From ca065f9702e554fbd8e5db1c5efb94d3bfdc0b65 Mon Sep 17 00:00:00 2001 From: dtrai2 <95028228+dtrai2@users.noreply.github.com> Date: Tue, 17 Dec 2024 12:04:22 +0100 Subject: [PATCH] add SBOM to images (#730) * add SBOM to images * attach attestation using cosign * add container sbom verification to README.md * add sbom attestation to release pipeline * add trivy scan to release --- .github/workflows/ci.yml | 34 ++++++++------ .github/workflows/publish-release-to-pypi.yml | 38 +++++++++++++++- CHANGELOG.md | 3 +- README.md | 44 ++++++++++++++++++- 4 files changed, 102 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 081dd2008..d1acc1835 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -140,6 +140,27 @@ jobs:
           tags: |
             ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.7.0
+        with:
+          cosign-release: 'v2.4.1'
+
+      - name: Create SBOM of container image
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
+          artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
+          output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
+
+      - name: Sign image with a key and add sbom attestation
+        run: |
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
+          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+
       # To avoid the trivy-db becoming outdated, we save the cache for one day
       - name: Get date
         id: date
@@ -167,16 +188,3 @@ jobs:
       # So we need to change the permissions before caching the database.
       - name: Change permissions for trivy.db
         run: sudo chmod 0644 ./cache/db/trivy.db
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.7.0
-        with:
-          cosign-release: 'v2.4.1'
-
-      - name: Sign image with a key
-        run: |
-          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
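Review bot: The new `cosign attest` line in "Sign image with a key and add sbom attestation" passes the SPDX document without a `--type`, so cosign stores it under its default `custom` predicate type (the file wrapped as a string in `.predicate.Data`) instead of the standard SPDX predicate type; `cosign attest --yes --key env://COSIGN_PRIVATE_KEY --type spdxjson --predicate … ` would let consumers and policy engines select the SBOM with `--type spdxjson`, at the cost of adjusting the README's jq filter to read `.predicate` directly. Separately, the content of that predicate is produced by `anchore/sbom-action@v0`, a floating major tag that can be moved upstream, and it is then signed with the project key in the same job; for a workflow that emits signed attestations, pinning that action (and `sigstore/cosign-installer`) to a full commit SHA is worth the maintenance. The `steps:` list these entries belong to begins before the hunk.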
diff --git a/.github/workflows/publish-release-to-pypi.yml b/.github/workflows/publish-release-to-pypi.yml index 878408596..e5057661e 100644 --- a/.github/workflows/publish-release-to-pypi.yml +++ b/.github/workflows/publish-release-to-pypi.yml 
@@ -96,10 +96,46 @@ jobs:
         with:
           cosign-release: 'v2.4.1'
 
-      - name: Sign image with a key
+      - name: Create SBOM of container image
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
+          artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
+          output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
+
+      - name: Sign image with a key and add sbom attestation
         run: |
           cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
+          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
         env:
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
+
+      # To avoid the trivy-db becoming outdated, we save the cache for one day
+      - name: Get date
+        id: date
+        run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
+
+      - name: Restore trivy cache
+        uses: actions/cache@v4
+        with:
+          path: cache/db
+          key: trivy-cache-${{ steps.date.outputs.date }}
+          restore-keys:
+            trivy-cache-
+
+      - name: Scan image using Trivy
+        uses: aquasecurity/trivy-action@0.24.0
+        env:
+          TRIVY_CACHE_DIR: ./cache
+        with:
+          scan-type: image
+          image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
+          trivy-config: trivy.yaml
+
+      # Trivy-db uses `0600` permissions.
+      # But `action/cache` use `runner` user by default
+      # So we need to change the permissions before caching the database.
+      - name: Change permissions for trivy.db
+        run: sudo chmod 0644 ./cache/db/trivy.db
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 72ea1f9b2..903a26ea8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
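Review bot: The Trivy scan added to the release job runs after the image has already been pushed, signed and attested, and it references the image by mutable tag (`image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}`) while the SBOM and cosign steps pin `@${{ steps.build-and-push.outputs.digest }}`, so a failing scan neither blocks the signature nor is guaranteed to examine the bytes that were signed. Moving the three Trivy steps ahead of "Sign image with a key and add sbom attestation" and scanning `…-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}` makes the release signature depend on a clean scan of the exact digest. Whether the scan fails the job on findings depends on `trivy.yaml`, which is not in the diff; if it only reports, the release path should carry an explicit `exit-code` / severity threshold. If this workflow is triggered by a release or push event rather than pull_request, `github.head_ref` expands to an empty string in all of these tags. The build-and-push and cosign-installer steps these lines depend on start before the hunk.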
@@ -31,7 +31,8 @@ the list is now fixed inside the packaged logprep * remove `tldextract` dependency * remove `urlextract` dependency * fix wrong documentation for `timestamp_differ` -* add container signatures to image build inside ci pipeline +* add container signatures to images build in ci pipeline +* add sbom to images build in ci pipeline ### Bugfix diff --git a/README.md b/README.md index 67d9ae108..6d42602df 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,7 @@ allowing further applications besides log handling. - [Event Generation](https://logprep.readthedocs.io/en/latest/user_manual/execution.html#event-generation) - [Documentation](https://logprep.readthedocs.io/en/latest) - [Container signatures](https://github.com/fkie-cad/Logprep/blob/main/README.md#container-signatures) +- [Container SBOM](https://github.com/fkie-cad/Logprep/blob/main/README.md#container-sbom) - [Contributing](https://github.com/fkie-cad/Logprep/blob/main/CONTRIBUTING.md) - [License](https://github.com/fkie-cad/Logprep/blob/main/LICENSE) - [Changelog](https://github.com/fkie-cad/Logprep/blob/main/CHANGELOG.md) @@ -243,7 +244,8 @@ A HTML documentation can be then found in `doc/_build/html/index.html`. ## Container signatures -From release 15 on, Logprep containers are signed using the cosign tool. +From release 15 on, Logprep containers are signed using the +[cosign](https://github.com/sigstore/cosign) tool. To verify the container, you can copy the following public key into a file `logprep.pub`: 
@@ -257,5 +259,43 @@ kVtARE+LJfSFI25BanOG9jaxxRGVt+Sa1KtQbMcy7Glxu0s7XgD9VFGjTA==
 And use it to verify the signature:
 
 ```
-cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:3.11-latest
+cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:py3.11-latest
+```
+
+The output should look like:
+
+```
+Verification for ghcr.io/fkie-cad/logprep:py3.11-latest --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+
+[{"critical":{"identity":{"docker-reference":"ghcr.io/fkie-cad/logprep"}, ...
+```
+
+## Container SBOM
+
+From release 15 on, Logprep container images are shipped with a generated sbom.
+To verify the attestation and extract the SBOM use
+[cosign](https://github.com/sigstore/cosign) with:
+
+```
+cosign verify-attestation --key logprep.pub ghcr.io/fkie-cad/logprep:py3.11-latest | jq '.payload | @base64d | fromjson | .predicate | .Data | fromjson' > sbom.json
+```
+
+The output should look like:
+
+```
+Verification for ghcr.io/fkie-cad/logprep:py3.11-latest --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+```
+
+Finally, you can view the extracted sbom with:
+
+```
+cat sbom.json | jq
 ```