Add basic shell utilities to the analyzer image

What does this MR do and why?

Copy basic utilities from the base UBI image to ubi-micro. This change is being made because some versatility is needed for project CI configuration during or after analysis.

For example, users have encountered issues for projects where lock files are not committed. Because the analyzer outputs the file it analyzed (e.g. dependencies.lock vs build.gradle), the repo link in the dependency list is pointing to a non-existent file. The optimal workaround is to update the SBOM to point to build.gradle, but because sed, awk, or even curl are not available it's not practically possible to do this update in the job. Users end up having to add a follow-up job to enable this processing.
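As an added illustration of the in-job rewrite described above (example script, not code from this MR or the analyzer project): once sed is present in the image, the recorded input-file path in the CycloneDX report can be corrected before the artifact is uploaded. The script assumes the path is stored in a metadata property named "gitlab:dependency_scanning:input_file:path" with name and value on one line (an assumption about the report layout; adjust the patterns if your report differs), and builds a constructed sample report so it can be run offline.

```shell
#!/bin/sh
# Added example, not part of the MR: point the SBOM's input-file path at the
# committed build.gradle instead of an uncommitted lock file, using only sed.
set -e

# Write a constructed sample report (not real analyzer output) to $1.
make_sample_sbom() {
  cat > "$1" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "properties": [
      {"name": "gitlab:dependency_scanning:input_file:path", "value": "app/dependencies.lock"},
      {"name": "gitlab:dependency_scanning:package_manager:name", "value": "gradle"}
    ]
  },
  "components": []
}
EOF
}

# Print the input-file path currently recorded in $1 (assumed property name;
# empty output means the property was not found on a single line).
current_input_path() {
  sed -n 's/.*"gitlab:dependency_scanning:input_file:path".*"value": *"\([^"]*\)".*/\1/p' "$1"
}

# Rewrite $1 in place: in every JSON "value" string that ends with file name $2,
# replace that trailing file name with $3. Directory prefixes are kept, and
# values that merely contain $2 elsewhere are left alone.
rewrite_input_file_path() {
  sbom="$1"; from="$2"; to="$3"
  # Escape characters that are special in a sed pattern / replacement.
  from_re=$(printf '%s' "$from" | sed 's/[][\.*^$/]/\\&/g')
  to_rep=$(printf '%s' "$to" | sed 's/[&/\]/\\&/g')
  sed -i.bak "s/\(\"value\": *\"[^\"]*\)${from_re}\"/\1${to_rep}\"/g" "$sbom"
  rm -f "${sbom}.bak"
}

# Usage in a CI script: sh fix-sbom-path.sh gl-sbom-gradle-dependencies.lock.cdx.json
if [ -n "${1:-}" ]; then
  echo "before: $(current_input_path "$1")"
  rewrite_input_file_path "$1" dependencies.lock build.gradle
  echo "after:  $(current_input_path "$1")"
fi
```

The substitution is anchored on the closing quote of the value so that a file name appearing in the middle of a longer string is not touched; run `current_input_path` before and after as the check that only the intended property changed.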

The downside of this change is increased maintenance surface area and image size.

Image sizes:

  • current: 21.47 MiB
  • image in this MR: 112.89 MiB

```shell
export image=registry.gitlab.com/security-products/dependency-scanning:v0
skopeo inspect --override-os linux --override-arch amd64 docker://$image | jq '.LayersData|map(.Size)|add/(1024*1024)'
21.466848373413086

export image=registry.gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning:2e30ac570ef4b01244028201b7f94247774a2042
skopeo inspect --override-os linux --override-arch amd64 docker://$image | jq '.LayersData|map(.Size)|add/(1024*1024)'
112.89137363433838
```

Additional update

This MR updates the base image to use ubi9.

Related issues

Use explicit direct dependencies for dependency... (gitlab-org&16886 - closed) • Igor Frenkel

Enable Static Reachability in the latest DS tem... (gitlab-org/gitlab#523358 - closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Edited by Igor Frenkel
