attestation: only supplement file data for the core scan

Previously, we would attempt to add file data for every single SBOM - however, if these SBOMs were taken of layers that were not exported, then these could be wrong. To workaround this, for the file layer details to be added to the resulting SBOM, we require that the scanner add a metadata property to indicate the default value. This is configurable, since in the future we may want behavior that allows the frontend to specify no file layers, or wants an SBOM with layers other than the default. Signed-off-by: Justin Chadwell <[email protected]>
tonistiigi · Jan 5, 2023 · 2948389 · 2948389
1 parent f47540f
commit 2948389
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 3 deletions.
diff --git a/docs/attestations/sbom-protocol.md b/docs/attestations/sbom-protocol.md
@@ -48,9 +48,8 @@ by BuildKit:
   This variable specifies the main target, passing the path to the root
   filesystem of the final build result.
 
-  The scanner should scan this filesystem, and write its SBOM scans to
-  `$BUILDKIT_SCAN_DESTINATION/<scan>.spdx.json`. If the scan name is not
-  significant the scan can be named `$(basename $BUILDKIT_SCAN_SOURCE)`.
+  The scanner should scan this filesystem, and write its SBOM result to
+  `$BUILDKIT_SCAN_DESTINATION/$(basename $BUILDKIT_SCAN_SOURCE).spdx.json`.
 
 - `BUILDKIT_SCAN_SOURCE_EXTRAS` (optional)
 

diff --git a/exporter/containerimage/attestations.go b/exporter/containerimage/attestations.go
@@ -14,6 +14,7 @@ import (
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/result"
 	"github.com/moby/buildkit/version"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -35,6 +36,13 @@ func supplementSBOM(ctx context.Context, s session.Group, target cache.Immutable
 	if att.InToto.PredicateType != intoto.PredicateSPDX {
 		return att, nil
 	}
+	name, ok := att.Metadata[result.AttestationSBOMCore]
+	if !ok {
+		return att, nil
+	}
+	if n, _, _ := strings.Cut(att.Path, "."); n != string(name) {
+		return att, nil
+	}
 
 	content, err := attestation.ReadAll(ctx, s, att)
 	if err != nil {

diff --git a/frontend/attestations/sbom/sbom.go b/frontend/attestations/sbom/sbom.go
@@ -89,6 +89,7 @@ func CreateSBOMScanner(ctx context.Context, resolver llb.ImageMetaResolver, scan
 			Ref:  stsbom,
 			Metadata: map[string][]byte{
 				result.AttestationReasonKey: []byte(result.AttestationReasonSBOM),
+				result.AttestationSBOMCore:  []byte(CoreSBOMName),
 			},
 			InToto: result.InTotoAttestation{
 				PredicateType: intoto.PredicateSPDX,

diff --git a/solver/result/attestation.go b/solver/result/attestation.go
@@ -9,6 +9,7 @@ import (
 
 const (
 	AttestationReasonKey     = "reason"
+	AttestationSBOMCore      = "sbom-core"
 	AttestationInlineOnlyKey = "inline-only"
 )
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,7 @@ import ( @@
     const (
     	AttestationReasonKey     = "reason"
+    	AttestationSBOMCore      = "sbom-core"
     	AttestationInlineOnlyKey = "inline-only"
     )
@@ Expand Down @@