Add very basic initial support for scraping some amount of informatio…

…n out of APK for Alpine-based images
SanSanichSan · Apr 8, 2019 · bdc1ec6 · bdc1ec6
1 parent a2ef66a
commit bdc1ec6
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 0 deletions.
diff --git a/.local-scripts/gather-apk.sh b/.local-scripts/gather-apk.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+_apk() {
+	apk --no-network "$@" 2>/dev/null
+}
+
+IFS=$'\n'
+packages=( $(_apk info | sort) )
+unset IFS
+
+if [ "${#packages[@]}" -eq 0 ]; then
+	# not Alpine-based?
+	exit 1
+fi
+
+echo
+echo '## `apk` (`.apk`-based packages)'
+
+# prints "$2$1$3$1...$N"
+join() {
+	local sep="$1"; shift
+	local out; printf -v out "${sep//%/%%}%s" "$@"
+	echo "${out#$sep}"
+}
+
+for pkg in "${packages[@]}"; do
+	if [ "${pkg#.}" != "$pkg" ]; then
+		# if package name starts with a period, it's a pretty strong indicator that it's likely a user-created virtual and thus safely ignored for the purposes of this report
+		continue
+	fi
+
+	echo
+	echo '### `apk` package: `'"$pkg"'`'
+
+	# TODO parse this output better somehow (can't find a way to get `apk info` to spit out just the value without the `xyz-VERSION license:` header)
+	echo
+	echo '```console'
+	_apk info \
+		--description \
+		--license \
+		--size \
+		--webpage \
+		"$pkg"
+	echo '```'
+done
diff --git a/.local-scripts/gather.sh b/.local-scripts/gather.sh
@@ -2,5 +2,6 @@
 set -e
 
 prep-env.sh
+gather-apk.sh || :
 gather-dpkg.sh || :
 gather-rpm.sh || :
diff --git a/Dockerfile.local b/Dockerfile.local
@@ -13,6 +13,20 @@ RUN set -eux; \
 	; \
 	rm -rf /var/lib/apt/lists/*
 
+# Alpine-based images need "apk" for data extraction
+RUN set -eux; \
+# https://pkgs.alpinelinux.org/package/v3.9/main/x86_64/apk-tools-static
+	apkStaticDist='v3.9'; \
+	apkStaticVersion='2.10.3-r1'; \
+# TODO convert "dpkg --print-architecture" to Alpine architecture for downloading the correct architecture binary
+	apkStaticArch='x86_64'; \
+	apkStaticUrl="http://dl-cdn.alpinelinux.org/alpine/$apkStaticDist/main/$apkStaticArch/apk-tools-static-$apkStaticVersion.apk"; \
+	wget -O /tmp/apk-tools-static.apk "$apkStaticUrl"; \
+	tar -xzvf /tmp/apk-tools-static.apk -C /usr/local/ --wildcards '*bin/apk.static'; \
+	mv /usr/local/*bin/apk.static /usr/local/bin/apk; \
+	rm /tmp/apk-tools-static.apk; \
+	apk --version
+
 COPY .local-scripts/*.sh /usr/local/bin/
 
 CMD ["gather.sh"]
diff --git a/scan-local.sh b/scan-local.sh
@@ -13,7 +13,9 @@ trap "docker rm -f '$name-data' '$name' > /dev/null || :" EXIT
 docker create \
 	--name "$name-data" \
 	-v /etc \
+	-v /lib/apk \
 	-v /usr/lib/rpm \
+	-v /usr/share/apk \
 	-v /usr/share/doc \
 	-v /var/lib \
 	"$image" \