feat: grant check

grant check adds the ability for the program to take an image or SBOM
and provide a license compliance check based on a provided
configuration

The default configuration denies all licenses so a user running the
command for the first time will see status code 1 as the response

Signed-off-by: Christopher Phillips <[email protected]>

.binny.yaml

@@ -0,0 +1,58 @@
+tools:
+  - name: grant
+    version:
+      want: current
+    method: go-install
+    with:
+      module: .
+      entrypoint: cmd/grant
+
+  - name: binny
+    version:
+      # can be 'main', 'latest', or a specific version
+      want: v0.3.0
+    method: github-release
+    with:
+      repo: anchore/binny
+
+  - name: task
+    version:
+      want: v3.30.1
+    method: github-release
+    with:
+      repo: go-task/task
+
+  - name: gosimports
+    version:
+      want: v0.3.8
+    method: github-release
+    with:
+      repo: rinchsan/gosimports
+
+  - name: golangci-lint
+    version:
+      want: v1.54.2
+    method: github-release
+    with:
+      repo: golangci/golangci-lint
+
+  - name: chronicle
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/chronicle
+
+  - name: glow
+    version:
+      want: v1.5.1
+    method: github-release
+    with:
+      repo: charmbracelet/glow
+
+  - name: goreleaser
+    version:
+      want: v1.21.1
+    method: github-release
+    with:
+      repo: goreleaser/goreleaser

.github/scripts/ci-check.sh

@@ -0,0 +1 @@
+#!/usr/bin/env bash

.github/scripts/coverage.py

@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+import subprocess
+import sys
+import shlex
+
+
+class bcolors:
+    HEADER = '\033[95m'
+    OKBLUE = '\033[94m'
+    OKCYAN = '\033[96m'
+    OKGREEN = '\033[92m'
+    WARNING = '\033[93m'
+    FAIL = '\033[91m'
+    ENDC = '\033[0m'
+    BOLD = '\033[1m'
+    UNDERLINE = '\033[4m'
+
+
+if len(sys.argv) < 3:
+    print("Usage: coverage.py [threshold] [go-coverage-report]")
+    sys.exit(1)
+
+
+threshold = float(sys.argv[1])
+report = sys.argv[2]
+
+
+args = shlex.split(f"go tool cover -func {report}")
+p = subprocess.run(args, capture_output=True, text=True)
+
+percent_coverage = float(p.stdout.splitlines()[-1].split()[-1].replace("%", ""))
+print(f"{bcolors.BOLD}Coverage: {percent_coverage}%{bcolors.ENDC}")
+
+if percent_coverage < threshold:
+    print(f"{bcolors.BOLD}{bcolors.FAIL}Coverage below threshold of {threshold}%{bcolors.ENDC}")
+    sys.exit(1)

.github/scripts/go-mod-tidy-check.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -eu
+
+ORIGINAL_STATE_DIR=$(mktemp -d "TEMP-original-state-XXXXXXXXX")
+TIDY_STATE_DIR=$(mktemp -d "TEMP-tidy-state-XXXXXXXXX")
+
+trap "cp -v ${ORIGINAL_STATE_DIR}/* ./ && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT
+
+echo "Capturing original state of files..."
+cp -v go.mod go.sum "${ORIGINAL_STATE_DIR}"
+
+echo "Capturing state of go.mod and go.sum after running go mod tidy..."
+go mod tidy
+cp -v go.mod go.sum "${TIDY_STATE_DIR}"
+echo ""
+
+set +e
+
+# Detect difference between the git HEAD state and the go mod tidy state
+DIFF_MOD=$(diff -u "${ORIGINAL_STATE_DIR}/go.mod" "${TIDY_STATE_DIR}/go.mod")
+DIFF_SUM=$(diff -u "${ORIGINAL_STATE_DIR}/go.sum" "${TIDY_STATE_DIR}/go.sum")
+
+if [[ -n "${DIFF_MOD}" || -n "${DIFF_SUM}" ]]; then
+    echo "go.mod diff:"
+    echo "${DIFF_MOD}"
+    echo "go.sum diff:"
+    echo "${DIFF_SUM}"
+    echo ""
+    printf "FAILED! go.mod and/or go.sum are NOT tidy; please run 'go mod tidy'.\n\n"
+    exit 1
+fi

.github/scripts/trigger-release.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+

.gitignore

@@ -1,46 +1,41 @@
-# most likely a binary from ad hoc go build
-/grant
-
-# Editor specific files
-.vscode
+# install dirs
+/.tmp
+/.tools
+/.tool
+/.task
+
+# release locations
+/snapshot
+/dist
+CHANGELOG.md
+VERSION
+
+# IDEs
 .idea
+.vscode
 
-# Build
-dist
-
-# Test binary, build with `go test -c`
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
 *.test
 
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
-# Swap
-[._]*.s[a-v][a-z]
-!*.svg  # comment out if you don't need vector files
-[._]*.sw[a-p]
-[._]s[a-rt-v][a-z]
-[._]ss[a-gi-z]
-[._]sw[a-p]
-
-# Session
-Session.vim
-Sessionx.vim
-
-# Temporary
-.netrwhist
-*~
-
-# Auto-generated tag files
-tags
-
-# sample sbom input
-test.json
-
-# Persistent undo
-[._]*.un~
+# Dependency directories (remove the comment below to include it)
+# vendor/
 
-# MacOS Finder metadata
-.DS_STORE
+# Go workspace file
+go.work
+go.work.sum
 
-.tmp
-snapshot
+# mac
+.DS_Store

.golangci.yaml

@@ -0,0 +1,83 @@
+issues:
+  max-same-issues: 25
+
+  # TODO: enable this when we have coverage on docstring comments
+#  # The list of ids of default excludes to include or disable.
+#  include:
+#    - EXC0002 # disable excluding of issues about comments from golint
+
+linters:
+  # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
+  disable-all: true
+  enable:
+    - asciicheck
+    - bodyclose
+    - dogsled
+    - dupl
+    - errcheck
+    - exportloopref
+    - funlen
+    - gocognit
+    - goconst
+    - gocritic
+    - gocyclo
+    - gofmt
+    - goimports
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - nakedret
+    - revive
+    - staticcheck
+    - stylecheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - whitespace
+
+linters-settings:
+  funlen:
+    # Checks the number of lines in a function.
+    # If lower than 0, disable the check.
+    # Default: 60
+    lines: 70
+    # Checks the number of statements in a function.
+    # If lower than 0, disable the check.
+    # Default: 40
+    statements: 50
+output:
+  uniq-by-line: false
+run:
+  timeout: 10m
+
+# do not enable...
+#    - deadcode          # The owner seems to have abandoned the linter. Replaced by "unused".
+#    - depguard          # We don't have a configuration for this yet
+#    - goprintffuncname  # does not catch all cases and there are exceptions
+#    - nakedret          # does not catch all cases and should not fail a build
+#    - gochecknoglobals
+#    - gochecknoinits    # this is too aggressive
+#    - rowserrcheck disabled per generics https://github.com/golangci/golangci-lint/issues/2649
+#    - godot
+#    - godox
+#    - goerr113
+#    - goimports   # we're using gosimports now instead to account for extra whitespaces (see https://github.com/golang/go/issues/20818)
+#    - golint      # deprecated
+#    - gomnd       # this is too aggressive
+#    - interfacer  # this is a good idea, but is no longer supported and is prone to false positives
+#    - lll         # without a way to specify per-line exception cases, this is not usable
+#    - maligned    # this is an excellent linter, but tricky to optimize and we are not sensitive to memory layout optimizations
+#    - nestif
+#    - nolintlint   # as of go1.19 this conflicts with the behavior of gofmt, which is a deal-breaker (lint-fix will still fail when running lint)
+#    - prealloc     # following this rule isn't consistently a good idea, as it sometimes forces unnecessary allocations that result in less idiomatic code
+#    - rowserrcheck # not in a repo with sql, so this is not useful
+#    - scopelint    # deprecated
+#    - structcheck  # The owner seems to have abandoned the linter. Replaced by "unused".
+#    - testpackage
+#    - varcheck     # The owner seems to have abandoned the linter. Replaced by "unused".
+#    - wsl          # this doens't have an auto-fixer yet and is pretty noisy (https://github.com/bombsimon/wsl/issues/90)
+

.goreleaser.yaml

@@ -0,0 +1,71 @@
+release:
+  prerelease: auto
+  draft: false
+
+env:
+  - CGO_ENABLED=0
+
+builds:
+  - id: linux-build
+    dir: ./cmd/grant
+    binary: grant
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    # set the modified timestamp on the output binary to the git timestamp to ensure a reproducible build
+    mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}'
+    ldflags: &build-ldflags |
+      -w
+      -s
+      -extldflags '-static'
+      -X main.version={{.Version}}
+      -X main.gitCommit={{.Commit}}
+      -X main.buildDate={{.Date}}
+      -X main.gitDescription={{.Summary}}
+
+  - id: darwin-build
+    dir: ./cmd/grant
+    binary: grant
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    mod_timestamp: *build-timestamp
+    ldflags: *build-ldflags
+# will probably be supported in the future
+#    hooks:
+#      post:
+#        - cmd: .tools/quill sign-and-notarize "{{ .Path }}" --dry-run={{ .IsSnapshot }} --ad-hoc={{ .IsSnapshot }} -vv
+#          env:
+#            - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log
+
+# not supported yet
+#  - id: windows-build
+#    dir: ./cmd/grant
+#    binary: grant
+#    goos:
+#      - windows
+#    goarch:
+#      - amd64
+#    mod_timestamp: *build-timestamp
+#    ldflags: *build-ldflags
+
+archives:
+  - id: linux-archives
+    builds:
+      - linux-build
+
+  # note: the signing process is depending on tar.gz archives. If this format changes then .github/scripts/apple-signing/*.sh will need to be adjusted
+  - id: darwin-archives
+    builds:
+      - darwin-build
+
+# not supported yet
+#  - id: windows-archives
+#    format: zip
+#    builds:
+#      - windows-build
+

.grant.yaml

@@ -0,0 +1,6 @@
+#.grant.yaml
+precedence: [deny, allow]
+deny: "*"
+allow:
+  - MIT
+  - Apache-2

CONTRIBUTING.md

@@ -0,0 +1 @@
+## Contributing

DEVELOPING.md

@@ -0,0 +1 @@
+## Developing