Create an "index SBOM" for multi-arch images #655
Labels
Comments
|
What should the "index" SBOM say is included? We already point to the base image(/index) we build on using the OCI annotations, is there something else we want to surface? If the index SBOM is just a collection of pointers to platform-specific SBOMs, we kind of already get that by virtue of the index being a collection of pointers to the images, which each themselves have SBOMs. (But I agree, let's defer to @puerco's expertise here 😄 ) |
|
This issue is stale because it has been open for 90 days with no |
|
Hopefully @puerco can provide an example of what we should be doing here. 🙏 |
|
@puerco DM'd me this, posting here so I don't lose it 🤩 {
"SPDXID": "SPDXRef-DOCUMENT",
"name": "sbom-sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
"spdxVersion": "",
"creationInfo": {
"created": "1970-01-01T00:00:00Z",
"creators": [
"Tool: apko (devel)",
"Organization: Chainguard, Inc"
],
"licenseListVersion": "3.16"
},
"dataLicense": "CC0-1.0",
"documentNamespace": "https://spdx.org/spdxdocs/apko/",
"documentDescribes": [
"sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
],
"packages": [
{
"SPDXID": "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
"name": "sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
"versionInfo": "",
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"description": "Multi-arch image index",
"downloadLocation": "",
"originator": "",
"sourceInfo": "Generated at build time by Chainguard apko",
"copyrightText": "NOASSERTION",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
}
]
}
],
"relationships": [
{
"spdxElementId": "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
"relationshipType": "VARIANT_OF",
"relatedSpdxElement": "386-image-sbom"
},
{
"spdxElementId": "sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
"relationshipType": "VARIANT_OF",
"relatedSpdxElement": "amd64-image-sbom"
}
],
"externalDocumentRefs": [
{
"checksum": {
"algorithm": "SHA256",
"checksumValue": "SBOMDIGEST_GOES_HERE"
},
"externalDocumentId": "386-image-sbom",
"spdxDocument": ""
},
{
"checksum": {
"algorithm": "SHA256",
"checksumValue": "SBOMDIGEST_GOES_HERE"
},
"externalDocumentId": "amd64-image-sbom",
"spdxDocument": ""
}
]
} |
|
I just finished the first iteration in apko to generate the index sboms following that proposal. Here is a full exampl and some notes:
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "sbom-sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
"spdxVersion": "SPDX-2.2",
"creationInfo": {
"created": "1970-01-01T00:00:00Z",
"creators": [
"Tool: apko (devel)",
"Organization: Chainguard, Inc"
],
"licenseListVersion": "3.16"
},
"dataLicense": "CC0-1.0",
"documentNamespace": "https://spdx.org/spdxdocs/apko/",
"documentDescribes": [
"SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
],
"packages": [
{
"SPDXID": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
"name": "172.19.0.1:5000/test-nosbom3@sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"description": "Multi-arch image index",
"sourceInfo": "Generated at image build time by apko",
"copyrightText": "NOASSERTION",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
}
],
"externalRefs": [
{
"referenceCategory": "PACKAGE_MANAGER",
"referenceLocator": "pkg:oci/172.19.0.1:5000%2Ftest-nosbom3?mediaType=application%2Fvnd.oci.image.index.v1+json\u0026tag=latest",
"referenceType": "purl"
}
]
}
],
"relationships": [
{
"spdxElementId": "DocumentRef-386-image-sbom:SPDXRef-Package-sha256-d0370905ad41c4eb2b1a56f3139fd6a9acfcef203c27e2a9e1655eab28351fd6",
"relationshipType": "VARIANT_OF",
"relatedSpdxElement": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
},
{
"spdxElementId": "DocumentRef-amd64-image-sbom:SPDXRef-Package-sha256-b09ddd04b47e07919402c15ea21bf839a95f6bf38ec0df1594c296425010cf1a",
"relationshipType": "VARIANT_OF",
"relatedSpdxElement": "SPDXRef-Package-sha256-af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58"
}
],
"externalDocumentRefs": [
{
"checksum": {
"algorithm": "SHA256",
"checksumValue": "89ddcc4bd6e2b110aef37f0ba7ae5a638bf8c221a9ba8b618bba908c10324d1c"
},
"externalDocumentId": "DocumentRef-386-image-sbom",
"spdxDocument": "https://172.19.0.1:5000/v2/test-nosbom3/blobs/sha256:89ddcc4bd6e2b110aef37f0ba7ae5a638bf8c221a9ba8b618bba908c10324d1c"
},
{
"checksum": {
"algorithm": "SHA256",
"checksumValue": "ff76954b0ade75e2b0c450696c73cc521ef94c94785d30c03c5d624217d2797c"
},
"externalDocumentId": "DocumentRef-amd64-image-sbom",
"spdxDocument": "https://172.19.0.1:5000/v2/test-nosbom3/blobs/sha256:ff76954b0ade75e2b0c450696c73cc521ef94c94785d30c03c5d624217d2797c"
}
]
} |
|
For the JSON migration, there are types here: https://github.com/kubernetes-sigs/bom/blob/main/pkg/spdx/json/v2.2.2/types.go |
mattmoor
added a commit
to mattmoor/ko
that referenced
this issue
Jul 1, 2022
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few adaptations. I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs. Related: ko-build#655
mattmoor
added a commit
to mattmoor/ko
that referenced
this issue
Jul 1, 2022
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few adaptations. I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs. Related: ko-build#655
mattmoor
added a commit
to mattmoor/ko
that referenced
this issue
Jul 1, 2022
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few adaptations. I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs. Related: ko-build#655
mattmoor
added a commit
to mattmoor/ko
that referenced
this issue
Jul 5, 2022
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few adaptations. I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs. Related: ko-build#655
mattmoor
added a commit
that referenced
this issue
Jul 5, 2022
|
Here's a reference for the CycloneDX side of things: chainguard-dev/apko#274 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, as associate SBOMs with each of the constituent images in a multi-arch image, but we do not associate an SBOM with the top-level "index" manifest.
I was talking to @puerco about this (as well as #654).
Like the manifest list itself, I believe this would be a relatively thin SBOM that somehow referenced the constituent SBOMs (maybe in the same way as the linked issue?), but I defer to @puerco as the expert on the best practices here.
The text was updated successfully, but these errors were encountered: