Generate and attach multiarch index SBOMs (only SPDX for now) #257
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Package references in the cyclonedx sboms are wrong and dependecies of one package are pointing to itself. This commit fixes it. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit modifies the SBOM options to pass the required information to generate the index sboms. In short its data about the index and the underlying images. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit modifies the `apko publish` subcommand to generate the index sbom when publish produces more than one image. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit modifies the OCI package in two ways: 1. Modifies the attachSBOM functions to take a signed entity to allow it to work with indexes and images 2. Modifies the PublishIndex functions to return the newly published index. This allows external functions to use it (eg to attach an sbom to it). Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit adds a GenerateIndexSBOM function to the build context. This function is aking to the GenerateSBOM fn which creates the sboms for layers and images. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
kaniini
approved these changes
Jun 30, 2022
imjasonh
reviewed
Jun 30, 2022
| @@ -126,7 +126,7 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu | |||
| // The build context options is sometimes copied in the next functions. Ensure | |||
| // we have the directory defined and created by invoking the function early. | |||
| bc.Options.TempDir() | |||
| defer os.RemoveAll(bc.Options.TempDir()) | |||
| // defer os.RemoveAll(bc.Options.TempDir()) | |||
There was a problem hiding this comment.
Should this have been uncommented? 🤔
There was a problem hiding this comment.
yes, it's the cleanup and I was testing. I'll fix it.
| @@ -340,17 +350,17 @@ func publishIndexWithMediaType(mediaType ggcrtypes.MediaType, imgs map[types.Arc | |||
| img := imgs[arch] | |||
| mt, err := img.MediaType() | |||
| if err != nil { | |||
| return name.Digest{}, fmt.Errorf("failed to get mediatype: %w", err) | |||
| return name.Digest{}, idx, fmt.Errorf("failed to get mediatype: %w", err) | |||
There was a problem hiding this comment.
Why not return nil here instead of idx? Are callers supposed to do anything with the returned idx value if there's an error?
(Studiously resisting a rant about error handling conventions in Go...)
There was a problem hiding this comment.
Good point I'll change it in a follow up 👍
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces the index SBOMs for
apko publish. When publishing more than one image, apko will now attach an SBOM to the image index describing it and linking to the individual arch images.The index SBOM contains one package which ties the images by adding external refs to image packages in the single image SBOMs.
For now, only the SPDX driver generates the index SBOMs. I'll add CycloneDX support in a follow-up.
Example Index SBOM:
{ "SPDXID": "SPDXRef-DOCUMENT", "name": "sbom-sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58", "spdxVersion": "SPDX-2.2", "creationInfo": { "created": "1970-01-01T00:00:00Z", "creators": [ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], "licenseListVersion": "3.16" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/", "documentDescribes": [ "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58" ], "packages": [ { "SPDXID": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58", "name": "172.19.0.1:5000/test-nosbom3@sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "description": "Multi-arch image index", "sourceInfo": "Generated at image build time by apko", "copyrightText": "NOASSERTION", "checksums": [ { "algorithm": "SHA256", "checksumValue": "af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58" } ], "externalRefs": [ { "referenceCategory": "PACKAGE_MANAGER", "referenceLocator": "pkg:oci/172.19.0.1:5000%2Ftest-nosbom3?mediaType=application%2Fvnd.oci.image.index.v1+json\u0026tag=latest", "referenceType": "purl" } ] } ], "relationships": [ { "spdxElementId": "DocumentRef-386-image-sbom:SPDXRef-Package-sha256-d0370905ad41c4eb2b1a56f3139fd6a9acfcef203c27e2a9e1655eab28351fd6", "relationshipType": "VARIANT_OF", "relatedSpdxElement": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58" }, { "spdxElementId": "DocumentRef-amd64-image-sbom:SPDXRef-Package-sha256-b09ddd04b47e07919402c15ea21bf839a95f6bf38ec0df1594c296425010cf1a", "relationshipType": "VARIANT_OF", "relatedSpdxElement": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58" } ], "externalDocumentRefs": [ { "checksum": { "algorithm": "SHA256", "checksumValue": "89ddcc4bd6e2b110aef37f0ba7ae5a638bf8c221a9ba8b618bba908c10324d1c" }, "externalDocumentId": "DocumentRef-386-image-sbom", "spdxDocument": "https://172.19.0.1:5000/v2/test-nosbom3/blobs/sha256:89ddcc4bd6e2b110aef37f0ba7ae5a638bf8c221a9ba8b618bba908c10324d1c" }, { "checksum": { "algorithm": "SHA256", "checksumValue": "ff76954b0ade75e2b0c450696c73cc521ef94c94785d30c03c5d624217d2797c" }, "externalDocumentId": "DocumentRef-amd64-image-sbom", "spdxDocument": "https://172.19.0.1:5000/v2/test-nosbom3/blobs/sha256:ff76954b0ade75e2b0c450696c73cc521ef94c94785d30c03c5d624217d2797c" } ] }