attestation: only supplement file data for the core scan
Previously, we would attempt to add file data for every single
SBOM - however, if these SBOMs were taken of layers that were not
exported, then these could be wrong.

To work around this, for the file layer details to be added to the
resulting SBOM, we require that the scanner add a metadata property to
indicate the default value. This is configurable, since in the future we
may want behavior that allows the frontend to specify no file layers, or
wants an SBOM with layers other than the default.

Signed-off-by: Justin Chadwell <[email protected]>
jedevc committed Jan 5, 2023
1 parent 617b78c commit ee27a27
Showing 4 changed files with 12 additions and 3 deletions.
5 changes: 2 additions & 3 deletions docs/sbom-protocol.md
@@ -48,9 +48,8 @@ by BuildKit:
This variable specifies the main target, passing the path to the root
filesystem of the final build result.

The scanner should scan this filesystem, and write its SBOM scans to
`$BUILDKIT_SCAN_DESTINATION/<scan>.spdx.json`. If the scan name is not
significant the scan can be named `$(basename $BUILDKIT_SCAN_SOURCE)`.
The scanner should scan this filesystem, and write its SBOM result to
`$BUILDKIT_SCAN_DESTINATION/$(basename $BUILDKIT_SCAN_SOURCE).spdx.json`.

- `BUILDKIT_SCAN_SOURCE_EXTRAS` (optional)

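Review bot: The new wording drops any statement of why the file name matters, while the accompanying change in exporter/containerimage/attestations.go only supplements layer and file data for the scan whose name matches the core scan name; a scanner author reading this page will not learn that an SBOM written under any other name is exported exactly as produced. Suggest adding one sentence after the new paragraph, e.g. "BuildKit adds layer and file information only to this result; SBOMs written for `BUILDKIT_SCAN_SOURCE_EXTRAS` are kept as the scanner produced them." Since `$(basename $BUILDKIT_SCAN_SOURCE).spdx.json` has gone from a suggestion to a requirement, it is also worth wording it as a MUST so scanners that relied on the old "if the scan name is not significant" freedom know they have to change.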
8 changes: 8 additions & 0 deletions exporter/containerimage/attestations.go
@@ -14,6 +14,7 @@ import (
gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
"github.com/moby/buildkit/session"
"github.com/moby/buildkit/solver"
"github.com/moby/buildkit/solver/result"
"github.com/moby/buildkit/version"
ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/pkg/errors"
@@ -35,6 +36,13 @@ func supplementSBOM(ctx context.Context, s session.Group, target cache.Immutable
if att.InToto.PredicateType != intoto.PredicateSPDX {
return att, nil
}
name, ok := att.Metadata[result.AttestationSBOMCore]
if !ok {
return att, nil
}
if n, _, _ := strings.Cut(att.Path, "."); n != string(name) {
return att, nil
}

content, err := attestation.ReadAll(ctx, s, att)
if err != nil {
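Review bot: The name check `if n, _, _ := strings.Cut(att.Path, "."); n != string(name)` compares everything before the first `.` in att.Path with the core name, so it never matches if att.Path carries a directory component or if the core name itself ever contains a dot, and in both cases the attestation silently ships without file data. Matching the layout the docs now mandate, `$(basename $BUILDKIT_SCAN_SOURCE).spdx.json`, would be more robust, e.g. `if strings.TrimSuffix(path.Base(att.Path), ".spdx.json") != string(name) {`. The two early `return att, nil` paths also deserve a short comment saying that a missing `sbom-core` key or a non-core scan is the expected case rather than an error, since a reader of supplementSBOM otherwise has no way to tell why layer data was omitted.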
1 change: 1 addition & 0 deletions frontend/attestations/sbom/sbom.go
@@ -89,6 +89,7 @@ func CreateSBOMScanner(ctx context.Context, resolver llb.ImageMetaResolver, scan
Ref: stsbom,
Metadata: map[string][]byte{
result.AttestationReasonKey: []byte(result.AttestationReasonSBOM),
result.AttestationSBOMCore: []byte(CoreSBOMName),
},
InToto: result.InTotoAttestation{
PredicateType: intoto.PredicateSPDX,
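Review bot: The commit message describes the core-scan name as configurable, but this hunk always writes `result.AttestationSBOMCore: []byte(CoreSBOMName)` with no way for the frontend to pass a different name or to omit the key; either the message should say the knob is a follow-up, or CreateSBOMScanner should take the name as a parameter. It would also help to assert, or at least comment, that CoreSBOMName is the same value the scanner is told to use as `$(basename $BUILDKIT_SCAN_SOURCE)`, since the match in supplementSBOM depends on the two agreeing and nothing in this diff ties them together.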
1 change: 1 addition & 0 deletions solver/result/attestation.go
@@ -9,6 +9,7 @@ import (

const (
AttestationReasonKey = "reason"
AttestationSBOMCore = "sbom-core"
AttestationInlineOnlyKey = "inline-only"
)

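Review bot: `AttestationSBOMCore` breaks the naming pattern of its neighbours `AttestationReasonKey` and `AttestationInlineOnlyKey`: the other metadata keys carry a `Key` suffix, so `AttestationSBOMCoreKey` would be consistent and make clear at the use site in attestations.go that it is a map key rather than a value. A one-line doc comment stating that the value is the name of the scan that should receive supplemented layer data would also help, as the constant block currently has none.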

0 comments on commit ee27a27