Generate and attach multiarch index SBOMs (only SPDX for now) #257
Package references in the cyclonedx sboms are wrong and dependencies of one package are pointing to itself. This commit fixes it. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit modifies the SBOM options to pass the required information to generate the index sboms. In short, it's data about the index and the underlying images. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit modifies the `apko publish` subcommand to generate the index sbom when publish produces more than one image. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit modifies the OCI package in two ways: 1. Modifies the attachSBOM functions to take a signed entity to allow it to work with indexes and images 2. Modifies the PublishIndex functions to return the newly published index. This allows external functions to use it (e.g. to attach an sbom to it). Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit adds a GenerateIndexSBOM function to the build context. This function is akin to the GenerateSBOM fn which creates the sboms for layers and images. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@@ -126,7 +126,7 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu | |||
// The build context options is sometimes copied in the next functions. Ensure | |||
// we have the directory defined and created by invoking the function early. | |||
bc.Options.TempDir() | |||
defer os.RemoveAll(bc.Options.TempDir()) | |||
// defer os.RemoveAll(bc.Options.TempDir()) |
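Review bot: the temporary-directory cleanup is disabled in this hunk (`// defer os.RemoveAll(bc.Options.TempDir())`), so every `apko publish` run leaves its build directory behind; restore the `defer` before merging so build hosts do not accumulate unpacked build trees across runs.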
Should this have been uncommented? 🤔
yes, it's the cleanup and I was testing. I'll fix it.
@@ -340,17 +350,17 @@ func publishIndexWithMediaType(mediaType ggcrtypes.MediaType, imgs map[types.Arc | |||
img := imgs[arch] | |||
mt, err := img.MediaType() | |||
if err != nil { | |||
return name.Digest{}, fmt.Errorf("failed to get mediatype: %w", err) | |||
return name.Digest{}, idx, fmt.Errorf("failed to get mediatype: %w", err) |
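Review bot: the error path `return name.Digest{}, idx, fmt.Errorf("failed to get mediatype: %w", err)` hands a partially built index back alongside the error; return `nil` for the index there, matching the zero `name.Digest{}` beside it, so callers that check the index before the error cannot treat an unpublished index as a published one.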
Why not return `nil` here instead of `idx`? Are callers supposed to do anything with the returned `idx` value if there's an error?
(Studiously resisting a rant about error handling conventions in Go...)
Good point I'll change it in a follow up 👍
This PR introduces the index SBOMs for `apko publish`. When publishing more than one image, apko will now attach an SBOM to the image index describing it and linking to the individual arch images. The index SBOM contains one package which ties the images by adding external refs to image packages in the single image SBOMs.
For now, only the SPDX driver generates the index SBOMs. I'll add CycloneDX support in a follow-up.
Example Index SBOM:
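As an added illustration (this is not the PR's example SBOM and not apko's own code), the following Go program builds an SPDX-style index document of the shape described above: a single package for the index whose external refs point at each per-architecture image. It also shows the check a consumer of such an SBOM should run before trusting it: that the refs cover exactly the images present in the index, flagging both images with no ref and refs to images the index does not contain. The struct fields are a small subset of SPDX JSON, the `pkg:oci/...` locator form, the reference type string and all digests are constructed placeholders, not values from the PR.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Subset of SPDX JSON fields used by this example (constructed for
// illustration; these are not apko's types).
type ExternalRef struct {
	Category string `json:"referenceCategory"`
	Type     string `json:"referenceType"`
	Locator  string `json:"referenceLocator"`
}

type Package struct {
	SPDXID       string        `json:"SPDXID"`
	Name         string        `json:"name"`
	ExternalRefs []ExternalRef `json:"externalRefs,omitempty"`
}

type Document struct {
	SPDXID   string    `json:"SPDXID"`
	Name     string    `json:"name"`
	Packages []Package `json:"packages"`
}

// ImageInfo is one per-architecture image in the index (constructed input).
type ImageInfo struct {
	Arch   string
	Digest string // manifest digest, e.g. "sha256:<hex>"
}

// locator is the assumed (purl-like, not spec-validated) form of a ref from
// the index package to one image package: manifest digest plus arch.
func locator(img ImageInfo) string {
	return fmt.Sprintf("pkg:oci/image@%s?arch=%s", img.Digest, img.Arch)
}

// BuildIndexSBOM produces a document with one package for the index whose
// external refs point at every arch image. Refs are sorted by arch so the
// output is deterministic and reproducible across runs.
func BuildIndexSBOM(indexDigest string, images []ImageInfo) Document {
	sorted := append([]ImageInfo(nil), images...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Arch < sorted[j].Arch })

	pkg := Package{
		SPDXID: "SPDXRef-Package-index-" + strings.TrimPrefix(indexDigest, "sha256:"),
		Name:   "index",
	}
	for _, img := range sorted {
		pkg.ExternalRefs = append(pkg.ExternalRefs, ExternalRef{
			Category: "OTHER",
			Type:     "oci-image", // assumed type name for this example
			Locator:  locator(img),
		})
	}
	return Document{
		SPDXID:   "SPDXRef-DOCUMENT",
		Name:     "sbom-index-" + indexDigest,
		Packages: []Package{pkg},
	}
}

// CheckIndexSBOM compares the refs in the document against the images that
// are actually in the index. It returns images with no ref (missing) and
// refs to images not in the index (extra); a consumer should require both
// lists to be empty before relying on the SBOM to describe the index.
func CheckIndexSBOM(doc Document, images []ImageInfo) (missing, extra []string) {
	seen := map[string]bool{}
	for _, img := range images {
		seen[locator(img)] = false
	}
	for _, p := range doc.Packages {
		for _, r := range p.ExternalRefs {
			if _, ok := seen[r.Locator]; ok {
				seen[r.Locator] = true
			} else {
				extra = append(extra, r.Locator)
			}
		}
	}
	for loc, ok := range seen {
		if !ok {
			missing = append(missing, loc)
		}
	}
	sort.Strings(missing)
	sort.Strings(extra)
	return missing, extra
}

func main() {
	// Constructed sample index with two arch images.
	images := []ImageInfo{
		{Arch: "arm64", Digest: "sha256:" + strings.Repeat("b", 64)},
		{Arch: "amd64", Digest: "sha256:" + strings.Repeat("a", 64)},
	}
	doc := BuildIndexSBOM("sha256:"+strings.Repeat("c", 64), images)
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))

	// Simulate an index that gained an image the SBOM does not describe.
	changed := append(images, ImageInfo{Arch: "s390x", Digest: "sha256:" + strings.Repeat("d", 64)})
	if missing, extra := CheckIndexSBOM(doc, changed); len(missing) > 0 || len(extra) > 0 {
		fmt.Fprintf(os.Stderr, "index SBOM does not match index: missing=%v extra=%v\n", missing, extra)
	}
}
```

The check is deliberately symmetric: a ref to an image that is not in the index is as much a mismatch as an image without a ref, since either means the attached SBOM describes something other than the index it is attached to.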