Only supplement SBOMs with file-layer info for specified SBOMs #3422

Merged: 1 commit merged into moby:master from the attestations-only-supplement-core branch, Jan 5, 2023

Conversation

jedevc (Member) commented Dec 16, 2022

⬆️ Follow-up to #3258.

Previously, we would attempt to add file data for every single SBOM; however, if these SBOMs were taken of layers that were not exported, then these could be wrong.

To work around this, for the file layer details to be added to the resulting SBOM, we require that the scanner add a metadata property to indicate the default value. This is configurable, since in the future we may want behavior that allows the frontend to specify no file layers, or wants an SBOM with layers other than the default.

There are some other possible solutions in the future: the "proper" way to do this would be to attach a second ref to every single attestation, so that we could track exactly what part of the build the attestation was about, so that we could then correctly identify which part of the layer chain we should extract file-layer info from. However, this would be a major refactor, and is something we can add later without loss of backwards compatibility in the future 🎉
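The gating described above, as an added illustration that is not BuildKit's own code: a scanner marks the SBOM that describes the exported image with a metadata property, and the exporter supplements only attestations that carry that property, leaving SBOMs of unexported layers (and non-SPDX attestations) untouched. The `Attestation` and `Layer` types, the property name `sbom.core`, and all digests and file names are constructed for this example; the PR text names neither the property nor the structures.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Attestation is a constructed, simplified model of an in-toto attestation as
// the image exporter sees it: its predicate type, the metadata the scanner
// attached, and the SPDX document body (kept as a generic map here).
type Attestation struct {
	Name          string
	PredicateType string
	Metadata      map[string][]byte
	SPDX          map[string]interface{}
}

// Layer is a constructed model of one exported image layer and the files it adds.
type Layer struct {
	Digest string
	Files  []string
}

const predicateSPDX = "https://spdx.dev/Document"

// sbomCoreKey is the metadata property a scanner sets on the SBOM that describes
// the exported image. The key name is an assumption for this example; the PR
// only says "a metadata property".
const sbomCoreKey = "sbom.core"

// isCoreSBOM reports whether an attestation is an SPDX SBOM that its scanner
// marked as describing the exported (default) layer chain.
func isCoreSBOM(a Attestation) bool {
	if a.PredicateType != predicateSPDX {
		return false
	}
	v, ok := a.Metadata[sbomCoreKey]
	return ok && string(v) == "true"
}

// fileEntries builds SPDX-style file records from the exported layers, each
// annotated with the digest of the layer that introduced the file.
func fileEntries(layers []Layer) []map[string]interface{} {
	var out []map[string]interface{}
	for _, l := range layers {
		for _, f := range l.Files {
			out = append(out, map[string]interface{}{
				"fileName":    f,
				"layerDigest": l.Digest,
			})
		}
	}
	return out
}

// SupplementSBOMs adds file-layer info only to core SBOMs and returns the names
// of the attestations it touched. SBOMs without the property (for example one
// scanned from a build stage whose layers never reach the exported image) are
// left untouched, so they cannot be annotated with files from the wrong layers.
func SupplementSBOMs(atts []Attestation, layers []Layer) []string {
	var done []string
	for i := range atts {
		if !isCoreSBOM(atts[i]) {
			continue
		}
		atts[i].SPDX["files"] = fileEntries(layers)
		done = append(done, atts[i].Name)
	}
	return done
}

// sampleInput constructs two SBOM attestations (one marked core, one from an
// unexported build stage) plus a provenance attestation, and two exported layers.
func sampleInput() ([]Attestation, []Layer) {
	atts := []Attestation{
		{Name: "sbom-final", PredicateType: predicateSPDX,
			Metadata: map[string][]byte{sbomCoreKey: []byte("true")},
			SPDX:     map[string]interface{}{"name": "final-image"}},
		{Name: "sbom-build-stage", PredicateType: predicateSPDX,
			Metadata: map[string][]byte{},
			SPDX:     map[string]interface{}{"name": "build-stage"}},
		{Name: "provenance", PredicateType: "https://slsa.dev/provenance/v0.2",
			Metadata: map[string][]byte{sbomCoreKey: []byte("true")}, // not an SBOM: ignored
			SPDX:     map[string]interface{}{}},
	}
	layers := []Layer{
		{Digest: "sha256:layer1-constructed", Files: []string{"/bin/app", "/etc/app.conf"}},
		{Digest: "sha256:layer2-constructed", Files: []string{"/usr/lib/libfoo.so"}},
	}
	return atts, layers
}

func main() {
	atts, layers := sampleInput()
	fmt.Println("supplemented:", SupplementSBOMs(atts, layers))
	for _, a := range atts {
		body, _ := json.MarshalIndent(a.SPDX, "", "  ")
		fmt.Printf("%s:\n%s\n", a.Name, body)
	}
}
```

Running it shows only `sbom-final` gaining `files` entries; the build-stage SBOM keeps its original body, which is the behaviour the PR is after. Because the property is a plain key/value in the attestation metadata, the same check can later be extended (no file layers, or a non-default layer set) without changing the attestation format.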

@jedevc jedevc requested a review from tonistiigi December 16, 2022 14:02
@jedevc jedevc force-pushed the attestations-only-supplement-core branch 2 times, most recently from 11ae4cb to ee27a27 January 5, 2023 10:28
@jedevc jedevc added this to the v0.11.0 milestone Jan 5, 2023
Previously, we would attempt to add file data for every single
SBOM; however, if these SBOMs were taken of layers that were not
exported, then these could be wrong.

To work around this, for the file layer details to be added to the
resulting SBOM, we require that the scanner add a metadata property to
indicate the default value. This is configurable, since in the future we
may want behavior that allows the frontend to specify no file layers, or
wants an SBOM with layers other than the default.

Signed-off-by: Justin Chadwell <[email protected]>
@jedevc jedevc force-pushed the attestations-only-supplement-core branch from ee27a27 to 2948389 January 5, 2023 14:13
@tonistiigi tonistiigi merged commit 733c043 into moby:master Jan 5, 2023
@tonistiigi tonistiigi mentioned this pull request Jan 6, 2023