Skip to content

Commit fb03f29

Browse files
authored
Merge pull request #83 from chainguard-demo/jprince-cgl-review
Walked through and verified, provided additional commands/adjustments…
2 parents f4aeaca + 4a86805 commit fb03f29

2 files changed

Lines changed: 30 additions & 10 deletions

File tree

chainguard-libraries/java/readme.md

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -63,11 +63,12 @@ For this demo all builds will use **containerized environments** to avoid needin
6363

6464
## 🧰 Prerequisites
6565

66-
- **chainctl** is installed and user has access to the chainguard org with java ecosystem entitlements. NOTE: The user must have the `libraries.java.pull` role in order to access libraries from `https://libraries.cgr.dev/maven/` e.g. `owner` role. Chainctl install docs can be found [here](https://edu.chainguard.dev/chainguard/chainctl-usage/how-to-install-chainctl/)
66+
- **chainctl** is installed and user has access to the chainguard org with java ecosystem entitlements.
67+
> NOTE: The user must have the `libraries.java.pull` role in order to access libraries from `https://libraries.cgr.dev/maven/` e.g. `owner` role. Chainctl install docs can be found [here](https://edu.chainguard.dev/chainguard/chainctl-usage/how-to-install-chainctl/)
6768
- **chainctl** CLI tool to scan artifacts. chainctl install docs can be found [here](https://edu.chainguard.dev/chainguard/chainctl-usage/how-to-install-chainctl/)
6869
- **jq** installed for JSON parsing
6970
- A **Chainguard organization name** (e.g. `myorg.com`) that has Java ecosystem entitlements.
70-
- Network Access to `libraries.cgr.dev/maven/`
71+
- Network Access to `https://libraries.cgr.dev/maven/`
7172
- Docker installed to run images
7273
---
7374

@@ -96,6 +97,9 @@ It provides a baseline for functionality and scanning before any Chainguard cont
9697
View the Java dependencies in the pom file:
9798

9899
```bash
100+
# Change Directory into the step1-orig folder
101+
cd cs-workshop/chainguard-libraries/java/step1-orig
102+
99103
# Print only the <dependencies> section from pom.xml to see what the app depends on.
100104
awk '/<dependencies>/,/<\/dependencies>/' pom.xml
101105
```
@@ -274,6 +278,7 @@ docker build \
274278
```bash
275279
# Start the app using the Chainguard-built container.
276280
docker run -d -p 8081:8080 --name java-lib-example-1 java-lib-example:$TAG
281+
sleep 3
277282
curl http://localhost:8081
278283

279284
# Copy the JAR so that we can scan it with chainctl.
@@ -328,6 +333,8 @@ This removes temporary tokens, images, and jar artifacts created during the work
328333
ID=$(chainctl iam ids ls --parent="$ORG_NAME" -o json | jq -r --arg name "$TOKEN_NAME" '.items[] | select(.name | startswith($name)) | .id')
329334
chainctl iam identities delete "$ID" --parent "$ORG_NAME" --yes
330335

336+
# Remove the Docker images that were created
337+
docker image ls | grep java-lib-example | awk '{print $3}' | xargs docker image rm $1
331338
```
332339
---
333340

chainguard-libraries/python/readme.md

Lines changed: 21 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,8 @@ We’ll work through three stages:
5656
Demonstrate how to view Provenance details for Chainguard Python Libraries.
5757

5858

59-
For this demo all builds will use **containerized environments** to avoid needing to have a local python setup. We will also be using `uv` instead of `pip` to install python dependencies since it is faster, and also preserves repo precedence when doing builds with Chainguard Libraries. **Note:** It is NOT recommended to use pip when pulling python dependencies directly from the Chainguard repo as it doesn't guarantee dependencies will be pull from Chainguard over PyPI.
59+
For this demo all builds will use **containerized environments** to avoid needing to have a local python setup. We will also be using `uv` instead of `pip` to install python dependencies since it is faster, and also preserves repo precedence when doing builds with Chainguard Libraries.
60+
>⚠️ It is NOT recommended to use pip when pulling python dependencies directly from the Chainguard repo as it doesn't guarantee dependencies will be pull from Chainguard over PyPI.
6061
6162
---
6263

@@ -94,6 +95,8 @@ This stage builds and runs a simple Flask app using upstream Python images and d
9495
### 1. Inspect dependencies
9596

9697
```bash
98+
# Change Directory into the step1-orig directory
99+
cd cs-workshop/chainguard-libraries/python/step1-orig
97100
# Review the dependencies used by the application.
98101
cat requirements.txt
99102
```
@@ -120,7 +123,9 @@ RUNTIME_IMAGE="${UPSTREAM_PYTHON_IMAGE}-slim"
120123

121124
```bash
122125
# Build the app using the upstream Maven builder and Temurin runtime.
123-
docker build --build-arg BUILDER_IMAGE=$BUILDER_IMAGE --build-arg RUNTIME_IMAGE=$RUNTIME_IMAGE -t python-lib-example:$TAG .
126+
docker build --build-arg BUILDER_IMAGE=$BUILDER_IMAGE \
127+
--build-arg RUNTIME_IMAGE=$RUNTIME_IMAGE \
128+
-t python-lib-example:$TAG .
124129
```
125130

126131
### 5. Run and test
@@ -134,7 +139,7 @@ curl -F "file=@linky.png" http://127.0.0.1:5055/upload
134139
```
135140

136141
### 6. Scan with chainctl
137-
In this step we will use chainctl to scan the venv directory to determine how many dependencies came from Chainguard repo vs. upstream PyPI since we haven't built with the Chainguard repo yet we expect the output to be 0%.
142+
In this step we will use chainctl to scan the venv directory to determine how many dependencies came from Chainguard repo vs. upstream PyPI. Since we haven't built with the Chainguard repo yet we expect the output to be 0%.
138143

139144
```bash
140145
# Copy the virtual environment from the container for scanning.
@@ -163,7 +168,7 @@ After the build, you’ll scan to verify that dependencies now originate from Ch
163168
```bash
164169
# Request a Chainguard library token for the Java ecosystem.
165170
CREDS_OUTPUT=$(chainctl auth pull-token \
166-
--library-ecosystem="${ECOSYSTEM}"
171+
--repository="${ECOSYSTEM}" \
167172
--parent="${ORG_NAME}" \
168173
--name="${TOKEN_NAME}" \
169174
--ttl="${TTL}" -o json)
@@ -207,11 +212,12 @@ BUILDER_IMAGE="$UPSTREAM_PYTHON_IMAGE"
207212
RUNTIME_IMAGE="${UPSTREAM_PYTHON_IMAGE}-slim"
208213

209214
# Build the image:
210-
docker build \
215+
docker build \
211216
--build-arg BUILDER_IMAGE=$BUILDER_IMAGE \
212217
--build-arg RUNTIME_IMAGE=$RUNTIME_IMAGE \
213-
--secret id=pip_conf,src=./pip.conf \
214-
-t python-lib-example:$TAG -f ../step2-cg-build/Dockerfile .
218+
--secret id=netrc,src=./.netrc \
219+
-t python-lib-example:$TAG \
220+
-f ../step2-cg-build/Dockerfile .
215221
```
216222

217223
### 5. Run, test, and scan
@@ -299,7 +305,11 @@ Each Chainguard-built dependency includes an SBOM under
299305

300306
Inspect provenance for a specific package, note that the SBOM indicates that the dependency was built by Chainguard, and the git url and commit hash can be verified.
301307
```bash
302-
jq '{spdxVersion, dataLicense, SPDXID, name, documentNamespace, creationInfo, packages: [.packages[0]]}' venv/lib/python3.13/site-packages/flask-3.0.2.dist-info/sboms/sbom.spdx.json | jq .
308+
# Account for python version updates down the road
309+
CGR_PYTHON_VERSION=$(docker exec python-lib-example python --version | awk '{print $2}' | cut -d . -f1,2)
310+
311+
# Use JQ to read the sbom file
312+
jq '{spdxVersion, dataLicense, SPDXID, name, documentNamespace, creationInfo, packages: [.packages[0]]}' venv/lib/${CGR_PYTHON_VERSION}/site-packages/flask-3.0.2.dist-info/sboms/sbom.spdx.json | jq .
303313
```
304314

305315

@@ -322,6 +332,9 @@ chainctl iam identities delete "$ID" --parent "$ORG_NAME" --yes
322332

323333
# Remove the pip.conf file
324334
rm .netrc
335+
336+
# Remove the Docker images that were created
337+
docker image ls | grep python-lib-example | awk '{print $3}' | xargs docker image rm $1
325338
```
326339

327340
---

0 commit comments

Comments
 (0)