Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added attestation from intermediate multi-stage build steps #668

Merged
merged 1 commit into from
Oct 3, 2023
Merged

Added attestation from intermediate multi-stage build steps #668

merged 1 commit into from
Oct 3, 2023

Conversation

LaurentGoderre
Copy link
Member

@LaurentGoderre LaurentGoderre commented Sep 20, 2023
edited
Loading

This is what gets added:

{
  ...
  "AdditionalSPDXs": [
    {
      "SPDXID": "SPDXRef-DOCUMENT",
      "creationInfo": {
        "created": "2023-09-20T19:45:23Z",
        "creators": [
          "Organization: Docker, Inc",
          "Tool: docker-scout-0.24.1-2-gd3f9c2d"
        ]
      },
      "dataLicense": "CC0-1.0",
      "documentNamespace": "https://docker.com/docker-scout/fs/sbom-build-base-8ea53ed2-8747-4506-a95c-13345f58135c",
      "name": "sbom-build-base",
      "files": [...],
      "packages": [...],
      "relationships": [...],
      "spdxVersion": "SPDX-2.3"
    },
    {
      "SPDXID": "SPDXRef-DOCUMENT",
      "creationInfo": {
        "created": "2023-09-20T19:45:24Z",
        "creators": [
          "Organization: Docker, Inc",
          "Tool: docker-scout-0.24.1-2-gd3f9c2d"
        ]
      },
      "dataLicense": "CC0-1.0",
      "documentNamespace": "https://docker.com/docker-scout/fs/sbom-erlang-builder-12ef2ee7-9522-44c7-8a04-3de591c23097",
      "name": "sbom-erlang-builder",
      "files": [...],
      "packages": [...],
      "relationships": [...],
      "spdxVersion": "SPDX-2.3"
    }
  ]
}

@lukebakken lukebakken self-assigned this Sep 20, 2023
@lukebakken
Copy link
Collaborator

Thanks for the contribution.

What benefit does this have for users of this Docker image?

@LaurentGoderre
Copy link
Member Author

This is part of Docker's work to secure the software supply chain (I work with @tianon @ docker)

@LaurentGoderre
Copy link
Member Author

@lukebakken Im a bit new to this so I had to take sa bit of time to find the best way to explain the change,

This changes doesn't affect the content of the image but rather is helping get more metadata about how the image is generated by adding more SBOM attestation.

Let me know if that makes sense.

@lukebakken
Copy link
Collaborator

Sure, I googled BUILDKIT_SBOM_SCAN_STAGE when you opened the PR. I figure @tianon can review this PR. Seems fine to me otherwise.

yosifkit
yosifkit reviewed Sep 21, 2023
View reviewed changes
Dockerfile-ubuntu.template
@@ -145,6 +149,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version

FROM openssl-builder as erlang-builder

ARG BUILDKIT_SBOM_SCAN_STAGE=true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only the erlang-builder stage needs its SBOM captured since it is from the previous stage, openssl-builder, which is from the previous one, build-base, so having all three would just add duplication in the final SBOM.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that the base doesn't need them but the end image pull files from both the openssl-builder and erlang-builder image so I think they both need to have it

@LaurentGoderre
Copy link
Member Author

Updated by moving the scanning to the openssl layer in Alpine

@LaurentGoderre LaurentGoderre changed the title Added attestation from intermediate multi-stage build steps Added attestation from intermediate multi-stage build steps and binaries built from source Sep 25, 2023
@LaurentGoderre LaurentGoderre changed the title Added attestation from intermediate multi-stage build steps and binaries built from source Added attestation from intermediate multi-stage build steps Sep 25, 2023
whalelines
whalelines approved these changes Oct 3, 2023
View reviewed changes
Copy link

@whalelines whalelines left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@LaurentGoderre LaurentGoderre merged commit 1078026 into docker-library:master Oct 3, 2023
17 checks passed
@LaurentGoderre LaurentGoderre deleted the more-sbom branch October 3, 2023 16:57
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Oct 3, 2023
@docker-library-bot
Update rabbitmq
fa74938 
Changes:

- docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Oct 3, 2023
@docker-library-bot
Update rabbitmq
98c7a0c 
Changes:

- docker-library/rabbitmq@b015404: Merge pull request docker-library/rabbitmq#669 from LaurentGoderre/more-sbom-2
- docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom
- docker-library/rabbitmq@fbcfd9a: Added licenses to attestation of binaries compiled from source
- docker-library/rabbitmq@215db22: fixup
- docker-library/rabbitmq@9f71069: Add attestations for binaries compiled from source
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Oct 4, 2023
@docker-library-bot
Update rabbitmq
8e806ae 
Changes:

- docker-library/rabbitmq@b2387a8: Merge pull request docker-library/rabbitmq#670 from LaurentGoderre/remove-heredoc
- docker-library/rabbitmq@6e58700: Stop using HEREDOC for SBOM attestation because it breaks the DOI builds
- docker-library/rabbitmq@b015404: Merge pull request docker-library/rabbitmq#669 from LaurentGoderre/more-sbom-2
- docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom
- docker-library/rabbitmq@fbcfd9a: Added licenses to attestation of binaries compiled from source
- docker-library/rabbitmq@215db22: fixup
- docker-library/rabbitmq@9f71069: Add attestations for binaries compiled from source
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yosifkit yosifkit yosifkit left review comments

@whalelines whalelines whalelines approved these changes

@lukebakken lukebakken lukebakken approved these changes

@tianon tianon Awaiting requested review from tianon

Assignees

@lukebakken lukebakken

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@LaurentGoderre @lukebakken @yosifkit @whalelines