + ), |
| 92 | + removed: ( |
| 93 | + old | |
| 94 | + map(select(normalized_purl(.purl) as $np | (new | map(normalized_purl(.purl))) | index($np) | not)) |
| 95 | + ), |
| 96 | + changed: ([ |
| 97 | + new[] as $new_pkg | |
| 98 | + old[] as $old_pkg | |
| 99 | + select(normalized_purl($new_pkg.purl) == normalized_purl($old_pkg.purl) and $new_pkg.version != $old_pkg.version) | |
| 100 | + { |
| 101 | + name: $new_pkg.name, |
| 102 | + type: $new_pkg.type, |
| 103 | + current: { |
| 104 | + version: $new_pkg.version, |
| 105 | + reference: $new_pkg.purl |
| 106 | + }, |
| 107 | + previous: { |
| 108 | + version: $old_pkg.version, |
| 109 | + reference: $old_pkg.purl |
| 110 | + } |
| 111 | + } |
| 112 | + ]) |
| 113 | + }; |
| 114 | +
|
| 115 | +diff_packages(extract_packages($sbom1); extract_packages($sbom2)) |
| 116 | +' |
0 commit comments