Create an "index SBOM" for multi-arch images #655
Comments
What should the "index" SBOM say is included? We already point to the base image(/index) we build on using the OCI annotations, is there something else we want to surface? If the index SBOM is just a collection of pointers to platform-specific SBOMs, we kind of already get that by virtue of the index being a collection of pointers to the images, which each themselves have SBOMs. (But I agree, let's defer to @puerco's expertise here 😄)

This issue is stale because it has been open for 90 days with no

Hopefully @puerco can provide an example of what we should be doing here. 🙏
@puerco DM'd me this, posting here so I don't lose it 🤩

```json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
  "spdxVersion": "",
  "creationInfo": {
    "created": "1970-01-01T00:00:00Z",
    "creators": [
      "Tool: apko (devel)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
  ],
  "packages": [
    {
      "SPDXID": "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "name": "sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "versionInfo": "",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "description": "Multi-arch image index",
      "downloadLocation": "",
      "originator": "",
      "sourceInfo": "Generated at build time by Chainguard apko",
      "copyrightText": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "relationshipType": "VARIANT_OF",
      "relatedSpdxElement": "386-image-sbom"
    },
    {
      "spdxElementId": "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "relationshipType": "VARIANT_OF",
      "relatedSpdxElement": "amd64-image-sbom"
    }
  ],
  "externalDocumentRefs": [
    {
      "checksum": {
        "algorithm": "SHA256",
        "checksumValue": "SBOMDIGEST_GOES_HERE"
      },
      "externalDocumentId": "386-image-sbom",
      "spdxDocument": ""
    },
    {
      "checksum": {
        "algorithm": "SHA256",
        "checksumValue": "SBOMDIGEST_GOES_HERE"
      },
      "externalDocumentId": "amd64-image-sbom",
      "spdxDocument": ""
    }
  ]
}
```
I just finished the first iteration in apko to generate the index sboms following that proposal. Here is a full example and some notes:

```json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
    "created": "1970-01-01T00:00:00Z",
    "creators": [
      "Tool: apko (devel)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
  ],
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "name": "172.19.0.1:5000/test-nosbom3@sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "description": "Multi-arch image index",
      "sourceInfo": "Generated at image build time by apko",
      "copyrightText": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
        }
      ],
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:oci/172.19.0.1:5000%2Ftest-nosbom3?mediaType=application%2Fvnd.oci.image.index.v1+json\u0026tag=latest",
          "referenceType": "purl"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "DocumentRef-386-image-sbom:SPDXRef-Package-sha256-d0370905ad41c4eb2b1a56f3139fd6a9acfcef203c27e2a9e1655eab28351fd6",
      "relationshipType": "VARIANT_OF",
      "relatedSpdxElement": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
    },
    {
      "spdxElementId": "DocumentRef-amd64-image-sbom:SPDXRef-Package-sha256-b09ddd04b47e07919402c15ea21bf839a95f6bf38ec0df1594c296425010cf1a",
      "relationshipType": "VARIANT_OF",
      "relatedSpdxElement": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
    }
  ],
  "externalDocumentRefs": [
    {
      "checksum": {
        "algorithm": "SHA256",
        "checksumValue": "89ddcc4bd6e2b110aef37f0ba7ae5a638bf8c221a9ba8b618bba908c10324d1c"
      },
      "externalDocumentId": "DocumentRef-386-image-sbom",
      "spdxDocument": "https://172.19.0.1:5000/v2/test-nosbom3/blobs/sha256:89ddcc4bd6e2b110aef37f0ba7ae5a638bf8c221a9ba8b618bba908c10324d1c"
    },
    {
      "checksum": {
        "algorithm": "SHA256",
        "checksumValue": "ff76954b0ade75e2b0c450696c73cc521ef94c94785d30c03c5d624217d2797c"
      },
      "externalDocumentId": "DocumentRef-amd64-image-sbom",
      "spdxDocument": "https://172.19.0.1:5000/v2/test-nosbom3/blobs/sha256:ff76954b0ade75e2b0c450696c73cc521ef94c94785d30c03c5d624217d2797c"
    }
  ]
}
```
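As an added example (not code from ko or apko, and not part of the original thread), the following Go program builds an index document in the shape shown above and then performs the consumer-side check that makes the `externalDocumentRefs` worth carrying: for each `DocumentRef-...` prefix used by a relationship it looks up the declared entry, fetches the blob by digest, and rehashes it before trusting it. It assumes the naming from the example (`DocumentRef-<arch>-image-sbom`, `SPDXRef-Package-sha256-<digest>`, registry v2 blob URLs); the repository name is taken from the example, while the platform digests, SBOM bytes and in-memory "registry" are constructed sample values. It generalizes to any number of platforms.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Only the SPDX 2.2 fields the index document needs for its cross-document links.
type Checksum struct {
	Algorithm     string `json:"algorithm"`
	ChecksumValue string `json:"checksumValue"`
}
type Package struct {
	SPDXID    string     `json:"SPDXID"`
	Name      string     `json:"name"`
	Checksums []Checksum `json:"checksums"`
}
type Relationship struct {
	SPDXElementID      string `json:"spdxElementId"`
	RelationshipType   string `json:"relationshipType"`
	RelatedSPDXElement string `json:"relatedSpdxElement"`
}
type ExternalDocumentRef struct {
	Checksum           Checksum `json:"checksum"`
	ExternalDocumentID string   `json:"externalDocumentId"`
	SPDXDocument       string   `json:"spdxDocument"`
}
type Document struct {
	SPDXID               string                `json:"SPDXID"`
	SPDXVersion          string                `json:"spdxVersion"`
	DocumentDescribes    []string              `json:"documentDescribes"`
	Packages             []Package             `json:"packages"`
	Relationships        []Relationship        `json:"relationships"`
	ExternalDocumentRefs []ExternalDocumentRef `json:"externalDocumentRefs"`
}

// PlatformSBOM: one per-arch image (hex manifest digest) plus its SBOM blob as pushed.
type PlatformSBOM struct {
	Arch, ImageDigest string
	SBOM              []byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildIndexSBOM emits the thin index document: one package for the index, one
// externalDocumentRef per platform SBOM pinned by that blob's sha256, and a
// VARIANT_OF relationship from each platform image package to the index package.
func BuildIndexSBOM(repo, indexDigest string, plats []PlatformSBOM) Document {
	host, path, _ := strings.Cut(repo, "/") // "host:port/name" -> registry v2 blob URL
	indexID := "SPDXRef-Package-sha256-" + indexDigest
	doc := Document{
		SPDXID: "SPDXRef-DOCUMENT", SPDXVersion: "SPDX-2.2", DocumentDescribes: []string{indexID},
		Packages: []Package{{SPDXID: indexID, Name: repo + "@sha256:" + indexDigest,
			Checksums: []Checksum{{Algorithm: "SHA256", ChecksumValue: indexDigest}}}},
	}
	for _, p := range plats {
		docRef, blob := "DocumentRef-"+p.Arch+"-image-sbom", sha256Hex(p.SBOM)
		doc.ExternalDocumentRefs = append(doc.ExternalDocumentRefs, ExternalDocumentRef{
			Checksum:           Checksum{Algorithm: "SHA256", ChecksumValue: blob},
			ExternalDocumentID: docRef,
			SPDXDocument:       "https://" + host + "/v2/" + path + "/blobs/sha256:" + blob,
		})
		doc.Relationships = append(doc.Relationships, Relationship{
			SPDXElementID:      docRef + ":SPDXRef-Package-sha256-" + p.ImageDigest,
			RelationshipType:   "VARIANT_OF",
			RelatedSPDXElement: indexID,
		})
	}
	return doc
}

// VerifyIndexSBOM is the consumer-side check: every DocumentRef a relationship
// uses must be declared in externalDocumentRefs, and the blob fetched for it
// (blobs stands in for the registry, keyed by hex digest; a missing blob hashes
// as empty and fails) must match the declared checksum before it is trusted.
func VerifyIndexSBOM(doc Document, blobs map[string][]byte) error {
	refs := map[string]ExternalDocumentRef{}
	for _, r := range doc.ExternalDocumentRefs {
		refs[r.ExternalDocumentID] = r
	}
	for _, rel := range doc.Relationships {
		docRef, _, ok := strings.Cut(rel.SPDXElementID, ":")
		if !ok || !strings.HasPrefix(docRef, "DocumentRef-") {
			continue // local element, nothing external to check
		}
		ref, declared := refs[docRef]
		if !declared {
			return fmt.Errorf("relationship uses undeclared %s", docRef)
		}
		want := ref.Checksum.ChecksumValue
		if got := sha256Hex(blobs[want]); got != want {
			return fmt.Errorf("%s: blob sha256:%s does not match (got %s)", docRef, want, got)
		}
	}
	return nil
}

// Constructed sample: placeholder platform SBOM bytes (only their digests matter)
// and an in-memory registry keyed by hex digest.
func sample() ([]PlatformSBOM, map[string][]byte) {
	plats := []PlatformSBOM{
		{Arch: "386", ImageDigest: strings.Repeat("d0", 32), SBOM: []byte(`{"name":"sbom-386"}`)},
		{Arch: "amd64", ImageDigest: strings.Repeat("b0", 32), SBOM: []byte(`{"name":"sbom-amd64"}`)},
	}
	blobs := map[string][]byte{}
	for _, p := range plats {
		blobs[sha256Hex(p.SBOM)] = p.SBOM
	}
	return plats, blobs
}

func main() {
	plats, blobs := sample()
	doc := BuildIndexSBOM("172.19.0.1:5000/test-nosbom3", strings.Repeat("af", 32), plats)
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
	fmt.Println("verify:", VerifyIndexSBOM(doc, blobs))
}
```

The point of the `checksum` in each `externalDocumentRefs` entry is that it pins the platform SBOM by content, independent of the `spdxDocument` URL: a consumer that fetches by that URL should rehash what it gets and refuse the document on mismatch, and should treat a `DocumentRef-` prefix with no matching entry as an error rather than silently ignoring the relationship.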
For the JSON migration, there are types here: https://github.com/kubernetes-sigs/bom/blob/main/pkg/spdx/json/v2.2.2/types.go
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few adaptations. I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs. Related: ko-build#655
Here's a reference for the CycloneDX side of things: chainguard-dev/apko#274
Currently, we associate SBOMs with each of the constituent images in a multi-arch image, but we do not associate an SBOM with the top-level "index" manifest.
I was talking to @puerco about this (as well as #654).
Like the manifest list itself, I believe this would be a relatively thin SBOM that somehow referenced the constituent SBOMs (maybe in the same way as the linked issue?), but I defer to @puerco as the expert on the best practices here.