
feat: syft attestor #167

Merged
merged 1 commit into from
Apr 8, 2022

Conversation

mikhailswift
Member

Adds an attestor that creates a SBOM using syft for a provided source or
an automatically detected image tar file from the context's products.

Signed-off-by: Mikhail Swift [email protected]

@coveralls

coveralls commented Mar 7, 2022

Pull Request Test Coverage Report for Build 2116089781

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 38.02%

Totals Coverage Status
Change from base Build 2110349725: 0.0%
Covered Lines: 822
Relevant Lines: 2162

💛 - Coveralls

@colek42
Member

colek42 commented Mar 7, 2022

The digest here is md5:

    "path": "/usr/lib/apache2/modules/mod_authz_user.so",
    "digest": {
      "algorithm": "md5",
      "value": "a68a61bba6b829f044fd1e01acfcabdc"
    },
    "isConfigFile": false

Is there a way to use whatever is in the attestation context?

From the docs it looks like it should be configurable:

    # SYFT_FILE_METADATA_DIGESTS env var
    digests: ["sha256"]
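A check a reviewer might run over the attestor's syft JSON output before trusting it, as an added example (not Witness or syft code): it walks an SBOM document and reports every digest object whose algorithm is outside an allowed set, wherever it sits. The SBOM fragment is constructed to match the shape quoted above; the package name and the sha256 value are placeholders.

```python
from __future__ import annotations

import json
from typing import Any, Iterator

# Digest algorithms acceptable in an attestation; anything else is reported.
ALLOWED_ALGORITHMS = {"sha256", "sha512"}

# Constructed SBOM fragment in the shape of the syft JSON quoted in the thread
# (a dpkg file record with an md5 digest) plus one sha256 record whose value
# is a placeholder; the package name is made up.
SAMPLE_SBOM = json.loads("""
{
  "artifacts": [
    {
      "name": "example-package",
      "metadata": {
        "files": [
          {"path": "/usr/lib/apache2/modules/mod_authz_user.so",
           "digest": {"algorithm": "md5",
                      "value": "a68a61bba6b829f044fd1e01acfcabdc"},
           "isConfigFile": false},
          {"path": "/etc/apache2/mods-available/authz_user.load",
           "digest": {"algorithm": "sha256", "value": "%s"},
           "isConfigFile": true}
        ]
      }
    }
  ]
}
""" % ("00" * 32))


def iter_digests(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, algorithm) for every {"algorithm", "value"} object,
    wherever it sits (package metadata or the top-level files section)."""
    if isinstance(node, dict):
        if "algorithm" in node and "value" in node:
            yield path, str(node["algorithm"]).lower()
        for key, child in node.items():
            yield from iter_digests(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from iter_digests(child, f"{path}[{i}]")


def weak_digests(sbom: Any, allowed=ALLOWED_ALGORITHMS) -> list[tuple[str, str]]:
    """Return (json_path, algorithm) for digests outside the allowed set."""
    return [(p, a) for p, a in iter_digests(sbom) if a not in allowed]
```

Run `weak_digests(json.load(open("sbom.json")))` against a real syft JSON document to list the locations whose digest algorithm would need to be reconciled with the attestation context's hash configuration.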

@colek42
Member

colek42 commented Mar 7, 2022

  • Looks like there is a vuln introduced with syft. Can we pin gin to a recent version?
  • We are introducing MPL and GPL code here. I think we need to document it in our repository. There will also be considerations for any downstream consumers.

@mikhailswift
Member Author

I'm doubtful that there is actually GPL'd code being compiled into Witness here. The first instance snyk finds is

github.com/testifysec/[email protected] › github.com/opencontainers/[email protected] › github.com/golangci/[email protected] › github.com/OpenPeeDeeP/[email protected]

open-containers/image-spec is licensed under Apache 2, the same as Witness and does not import golangci-lint anywhere in their go code, so we're not compiling in ours, either. I'll do a more thorough look through the rest but it seems like snyk is picking up image-spec's CI tools as part of the library.

@mikhailswift
Member Author

I also don't believe we're vulnerable to either of the vulnerabilities detected.

The gin vulnerability is focused around gin's logging functionality, which we're not using at all.

The opa vuln we're also not using; we're using an unaffected version of opa for our rego evaluation.

@mikhailswift
Member Author

I did try replacing gin with a newer version; it seemed to compile.

@mikhailswift
Member Author

mikhailswift commented Mar 8, 2022

go mod graph is not showing any versions of opa below 0.37, which doesn't have that CVE.

go mod graph is not showing rapid as being part of our project; it seems like a test library, so I'm guessing some dependency uses it in their tests.

anchore/go-version is MPL. MPL isn't viral like GPL and is only concerned with modifications to the MPL code, which we're not doing, and Witness is open source, so any modifications would be freely available here.

@mikhailswift
Member Author

I'll look into the hashing stuff in a bit.

mikhailswift added a commit to zarf-dev/zarf that referenced this pull request Mar 8, 2022
mikhailswift added a commit to zarf-dev/zarf that referenced this pull request Mar 29, 2022
mikhailswift added a commit to zarf-dev/zarf that referenced this pull request Apr 2, 2022
@jeff-mccoy

👋 what's the plan for this PR to be merged in? We have a PR in Zarf pointing to a commit hash in this PR. Thanks!

@mikhailswift
Member Author

This will be merged in today.

@colek42
Member

colek42 commented Apr 8, 2022

I have some issues with the dependencies we are pulling in here. This is a good short term fix; however, we need to bring SBOM functionality in-tree.

@colek42 colek42 merged commit d689897 into main Apr 8, 2022
@colek42 colek42 deleted the feat/syft-attestor branch April 8, 2022 15:41
@mikhailswift
Member Author

> I have some issues with the dependencies we are pulling in here. This is a good short term fix; however, we need to bring SBOM functionality in-tree.

Yes, as we've discussed.
