generating SBOMs for both cosign and cosigned projects and sign them

[developer-guy]

Description

we (w/@Dentrax) thought that there are no SBOMs files generated and signed for both cosign and cosigned projects, so we're proposing to generate, sign them right after generating them via cosign's private key, and attach them to the proper registry. I'd like to list the tools that can help us to do that:

• https://github.com/anchore/syft
• https://github.com/anchore/sbom-action
• https://github.com/CycloneDX/gh-gomod-generate-sbom
• https://github.com/spdx/spdx-sbom-generator
• https://github.com/tern-tools/tern
• https://github.com/CycloneDX/cyclonedx-cli
• https://github.com/kubernetes/release/tree/master/cmd/bom

as an example the Kyverno project is already doing this:

👀 github.com/kyverno/kyverno/pull/2438/

cc: @luhring @puerco @cpanato @nishakm

[luhring]

The syft "sbom-action" might be a way to get started with almost no effort, even if this workflow step is later replaced in a future iteration.

Also, I just pulled in anchore/syft#510, which would simplify the SBOM generation + attestation workflow here.

[VinodAnandan]

We have helped with the SBOM generation for Kyverno, Trivy, gosec, Buildpack, etc. The following Github action is utilised to generate the SBOM, https://github.com/CycloneDX/gh-gomod-generate-sbom . It is simple and straightforward and generates an accurate SBOM with a dependency graph. @nscuro has already addressed @dlorenc's concern ( CycloneDX/cyclonedx-gomod#20 ) related to the accuracy of SBOM. The team is happy to address any further concerns and provide any help with the SBOM generation.

Cc: @nscuro, @stevespringett, @coderpatros, @DarthHater, @tricky42, @knqyf263, @masahiro331, @samj1912, @natalieparellano, @ShubhamPalriwala, @JimBugwadia, @ccojocar, @mmorel-35

[nscuro]

As cosign uses goreleaser, goreleaser/goreleaser#2597 (and consequently goreleaser/goreleaser#2618) may be relevant.

[developer-guy]

kindly reminder @dlorenc

[mattmoor]

For cosigned we added support for producing sboms with ko, so once we cut a new ko release we should get that for free (same with the cosign images we build with ko).

[developer-guy]

oh, that's so nice, would you mind sharing the PR on the ko side?

[mattmoor]

There were a few, but this connects a few of the dots: ko-build/ko#511

It's merged at HEAD. Please try it out and report any issues!

[developer-guy]

We (w/@Dentrax) would like to add CycloneDX support as well. May we do this? Because the CycloneDX community provides great go modules that we can use for this.

• https://github.com/CycloneDX/cyclonedx-go

[developer-guy]

works like a charm @mattmoor 🤩

[developer-guy]

Also, cosign supports text/spdx+json mediaType for SBOMs based on SPDX format. Maybe we can add this support too, WDYT @mattmoor? Is it worth it?

[mattmoor]

@developer-guy works for me! cc @imjasonh

[imjasonh]

works like a charm @mattmoor 🤩

Just a nit: ko build --sbom builds and pushes with an SBOM, and ko deps --sbom=spdx generates one on-demand from the binary in the image.

You should try ko build --sbom=spdx and cosign download sbom ... on the pushed image to verify that the SBOM was built and pushed and attached how cosign expects to find it.

[developer-guy]

what about making ko compliant with CycloneDX format, and also supporting text/spdx+json mediaType, I'd love to do that btw, I can create separate issues for that.

[mattmoor]

SPDX was always just a starting point. I think we'd love to have CycloneDX support as well.