Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

510 - SBOM attestation stdout #785

Merged
merged 127 commits into from
Feb 23, 2022
Merged

510 - SBOM attestation stdout #785

merged 127 commits into from
Feb 23, 2022

Conversation

spiffcs
Copy link
Contributor

@spiffcs spiffcs commented Jan 31, 2022
edited
Loading

Attestation Stdout

This PR adds the initial version of the syft attest command. A user can use attest to generate a summary of discovered packages formatted as the predicate to an image attestation.

To run this command you'll need to generate a key via cosign generate-key-pair. You can either pass it directly to the command or have syft read from the default location ./cosign.key

go run main.go attest --key cosign.key --output json anchore/syft:latest

Notes:

  • compile size increases from ~22mb --> ~60mb due to new library imports
  • CI time has increased for static analysis
  • keyless workflow will be added after; see here for outline of what is to come
  • snapshot build times have increased with the introduction of new cosign libraries

TODO:

  • update user input keysign options to be more friendly
  • update to allow password inputs for keys
  • inject command context to leverage correct cosign function signatures
  • unit/integration coverage
  • command coverage
  • rebase
  • BUG: keyreference panic found for certain keyoptions
  • Question: Integration with SBOM writer/encoding pattern or keep write to stdout separate flow
  • Question: static-analysis has increased to 4m beyond 2m timeout

@spiffcs spiffcs force-pushed the 510-attach-sbomb-attestation branch from 6a775c5 to a7a7b07 Compare January 31, 2022 18:26
@github-actions
Copy link

github-actions bot commented Jan 31, 2022
edited
Loading

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.59ms ± 1%    1.28ms ± 1%  -19.15%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            3.63ms ± 2%    2.93ms ± 0%  -19.39%  (p=0.016 n=5+4)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.26ms ± 3%    1.01ms ± 0%  -19.69%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2        1.00ms ± 5%    0.79ms ± 0%  -21.38%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                    1.16ms ± 1%    0.92ms ± 0%  -21.04%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                     1.04ms ± 3%    0.83ms ± 1%  -20.57%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      27.9ms ± 1%    22.4ms ± 1%  -19.62%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.58ms ± 4%    1.27ms ± 1%  -20.11%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          2.42µs ± 1%    1.91µs ± 1%  -20.97%  (p=0.008 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               253kB ± 0%     252kB ± 0%     ~     (p=0.056 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            1.06MB ± 0%    1.06MB ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     253kB ± 0%     253kB ± 0%     ~     (p=0.095 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         208kB ± 0%     208kB ± 0%   -0.09%  (p=0.016 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     254kB ± 0%     254kB ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      236kB ± 0%     236kB ± 0%   +0.13%  (p=0.016 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      4.20MB ± 0%    4.20MB ± 0%     ~     (p=0.548 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.30MB ± 0%    1.30MB ± 0%     ~     (p=0.421 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            608B ± 0%      608B ± 0%     ~     (all equal)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               6.33k ± 0%     6.33k ± 0%     ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2             21.4k ± 0%     21.4k ± 0%     ~     (p=0.143 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     7.25k ± 0%     7.25k ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         5.36k ± 0%     5.36k ± 0%     ~     (all equal)
ImagePackageCatalogers/dpkgdb-cataloger-2                     7.10k ± 0%     7.10k ± 0%     ~     (all equal)
ImagePackageCatalogers/rpmdb-cataloger-2                      6.82k ± 0%     6.82k ± 0%     ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                       86.8k ± 0%     86.8k ± 0%     ~     (p=0.159 n=5+4)
ImagePackageCatalogers/apkdb-cataloger-2                      7.37k ± 0%     7.37k ± 0%     ~     (p=0.643 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            14.0 ± 0%      14.0 ± 0%     ~     (all equal)

@spiffcs spiffcs force-pushed the 510-attach-sbomb-attestation branch from a7a7b07 to aadfda8 Compare January 31, 2022 18:42
@spiffcs spiffcs changed the title 510 - SBOMB attestation stdout 510 - SBOB attestation stdout Jan 31, 2022
@spiffcs spiffcs changed the title 510 - SBOB attestation stdout 510 - SBOM attestation stdout Jan 31, 2022
@spiffcs spiffcs force-pushed the 510-attach-sbomb-attestation branch from aadfda8 to 8e64d73 Compare February 1, 2022 14:34
@spiffcs spiffcs force-pushed the 510-attach-sbomb-attestation branch 3 times, most recently from 60ef4d1 to f086c54 Compare February 8, 2022 18:19
@spiffcs spiffcs marked this pull request as ready for review February 8, 2022 18:29
@spiffcs spiffcs force-pushed the 510-attach-sbomb-attestation branch 3 times, most recently from 54e11be to 5c0603e Compare February 9, 2022 19:08
@spiffcs spiffcs requested a review from a team February 10, 2022 15:04
@spiffcs
wip
7e49265 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs spiffcs force-pushed the 510-attach-sbomb-attestation branch from 26c1916 to 470c880 Compare February 10, 2022 15:09
spiffcs added 14 commits February 10, 2022 10:56
@spiffcs
update attest to import new library changes
976a404 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
revert to initial keysign bare bones execution
fafa270 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
remove writer from attest command
fb3d29b 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
add barebones password function - attestation work
11f73e7 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
remove outdated format
bfa8622 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
inject context
3f0929f 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
bind keyPath to local command flag
333f66b 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update command documentation - inject ctx
5af16b9 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update to use partybus to prevent hang
7f0f70a 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update so static analysis does not timeout on CI
e7249f8 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
add back framework for integration tests
14cefe5 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update command output remove todo
0f2f920 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update example text
86e87cd 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update attestation command to not panic
9138a27 
Signed-off-by: Christopher Phillips <[email protected]>
spiffcs and others added 20 commits February 18, 2022 09:56
@spiffcs
comment out test for future work
878df65 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update password select mechanism
e8ad930 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
test harness for password verification
c1d39d3 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update nit comments
5d1fa28 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
configure failing tests
4ecf3b4 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
tests are passing
eb10737 
Signed-off-by: Christopher Phillips <[email protected]>
@luhring @spiffcs
Fix panic in requirements.txt parsing (#834)
2879091 
* Stable sort for pipfile.lock parsing

Signed-off-by: Dan Luhring <[email protected]>

* Adjust python parsing tests to use go-cmp

Signed-off-by: Dan Luhring <[email protected]>

* Add failing cases for requirements.txt parsing

Signed-off-by: Dan Luhring <[email protected]>

* Fix failing cases for requirements.txt parsing

Signed-off-by: Dan Luhring <[email protected]>

* Refactor parseRequirementsTxt

Signed-off-by: Dan Luhring <[email protected]>

* Fix static-analysis failure

Signed-off-by: Dan Luhring <[email protected]>

* Fix comment

Signed-off-by: Dan Luhring <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
@houdini91 @spiffcs
Base64 encoder closing (#822)
c31931d 
Signed-off-by: houdini91 <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
@jonasagx @spiffcs
ignore minor parsing error when reading dpkg status files (#786)
1680cde 
* ignore minor parsing error when reading dpkg status files

helps with #733

Question: should we add a smarter parser to guess approximate installed-size
value?

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* add datasize lib to help dpkg parsing

added unit tests to expand coverage of dpkg parsing

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* drop parse error

added unit tests to handleNewKeyValue

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* don't return parsing errors from dpkg

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* test higher level functions

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* return parsing err to let cataloger handle it

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* ignore key parsing error

log warning with relevant context

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* add context info to log lines

simpler error assertion

Signed-off-by: Jonas Galvão Xavier <[email protected]>

* use error.As to assert error in chain

Signed-off-by: Jonas Galvão Xavier <[email protected]>
@spiffcs
update exported function for tests
19e4387 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update go mod
eda3ca2 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update go.mod to latest cosign version
c0d60ce 
Signed-off-by: Christopher Phillips <[email protected]>
@wagoodman
adjust attest options to be 12-factor-like
47fa22d 
Signed-off-by: Alex Goodman <[email protected]>
@spiffcs
Merge branch '510-attach-sbomb-attestation' of https://github.com/anc…
b9bfa48 
…hore/syft into 510-attach-sbomb-attestation

* '510-attach-sbomb-attestation' of https://github.com/anchore/syft: (63 commits)
  adjust attest options to be 12-factor-like
  update go.mod to latest cosign version
  update go mod
  update exported function for tests
  tests are passing
  configure failing tests
  ignore minor parsing error when reading dpkg status files (#786)
  update nit comments
  test harness for password verification
  update password select mechanism
  comment out test for future work
  Base64 encoder closing (#822)
  dog food attestation on syft image
  update function usage
  update correct predicate type formats for JSON
  update ci workflow to boostrap tools on cli tests
  update to bootstrap go
  update to find cosign temp
  access local temp directory
  check if cache issue
  ...
@spiffcs
update static analysis
1883815 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update failing test
36da7f4 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
uopdate README
bcd435e 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update readme with command
2525d42 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
update getting started
fe62f30 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
minor edits
4ef7657 
Signed-off-by: Christopher Phillips <[email protected]>
spiffcs
spiffcs commented Feb 18, 2022
View reviewed changes
README.md Outdated Show resolved Hide resolved
@spiffcs
readme updates
5524ea5 
Signed-off-by: Christopher Phillips <[email protected]>
wagoodman
wagoodman approved these changes Feb 22, 2022
View reviewed changes
Copy link
Contributor

@wagoodman wagoodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work --this is a huge feature 🎉 Can't wait for the keyless work next 🤓

@spiffcs spiffcs linked an issue Feb 22, 2022 that may be closed by this pull request
Ability to sign or attest the generated SBOM #510
Closed
@spiffcs
update to latest cosign
d6fa678 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs spiffcs merged commit 256e85b into main Feb 23, 2022
@spiffcs spiffcs deleted the 510-attach-sbomb-attestation branch February 23, 2022 02:45
@Dentrax Dentrax mentioned this pull request Jun 17, 2022
Open
@developer-guy developer-guy mentioned this pull request Sep 1, 2022
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@spiffcs
510 - SBOM attestation stdout (anchore#785)
ac08883 
add syft attest command to produce an attestation as application/vnd.in-toto+json to standard out using on disk PKI

Signed-off-by: Christopher Phillips <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Ability to sign or attest the generated SBOM
5 participants
@spiffcs @luhring @wagoodman @houdini91 @jonasagx