-
Notifications
You must be signed in to change notification settings - Fork 585
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for reading SBOMs on the image attached by buildpacks #520
Comments
Interesting! Today's path for getting SBOM information is from syft (either by cataloging on the spot, or using syft to decode SBOM documents for grype's purposes). Since all of the formats in question are already supported in terms of our decoding ability (or will soon be supported) this seems to be more of a "how do we request and handle transport of the SBOM bytes" first. This hints at adding code to grype that can handle the request/transport first and present that to syfts decoders (and not to syft). We use schemes to tell grype exactly how to deal with a specific input. We could add a new scheme like:
(TBD on the scheme name, up to other suggestions... To instruct grype to surgically pull down only the SBOM layers (if the image isn't already local) and then pass the payloads into syft. We tend to push down much of the image parsing logic down into stereoscope, and it may be the case that much of the layer fetching and such would belong here (and not directly in grype). From a high level I think this would work great. From the next level of detail down there are some things that would still need to be figured out:
|
@wagoodman thanks for the detailed feedback! I am assuming we would require something similar for #519 where the SBOM is attached in the cosign format and introduce Alternatively, we could also possibly auto-detect if an image has cosign/buildpacks sbom based on image metadata. Potentially this auto-detect behavior can be guarded by a flag on the CLI/grype config file? Separately - is there any slack channel/IRC/preferred way of communication for grype/syft or would you prefer discussions/questions on the implementation for this in a draft PR or this issue? |
I believe so, yup. I might take a pulse on the various ways SBOMs are intersecting with all-things-OCI to see what makes sense from a naming-perspective for all of these new schemes.
We do have an auto-detect execution path if no scheme is given (so this wouldn't be an alternative per se). This could be amended to include cosign/buildpacks, but I think that's dependent on the specifics of the behavior here and if it works in the "default path", so probably TBD after the initial scheme work.
Chatting here on the issue, in our #general slack channel, collaborating on a draft PR directly, or joining on a zoom chat at our community meetings all work well --whichever you prefer works well for us 👍 . (side note: our first community meeting is this Thursday 🎉 , so the agenda is wide open ) |
Thanks, I will try to join the community meeting tomorrow and introduce myself and this issue to the wider community :) |
@wagoodman I have been looking into the source code for stereoscope and I have a few thoughts -
Given the above, would it instead be useful to have a flag (--buildpacks or --cnb) or an additional identifier to the scheme (something like docker-archive+cnb, docker+cnb, registry+cnb and so on)? I am hoping we can use the scheme of type This brings me to the following points -
I would imagine the series of steps of cosign would converge after step 5. I still have to give some thought around the interfaces we can use to denote an SBOM image attachment (whether through buildpacks or cosign or in the future through OCI attachments) and how to mark that as a collection of sbom files + metadata that can be passed back to syft to merge/generate packages from. And finally some missing pieces on how to create a generic interface for sbom merging in syft to handle merging in all of these cases. Does the above proposal look sane? |
Soft bump on this - we're putting this back into the backlog right now for one of the team members to pick up when we have the cycles. I really appreciate the work that has already been done on this: Steps for the feature:
|
What would you like to be added:
Buildpacks is a CNCF project that can create secure and minimal images from source code. It currently has a well-spec'd way of attaching SBOMs to the output image. Grype should use this information to load the attached image SBOMs for vuln. matching. See https://github.com/buildpacks/spec/blob/main/buildpack.md#software-bill-of-materials for the spec.
Why is this needed:
Buildpacks allow SBOM generation at build time. This leads to more accurate SBOMs generated by the same process that created the software artifact in the first place. We can use this information to create more accurate vuln reports.
Additional context:
Buildpacks currently support Syft, CycloneDx and SPDX SBOM formats. They also store an SBOM per layer. The SBOM blob is stored as a separate identifiable layer, so we don't even need to download the entire image to fetch the attached SBOMs.
Also related to #519, #481, #395, anchore/syft#631, anchore/syft#612 , buildpacks/spec#257, buildpacks/rfcs#195
The text was updated successfully, but these errors were encountered: