From 2948389c3e949a3d9cc96302dbeb5e5e59412481 Mon Sep 17 00:00:00 2001
From: Justin Chadwell
Date: Fri, 16 Dec 2022 13:46:49 +0000
Subject: [PATCH] attestation: only supplement file data for the core scan

Previously, we would attempt to add file data for every single SBOM - however, if these SBOMs were taken of layers that were not exported, then these could be wrong. To workaround this, for the file layer details to be added to the resulting SBOM, we require that the scanner add a metadata property to indicate the default value. This is configurable, since in the future we may want behavior that allows the frontend to specify no file layers, or wants an SBOM with layers other than the default.

Signed-off-by: Justin Chadwell
---
 docs/attestations/sbom-protocol.md | 5 ++---
 exporter/containerimage/attestations.go | 8 ++++++++
 frontend/attestations/sbom/sbom.go | 1 +
 solver/result/attestation.go | 1 +
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/docs/attestations/sbom-protocol.md b/docs/attestations/sbom-protocol.md
index 47b623ea95df..1505fbfffcca 100644
--- a/docs/attestations/sbom-protocol.md
+++ b/docs/attestations/sbom-protocol.md
@@ -48,9 +48,8 @@ by BuildKit: This variable specifies the main target, passing the path to the root filesystem of the final build result. - The scanner should scan this filesystem, and write its SBOM scans to - `$BUILDKIT_SCAN_DESTINATION/.spdx.json`. If the scan name is not - significant the scan can be named `$(basename $BUILDKIT_SCAN_SOURCE)`. + The scanner should scan this filesystem, and write its SBOM result to + `$BUILDKIT_SCAN_DESTINATION/$(basename $BUILDKIT_SCAN_SOURCE).spdx.json`. - `BUILDKIT_SCAN_SOURCE_EXTRAS` (optional)
diff --git a/exporter/containerimage/attestations.go b/exporter/containerimage/attestations.go
index c9eef91c0c4a..782c18733035 100644
--- a/exporter/containerimage/attestations.go
+++ b/exporter/containerimage/attestations.go
@@ -14,6 +14,7 @@ import (
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/result"
 	"github.com/moby/buildkit/version"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -35,6 +36,13 @@ func supplementSBOM(ctx context.Context, s session.Group, target cache.Immutable
 	if att.InToto.PredicateType != intoto.PredicateSPDX {
 		return att, nil
 	}
+	name, ok := att.Metadata[result.AttestationSBOMCore]
+	if !ok {
+		return att, nil
+	}
+	if n, _, _ := strings.Cut(att.Path, "."); n != string(name) {
+		return att, nil
+	}
 	content, err := attestation.ReadAll(ctx, s, att)
 	if err != nil {
diff --git a/frontend/attestations/sbom/sbom.go b/frontend/attestations/sbom/sbom.go
index 4d86f74140bf..b4446aed45f0 100644
--- a/frontend/attestations/sbom/sbom.go
+++ b/frontend/attestations/sbom/sbom.go
@@ -89,6 +89,7 @@ func CreateSBOMScanner(ctx context.Context, resolver llb.ImageMetaResolver, scan
 		Ref: stsbom,
 		Metadata: map[string][]byte{
 			result.AttestationReasonKey: []byte(result.AttestationReasonSBOM),
+			result.AttestationSBOMCore: []byte(CoreSBOMName),
 		},
 		InToto: result.InTotoAttestation{
 			PredicateType: intoto.PredicateSPDX,
diff --git a/solver/result/attestation.go b/solver/result/attestation.go
index 450016ffab70..77af74da1906 100644
--- a/solver/result/attestation.go
+++ b/solver/result/attestation.go
@@ -9,6 +9,7 @@ import (
 const (
 	AttestationReasonKey = "reason"
+	AttestationSBOMCore = "sbom-core"
 	AttestationInlineOnlyKey = "inline-only"
 )
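Review bot: The new gate `if n, _, _ := strings.Cut(att.Path, "."); n != string(name)` takes everything before the first dot of the whole path, so if `att.Path` ever carries a directory component, or the core scan name itself contains a dot, the comparison never matches and the core SBOM silently loses its file/layer data; whether `att.Path` can contain separators is not visible here. Matching on the basename and trimming the suffix this commit now mandates in the protocol doc is closer to the stated contract: `if strings.TrimSuffix(path.Base(att.Path), ".spdx.json") != string(name) {` (importing `path` if it is not already). The fail direction is the safe one (data is omitted, never attached to the wrong layers), so the remaining concern is diagnosability: both added early returns bail out silently, and a debug log line naming `att.Path` and the expected core name would make a missing supplement far easier to explain. `supplementSBOM`'s body continues outside the hunk.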
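Review bot: `AttestationSBOMCore` is added to the `const` block without a doc comment, yet from the exporter hunk in this same commit it is the only signal deciding which SBOM gets file/layer data attached, so its meaning and expected value deserve stating where the key is defined. A comment such as `// AttestationSBOMCore holds the name (without extension) of the SBOM scan taken of the exported root filesystem; only that scan is supplemented with layer and file data.` would document the contract for the next frontend that sets it. The neighbouring keys show no comments in the visible lines, so this may be the file's style; if so, a short trailing `// scan name, not a flag` is still worth having.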