From a3c829b169bad524075c811c2e863e77a451e234 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Wed, 2 Jun 2021 14:51:02 +0200 Subject: [PATCH 1/2] Add checks for binary versions set through build-time variables Make sure that these versions are set, and match the expected versions DEB: debian/rules override_dh_auto_test make[1]: Entering directory '/root/build-deb' ver="$(engine/bundles/dynbinary-daemon/dockerd --version)"; \ test "$ver" = "Docker version 0.0.0-20210531142756-1c174ced, build 7c6a9484" && echo "PASS: daemon version OK" || echo "FAIL: daemon version ($ver) did not match" PASS: daemon version OK ver="$(cli/build/docker --version)"; \ test "$ver" = "Docker version 0.0.0-20210531142756-1c174ced, build 1c174ced" && echo "PASS: cli version OK" || echo "FAIL: cli version ($ver) did not match" PASS: cli version OK # FIXME: --version currently doesn't work as it makes a connection to the daemon, so using the plugin metadata instead ver="$(/usr/libexec/docker/cli-plugins/docker-scan docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $1 == "Version" { print $2 }')"; \ test "$ver" = "v0.8.0" && echo "PASS: docker-scan version OK" || echo "FAIL: docker-scan version ($ver) did not match" PASS: docker-scan version OK RPM: Executing(%check): /bin/sh -e /var/tmp/rpm-tmp.SIDNvr + umask 022 + cd /root/rpmbuild/BUILD + cd src ++ engine/bundles/dynbinary-daemon/dockerd --version + ver='Docker version 0.0.0-20210531142756-1c174ced, build 7c6a9484' + test 'Docker version 0.0.0-20210531142756-1c174ced, build 7c6a9484' = 'Docker version 0.0.0-20210531142756-1c174ced, build 7c6a9484' + echo 'PASS: daemon version OK' + exit 0 PASS: daemon version OK ... 
Executing(%check): /bin/sh -e /var/tmp/rpm-tmp.jKzBxw + umask 022 + cd /root/rpmbuild/BUILD + cd src ++ cli/build/docker --version PASS: cli version OK + ver='Docker version 0.0.0-20210531142756-1c174ced, build 1c174ced' + test 'Docker version 0.0.0-20210531142756-1c174ced, build 1c174ced' = 'Docker version 0.0.0-20210531142756-1c174ced, build 1c174ced' + echo 'PASS: cli version OK' + exit 0 ... Executing(%check): /bin/sh -e /var/tmp/rpm-tmp.5KN9vp + umask 022 + cd /root/rpmbuild/BUILD + cd src ++ /root/rpmbuild/BUILDROOT/docker-scan-plugin-0.8.0-0.el8.x86_64/usr/libexec/docker/cli-plugins/docker-scan docker-cli-plugin-metadata ++ awk '{ gsub(/[",:]/,"")}; $1 == "Version" { print $2 }' PASS: docker-scan version OK + ver=v0.8.0 + test v0.8.0 = v0.8.0 + echo 'PASS: docker-scan version OK' + exit 0 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 928a8f2b578a782f902b64d223f06ff423afd736) Signed-off-by: Sebastiaan van Stijn --- deb/common/rules | 11 +++++++++-- rpm/SPECS/docker-ce-cli.spec | 5 +++-- rpm/SPECS/docker-ce.spec | 3 ++- rpm/SPECS/docker-scan-plugin.spec | 5 +++-- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/deb/common/rules b/deb/common/rules index 55f2ac4d05..4440c7fb83 100755 --- a/deb/common/rules +++ b/deb/common/rules 
@@ -36,8 +36,15 @@ override_dh_auto_build: done override_dh_auto_test: - ./engine/bundles/dynbinary-daemon/dockerd -v - ./cli/build/docker -v + ver="$$(engine/bundles/dynbinary-daemon/dockerd --version)"; \ + test "$$ver" = "Docker version $(VERSION), build $(ENGINE_GITCOMMIT)" && echo "PASS: daemon version OK" || echo "FAIL: daemon version ($$ver) did not match" + + ver="$$(cli/build/docker --version)"; \ + test "$$ver" = "Docker version $(VERSION), build $(CLI_GITCOMMIT)" && echo "PASS: cli version OK" || echo "FAIL: cli version ($$ver) did not match" + + # FIXME: --version currently doesn't work as it makes a connection to the daemon, so using the plugin metadata instead + ver="$$(/usr/libexec/docker/cli-plugins/docker-scan docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $$1 == "Version" { print $$2 }')"; \ + test "$$ver" = "$(SCAN_VERSION)" && echo "PASS: docker-scan version OK" || echo "FAIL: docker-scan version ($$ver) did not match" override_dh_strip: # Go has lots of problems with stripping, so just don't diff --git a/rpm/SPECS/docker-ce-cli.spec b/rpm/SPECS/docker-ce-cli.spec index 3253f6b90d..a6cadcba6e 100644 --- a/rpm/SPECS/docker-ce-cli.spec +++ b/rpm/SPECS/docker-ce-cli.spec @@ -64,8 +64,9 @@ done popd -# %check -# cli/build/docker -v +%check +ver="$(cli/build/docker --version)"; \ + test "$ver" = "Docker version %{_origversion}, build %{_gitcommit_cli}" && echo "PASS: cli version OK" || echo "FAIL: cli version ($ver) did not match" %install # install binary diff --git a/rpm/SPECS/docker-ce.spec b/rpm/SPECS/docker-ce.spec index 64ea11f6d5..a943eff41b 100644 --- a/rpm/SPECS/docker-ce.spec +++ b/rpm/SPECS/docker-ce.spec 
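Review bot: The new checks in override_dh_auto_test compare against the build-time variables but never confirm that those variables are non-empty, so the "make sure that these versions are set" half of the commit message is not enforced. This is clearest in the docker-scan check: the pipeline reports only awk's status, so a failed `docker-scan` run leaves `ver` empty, and if `$(SCAN_VERSION)` is also unset then `test "" = ""` passes. A guard ahead of the comparison such as `test -n "$(SCAN_VERSION)" || { echo "FAIL: SCAN_VERSION is not set"; exit 1; }`, repeated for `$(VERSION)`, `$(ENGINE_GITCOMMIT)` and `$(CLI_GITCOMMIT)`, would close that. The %check sections added to the three spec files in this patch compare against `%{_origversion}`, `%{_gitcommit_cli}`, `%{_gitcommit_engine}` and `%{_scan_version}` in the same way and may have the same gap when a macro is defined but empty.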
@@ -89,7 +89,8 @@ VERSION=%{_origversion} PRODUCT=docker hack/make.sh dynbinary popd %check -engine/bundles/dynbinary-daemon/dockerd -v +ver="$(engine/bundles/dynbinary-daemon/dockerd --version)"; \ + test "$ver" = "Docker version %{_origversion}, build %{_gitcommit_engine}" && echo "PASS: daemon version OK" || echo "FAIL: daemon version ($ver) did not match" %install # install daemon binary diff --git a/rpm/SPECS/docker-scan-plugin.spec b/rpm/SPECS/docker-scan-plugin.spec index ef01974208..02c9f5d311 100644 --- a/rpm/SPECS/docker-scan-plugin.spec +++ b/rpm/SPECS/docker-scan-plugin.spec @@ -31,9 +31,10 @@ popd %check -# FIXME: --version currently doesn't work as it makes a connection to the daemon +# FIXME: --version currently doesn't work as it makes a connection to the daemon, so using the plugin metadata instead #${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-scan scan --accept-license --version -${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-scan --help +ver="$(${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-scan docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $1 == "Version" { print $2 }')"; \ + test "$ver" = "%{_scan_version}" && echo "PASS: docker-scan version OK" || echo "FAIL: docker-scan version ($ver) did not match" %install pushd ${RPM_BUILD_DIR}/src/scan-cli-plugin From fd7b7ae2ed18a5aba2830d297d3ffee997183f0d Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sat, 3 Jul 2021 17:04:09 +0200 Subject: [PATCH 2/2] Fix binary version checks masking failure exit code Commit 928a8f2b578a782f902b64d223f06ff423afd736 added a check for binary version set through build-time variables, but I messed up, and forgot to add a non-zero exit code. As a result the exit code was the exit code of the "echo", which would always be successful. This also revealed a missing check for "target architecture": the scan cli plugin is only built on x86, so the version check should not be performed on other architectures. 
Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 5d9ad8ccf9251201a8b436bd09435536e3cfd309) Signed-off-by: Sebastiaan van Stijn --- deb/common/rules | 11 +++++++---- rpm/SPECS/docker-ce-cli.spec | 2 +- rpm/SPECS/docker-ce.spec | 2 +- rpm/SPECS/docker-scan-plugin.spec | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/deb/common/rules b/deb/common/rules index 4440c7fb83..db12f217ca 100755 --- a/deb/common/rules +++ b/deb/common/rules 
@@ -37,14 +37,17 @@ override_dh_auto_build: override_dh_auto_test: ver="$$(engine/bundles/dynbinary-daemon/dockerd --version)"; \ - test "$$ver" = "Docker version $(VERSION), build $(ENGINE_GITCOMMIT)" && echo "PASS: daemon version OK" || echo "FAIL: daemon version ($$ver) did not match" + test "$$ver" = "Docker version $(VERSION), build $(ENGINE_GITCOMMIT)" && echo "PASS: daemon version OK" || (echo "FAIL: daemon version ($$ver) did not match" && exit 1) ver="$$(cli/build/docker --version)"; \ - test "$$ver" = "Docker version $(VERSION), build $(CLI_GITCOMMIT)" && echo "PASS: cli version OK" || echo "FAIL: cli version ($$ver) did not match" + test "$$ver" = "Docker version $(VERSION), build $(CLI_GITCOMMIT)" && echo "PASS: cli version OK" || (echo "FAIL: cli version ($$ver) did not match" && exit 1) # FIXME: --version currently doesn't work as it makes a connection to the daemon, so using the plugin metadata instead - ver="$$(/usr/libexec/docker/cli-plugins/docker-scan docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $$1 == "Version" { print $$2 }')"; \ - test "$$ver" = "$(SCAN_VERSION)" && echo "PASS: docker-scan version OK" || echo "FAIL: docker-scan version ($$ver) did not match" + # TODO change once we support scan-plugin on other architectures + if [ "$(TARGET_ARCH)" = "amd64" ]; then \ + ver="$$(/usr/libexec/docker/cli-plugins/docker-scan docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $$1 == "Version" { print $$2 }')"; \ + test "$$ver" = "$(SCAN_VERSION)" && echo "PASS: docker-scan version OK" || (echo "FAIL: docker-scan version ($$ver) did not match" && exit 1); \ + fi override_dh_strip: # Go has lots of problems with stripping, so just don't diff --git a/rpm/SPECS/docker-ce-cli.spec b/rpm/SPECS/docker-ce-cli.spec index a6cadcba6e..7e71907b7a 100644 --- a/rpm/SPECS/docker-ce-cli.spec +++ b/rpm/SPECS/docker-ce-cli.spec 
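Review bot: The new `if [ "$(TARGET_ARCH)" = "amd64" ]` guard skips the docker-scan check without printing anything, so a build where `TARGET_ARCH` is empty or spelled differently (its definition is outside the hunk) silently loses the check even on x86. An else branch that logs the skip, e.g. `else echo "SKIP: docker-scan version check (TARGET_ARCH=$(TARGET_ARCH))"; \`, would make that visible in the build log. The check also runs the plugin from the absolute path `/usr/libexec/docker/cli-plugins/docker-scan`, unlike the tree-relative dockerd and cli paths above it. It is worth confirming that this is the binary being packaged and not one already present in the build environment.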
@@ -66,7 +66,7 @@ popd %check ver="$(cli/build/docker --version)"; \ - test "$ver" = "Docker version %{_origversion}, build %{_gitcommit_cli}" && echo "PASS: cli version OK" || echo "FAIL: cli version ($ver) did not match" + test "$ver" = "Docker version %{_origversion}, build %{_gitcommit_cli}" && echo "PASS: cli version OK" || (echo "FAIL: cli version ($ver) did not match" && exit 1) %install # install binary diff --git a/rpm/SPECS/docker-ce.spec b/rpm/SPECS/docker-ce.spec index a943eff41b..35346717a2 100644 --- a/rpm/SPECS/docker-ce.spec +++ b/rpm/SPECS/docker-ce.spec @@ -90,7 +90,7 @@ popd %check ver="$(engine/bundles/dynbinary-daemon/dockerd --version)"; \ - test "$ver" = "Docker version %{_origversion}, build %{_gitcommit_engine}" && echo "PASS: daemon version OK" || echo "FAIL: daemon version ($ver) did not match" + test "$ver" = "Docker version %{_origversion}, build %{_gitcommit_engine}" && echo "PASS: daemon version OK" || (echo "FAIL: daemon version ($ver) did not match" && exit 1) %install # install daemon binary diff --git a/rpm/SPECS/docker-scan-plugin.spec b/rpm/SPECS/docker-scan-plugin.spec index 02c9f5d311..2549dd1b06 100644 --- a/rpm/SPECS/docker-scan-plugin.spec +++ b/rpm/SPECS/docker-scan-plugin.spec @@ -34,7 +34,7 @@ popd # FIXME: --version currently doesn't work as it makes a connection to the daemon, so using the plugin metadata instead #${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-scan scan --accept-license --version ver="$(${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-scan docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $1 == "Version" { print $2 }')"; \ - test "$ver" = "%{_scan_version}" && echo "PASS: docker-scan version OK" || echo "FAIL: docker-scan version ($ver) did not match" + test "$ver" = "%{_scan_version}" && echo "PASS: docker-scan version OK" || (echo "FAIL: docker-scan version ($ver) did not match" && exit 1) %install pushd ${RPM_BUILD_DIR}/src/scan-cli-plugin
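Review bot: The `test … && echo PASS || (echo FAIL && exit 1)` form in this %check is hard to read as an if/else, and its `exit 1` only leaves the subshell, so the build fails only because that subshell happens to be the last command in the list. An explicit `if [ "$ver" = "…" ]; then echo "PASS: cli version OK"; else echo "FAIL: cli version ($ver) did not match" >&2; exit 1; fi` states the intent directly and sends the failure message to stderr. The same applies to the docker-ce.spec and docker-scan-plugin.spec hunks that follow, and to the deb/common/rules recipe in this patch.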
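Review bot: The docker-scan-plugin.spec %check still runs on every architecture, while the deb/common/rules hunk in the same patch gates the docker-scan check on amd64 and the commit message says the plugin is only built on x86. With the failure now fatal, a build of this spec on another architecture would presumably stop here with an empty `ver`. Whether the spec is already restricted elsewhere (for example by an `ExclusiveArch` tag or by the Makefile that invokes it) is not visible in the hunk. If it is not, the check needs an equivalent guard, e.g. wrapping it in `%ifarch x86_64` … `%endif`.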