Added attestation from intermediate multi-stage build steps #668

Merged
merged 1 commit into from
Oct 3, 2023

Conversation

LaurentGoderre
Member

@LaurentGoderre LaurentGoderre commented Sep 20, 2023

This is what gets added:

{
  ...
  "AdditionalSPDXs": [
    {
      "SPDXID": "SPDXRef-DOCUMENT",
      "creationInfo": {
        "created": "2023-09-20T19:45:23Z",
        "creators": [
          "Organization: Docker, Inc",
          "Tool: docker-scout-0.24.1-2-gd3f9c2d"
        ]
      },
      "dataLicense": "CC0-1.0",
      "documentNamespace": "https://docker.com/docker-scout/fs/sbom-build-base-8ea53ed2-8747-4506-a95c-13345f58135c",
      "name": "sbom-build-base",
      "files": [...],
      "packages": [...],
      "relationships": [...],
      "spdxVersion": "SPDX-2.3"
    },
    {
      "SPDXID": "SPDXRef-DOCUMENT",
      "creationInfo": {
        "created": "2023-09-20T19:45:24Z",
        "creators": [
          "Organization: Docker, Inc",
          "Tool: docker-scout-0.24.1-2-gd3f9c2d"
        ]
      },
      "dataLicense": "CC0-1.0",
      "documentNamespace": "https://docker.com/docker-scout/fs/sbom-erlang-builder-12ef2ee7-9522-44c7-8a04-3de591c23097",
      "name": "sbom-erlang-builder",
      "files": [...],
      "packages": [...],
      "relationships": [...],
      "spdxVersion": "SPDX-2.3"
    }
  ]
}

@lukebakken
Collaborator

Thanks for the contribution.

What benefit does this have for users of this Docker image?

@LaurentGoderre
Member Author

This is part of Docker's work to secure the software supply chain (I work with @tianon @ docker)

@LaurentGoderre
Member Author

@lukebakken I'm a bit new to this so I had to take a bit of time to find the best way to explain the change.

This change doesn't affect the content of the image but rather helps get more metadata about how the image is generated by adding more SBOM attestations.

Let me know if that makes sense.

@lukebakken
Collaborator

Sure, I googled BUILDKIT_SBOM_SCAN_STAGE when you opened the PR. I figure @tianon can review this PR. Seems fine to me otherwise.

@@ -145,6 +149,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version

FROM openssl-builder as erlang-builder

ARG BUILDKIT_SBOM_SCAN_STAGE=true
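Review bot: `ARG BUILDKIT_SBOM_SCAN_STAGE=true` is a request, not a guarantee: it only has an effect when the build itself asks for SBOM attestations (`docker buildx build --sbom=true`, or `--attest type=sbom`); on a plain build the line is an unused ARG and the published attestations are unchanged, so the PR description should state which build invocation produces the `AdditionalSPDXs` it shows. Because an ARG is scoped to the stage that declares it, this line covers `erlang-builder` only; the thread notes that the final stage also copies files out of `openssl-builder`, so that stage needs its own `ARG BUILDKIT_SBOM_SCAN_STAGE=true` (or the scan has to move there, as the author later says was done).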
Member
Only the erlang-builder stage needs its SBOM captured since it is from the previous stage, openssl-builder, which is from the previous one, build-base, so having all three would just add duplication in the final SBOM.

Member Author
I agree that the base doesn't need them, but the end image pulls files from both the openssl-builder and erlang-builder images, so I think they both need to have it.
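As an added example (not code from this PR, the rabbitmq image, or BuildKit), the following Python script consumes the attestation shape shown in the PR description, an object whose `AdditionalSPDXs` array holds one SPDX 2.3 document per scanned stage named `sbom-<stage>`, and performs the two checks this review thread turns on: whether every stage the final image copies from actually has a stage SBOM, and how many packages are reported more than once because a base stage and the stage built on it were both scanned. `SAMPLE_ATTESTATION`, `EXPECTED_STAGES`, and every package name and version in it are constructed for the example; for a single-platform image, `docker buildx imagetools inspect <image> --format '{{ json .SBOM }}'` prints an object of this shape that can be fed in instead.

```python
"""Sanity-check a BuildKit SBOM attestation for intermediate-stage documents.

Added example, not code from the rabbitmq image or from BuildKit. It reads the
JSON shape shown in the PR description: an object whose `AdditionalSPDXs` array
holds one SPDX 2.3 document per scanned build stage, named `sbom-<stage>`.
"""
import json
import re

# Constructed sample in the shape of the PR description. The `files` and
# `relationships` arrays are left out, and the package entries are invented to
# illustrate the duplication concern raised in review; nothing here is taken
# from a real rabbitmq image.
SAMPLE_ATTESTATION = json.dumps({
    "SPDX": {
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "sbom",
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "packages": [{"name": "rabbitmq-server", "versionInfo": "3.12.6"}],
    },
    "AdditionalSPDXs": [
        {
            "SPDXID": "SPDXRef-DOCUMENT",
            "name": "sbom-build-base",
            "spdxVersion": "SPDX-2.3",
            "documentNamespace": "https://docker.com/docker-scout/fs/sbom-build-base-00000000-0000-0000-0000-000000000001",
            "packages": [
                {"name": "musl", "versionInfo": "1.2.4-r2"},
                {"name": "gcc", "versionInfo": "12.2.1_git20220924-r10"},
            ],
        },
        {
            "SPDXID": "SPDXRef-DOCUMENT",
            "name": "sbom-erlang-builder",
            "spdxVersion": "SPDX-2.3",
            "documentNamespace": "https://docker.com/docker-scout/fs/sbom-erlang-builder-00000000-0000-0000-0000-000000000002",
            "packages": [
                {"name": "musl", "versionInfo": "1.2.4-r2"},
                {"name": "gcc", "versionInfo": "12.2.1_git20220924-r10"},
                {"name": "openssl", "versionInfo": "3.1.3"},
                {"name": "erlang", "versionInfo": "26.1.1"},
            ],
        },
    ],
})

# Stages the final image copies from, per the review discussion. This list is
# an assumption about the Dockerfile; it cannot be derived from the attestation.
EXPECTED_STAGES = ("openssl-builder", "erlang-builder")

_STAGE_NAME = re.compile(r"^sbom-(?P<stage>[A-Za-z0-9_.-]+)$")


def stage_documents(attestation_json: str) -> dict[str, dict]:
    """Return {stage name: SPDX document} for every AdditionalSPDXs entry.

    The stage name is recovered from the document `name` ("sbom-<stage>"),
    which is how the stage SBOMs are labelled in the PR description.
    """
    data = json.loads(attestation_json)
    docs: dict[str, dict] = {}
    for doc in data.get("AdditionalSPDXs") or []:
        match = _STAGE_NAME.match(doc.get("name", ""))
        if match is None or not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
            continue  # not a stage SBOM we understand; skip rather than guess
        docs[match.group("stage")] = doc
    return docs


def missing_stages(attestation_json: str, expected=EXPECTED_STAGES) -> list[str]:
    """Stages expected to carry BUILDKIT_SBOM_SCAN_STAGE=true but with no SPDX document."""
    present = stage_documents(attestation_json)
    return sorted(stage for stage in expected if stage not in present)


def duplicated_packages(attestation_json: str) -> dict[tuple[str, str], list[str]]:
    """(name, version) pairs that appear in more than one stage document.

    A package installed in a base stage is seen again in every stage built on
    top of it, so scanning both reports it once per stage. The result shows how
    much of that duplication a given choice of scanned stages produces.
    """
    seen: dict[tuple[str, str], list[str]] = {}
    for stage, doc in stage_documents(attestation_json).items():
        for pkg in doc.get("packages") or []:
            key = (pkg.get("name", ""), pkg.get("versionInfo", ""))
            seen.setdefault(key, []).append(stage)
    return {key: stages for key, stages in seen.items() if len(stages) > 1}


if __name__ == "__main__":
    print("stage SBOMs present:", sorted(stage_documents(SAMPLE_ATTESTATION)))
    print("expected but missing:", missing_stages(SAMPLE_ATTESTATION))
    for (name, version), stages in duplicated_packages(SAMPLE_ATTESTATION).items():
        print(f"{name} {version} scanned in: {', '.join(stages)}")
```

On the constructed sample the script reports `openssl-builder` as missing and `musl` and `gcc` as reported twice, which is the situation the two review comments above describe: the base stage adds only duplicates, while the stage the final image actually copies from is the one that must not be left out.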

@LaurentGoderre
Copy link
Member Author

Updated by moving the scanning to the openssl layer in Alpine

@LaurentGoderre LaurentGoderre changed the title Added attestation from intermediate multi-stage build steps Added attestation from intermediate multi-stage build steps and binaries built from source Sep 25, 2023
@LaurentGoderre LaurentGoderre changed the title Added attestation from intermediate multi-stage build steps and binaries built from source Added attestation from intermediate multi-stage build steps Sep 25, 2023
@whalelines whalelines left a comment

LGTM

@LaurentGoderre LaurentGoderre merged commit 1078026 into docker-library:master Oct 3, 2023
@LaurentGoderre LaurentGoderre deleted the more-sbom branch October 3, 2023 16:57
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Oct 3, 2023
Changes:

- docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Oct 3, 2023
Changes:

- docker-library/rabbitmq@b015404: Merge pull request docker-library/rabbitmq#669 from LaurentGoderre/more-sbom-2
- docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom
- docker-library/rabbitmq@fbcfd9a: Added licenses to attestation of binaries compiled from source
- docker-library/rabbitmq@215db22: fixup
- docker-library/rabbitmq@9f71069: Add attestations for binaries compiled from source
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Oct 4, 2023
Changes:

- docker-library/rabbitmq@b2387a8: Merge pull request docker-library/rabbitmq#670 from LaurentGoderre/remove-heredoc
- docker-library/rabbitmq@6e58700: Stop using HEREDOC for SBOM attestation because it breaks the DOI builds
- docker-library/rabbitmq@b015404: Merge pull request docker-library/rabbitmq#669 from LaurentGoderre/more-sbom-2
- docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom
- docker-library/rabbitmq@fbcfd9a: Added licenses to attestation of binaries compiled from source
- docker-library/rabbitmq@215db22: fixup
- docker-library/rabbitmq@9f71069: Add attestations for binaries compiled from source
4 participants