Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create an "index SBOM" for multi-arch images #655

Closed
mattmoor opened this issue Mar 18, 2022 · 8 comments
Closed

Create an "index SBOM" for multi-arch images #655

mattmoor opened this issue Mar 18, 2022 · 8 comments
Labels
enhancement New feature or request lifecycle/frozen sbom Related to generation of SBOMs

Comments

@mattmoor
Copy link
Collaborator

Currently, as associate SBOMs with each of the constituent images in a multi-arch image, but we do not associate an SBOM with the top-level "index" manifest.

I was talking to @puerco about this (as well as #654).

Like the manifest list itself, I believe this would be a relatively thin SBOM that somehow referenced the constituent SBOMs (maybe in the same way as the linked issue?), but I defer to @puerco as the expert on the best practices here.

@mattmoor mattmoor added the enhancement New feature or request label Mar 18, 2022
@mattmoor
Copy link
Collaborator Author

@imjasonh imjasonh added the sbom Related to generation of SBOMs label Mar 28, 2022
@imjasonh
Copy link
Member

What should the "index" SBOM say is included? We already point to the base image(/index) we build on using the OCI annotations, is there something else we want to surface?

If the index SBOM is just a collection of pointers to platform-specific SBOMs, we kind of already get that by virtue of the index being a collection of pointers to the images, which each themselves have SBOMs.

(But I agree, let's defer to @puerco's expertise here 😄 )

@github-actions
Copy link

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

@mattmoor
Copy link
Collaborator Author

Hopefully @puerco can provide an example of what we should be doing here. 🙏

@mattmoor
Copy link
Collaborator Author

@puerco DM'd me this, posting here so I don't lose it 🤩

{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
  "spdxVersion": "",
  "creationInfo": {
    "created": "1970-01-01T00:00:00Z",
    "creators": [
      "Tool: apko (devel)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
  ],
  "packages": [
    {
      "SPDXID": "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "name": "sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "versionInfo": "",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "description": "Multi-arch image index",
      "downloadLocation": "",
      "originator": "",
      "sourceInfo": "Generated at build time by Chainguard apko",
      "copyrightText": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "relationshipType": "VARIANT_OF",
      "relatedSpdxElement": "386-image-sbom"
    },
    {
      "spdxElementId": "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "relationshipType": "VARIANT_OF",
      "relatedSpdxElement": "amd64-image-sbom"
    }
  ],
  "externalDocumentRefs": [
    {
      "checksum": {
        "algorithm": "SHA256",
        "checksumValue": "SBOMDIGEST_GOES_HERE"
      },
      "externalDocumentId": "386-image-sbom",
      "spdxDocument": ""
    },
    {
      "checksum": {
        "algorithm": "SHA256",
        "checksumValue": "SBOMDIGEST_GOES_HERE"
      },
      "externalDocumentId": "amd64-image-sbom",
      "spdxDocument": ""
    }
  ]
}

@puerco
Copy link
Contributor

puerco commented Jun 30, 2022

I just finished the first iteration in apko to generate the index sboms following that proposal. Here is a full exampl and some notes:

  1. The document has one package that represents the multiarch image.
  2. The SBOMs of each of the individual arch images are linked as external documents (externalDocumentRefs).
  3. Note the the digest in those fields corresponds to the hash of the SBOMs, the URL of the external ref (spdxDocument) is pointing directly to the blob because an SPDX client needs to fetch the SBOM from that URL to look up the referenced packages.
  4. The single package representing the index is linked to each of the individual arch images by adding a relationship to the external package, for example DocumentRef-386-image-sbom:SPDXRef-Package-sha256-d03709...
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
    "created": "1970-01-01T00:00:00Z",
    "creators": [
      "Tool: apko (devel)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
  ],
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "name": "172.19.0.1:5000/test-nosbom3@sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "description": "Multi-arch image index",
      "sourceInfo": "Generated at image build time by apko",
      "copyrightText": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
        }
      ],
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:oci/172.19.0.1:5000%2Ftest-nosbom3?mediaType=application%2Fvnd.oci.image.index.v1+json\u0026tag=latest",
          "referenceType": "purl"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "DocumentRef-386-image-sbom:SPDXRef-Package-sha256-d0370905ad41c4eb2b1a56f3139fd6a9acfcef203c27e2a9e1655eab28351fd6",
      "relationshipType": "VARIANT_OF",
      "relatedSpdxElement": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
    },
    {
      "spdxElementId": "DocumentRef-amd64-image-sbom:SPDXRef-Package-sha256-b09ddd04b47e07919402c15ea21bf839a95f6bf38ec0df1594c296425010cf1a",
      "relationshipType": "VARIANT_OF",
      "relatedSpdxElement": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
    }
  ],
  "externalDocumentRefs": [
    {
      "checksum": {
        "algorithm": "SHA256",
        "checksumValue": "89ddcc4bd6e2b110aef37f0ba7ae5a638bf8c221a9ba8b618bba908c10324d1c"
      },
      "externalDocumentId": "DocumentRef-386-image-sbom",
      "spdxDocument": "https://172.19.0.1:5000/v2/test-nosbom3/blobs/sha256:89ddcc4bd6e2b110aef37f0ba7ae5a638bf8c221a9ba8b618bba908c10324d1c"
    },
    {
      "checksum": {
        "algorithm": "SHA256",
        "checksumValue": "ff76954b0ade75e2b0c450696c73cc521ef94c94785d30c03c5d624217d2797c"
      },
      "externalDocumentId": "DocumentRef-amd64-image-sbom",
      "spdxDocument": "https://172.19.0.1:5000/v2/test-nosbom3/blobs/sha256:ff76954b0ade75e2b0c450696c73cc521ef94c94785d30c03c5d624217d2797c"
    }
  ]
}

@mattmoor
Copy link
Collaborator Author

For the JSON migration, there are types here: https://github.com/kubernetes-sigs/bom/blob/main/pkg/spdx/json/v2.2.2/types.go

mattmoor added a commit to mattmoor/ko that referenced this issue Jul 1, 2022
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few
adaptations.  I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs.

Related: ko-build#655
mattmoor added a commit to mattmoor/ko that referenced this issue Jul 1, 2022
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few
adaptations.  I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs.

Related: ko-build#655
mattmoor added a commit to mattmoor/ko that referenced this issue Jul 1, 2022
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few
adaptations.  I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs.

Related: ko-build#655
mattmoor added a commit to mattmoor/ko that referenced this issue Jul 5, 2022
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few
adaptations.  I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs.

Related: ko-build#655
mattmoor added a commit that referenced this issue Jul 5, 2022
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few
adaptations.  I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs.

Related: #655
@mattmoor
Copy link
Collaborator Author

mattmoor commented Jul 8, 2022

Here's a reference for the CycloneDX side of things: chainguard-dev/apko#274

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request lifecycle/frozen sbom Related to generation of SBOMs
Projects
None yet
Development

No branches or pull requests

3 participants