diff --git a/.test/meta-commands/out.sh b/.test/meta-commands/out.sh
index cf8cc9a..cf27779 100644
--- a/.test/meta-commands/out.sh
+++ b/.test/meta-commands/out.sh
@@ -53,6 +53,21 @@ jq '
' temp/index.json > temp/index.json.new
mv temp/index.json.new temp/index.json
#
+#
+docker create --name img oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43@sha256:0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401
+docker export img > img.tar
+mkdir img
+mkdir sbom
+tar -xf img.tar -C img/
+docker run \
+ -u root \
+ --mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
+ -v ./sbom:/out \
+ -e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
+ -e BUILDKIT_SCAN_DESTINATION=/out \
+ $BASHBREW_BUILDKIT_SBOM_GENERATOR
+jq '.subject |= [{"name":"pkg:docker/docker:24.0.7-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:24.0-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:24-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:24.0.7-cli-alpine3.18?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24.0.7-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24.0-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24.0.7-cli-alpine3.18?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}}]' sbom/sbom.spdx.json > sbom.json
+#
#
crane push temp 'oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43'
rm -rf temp
@@ -88,6 +103,21 @@ SOURCE_DATE_EPOCH=1700741054 \
--file 'Dockerfile' \
'https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/windows/windowsservercore-ltsc2022'
#
+#
+docker create --name img oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e@sha256:69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce
+docker export img > img.tar
+mkdir img
+mkdir sbom
+tar -xf img.tar -C img/
+docker run \
+ -u root \
+ --mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
+ -v ./sbom:/out \
+ -e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
+ -e BUILDKIT_SCAN_DESTINATION=/out \
+ $BASHBREW_BUILDKIT_SBOM_GENERATOR
+jq '.subject |= [{"name":"pkg:docker/docker:24.0.7-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24.0-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24.0.7-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24.0-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0.7-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0.7-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}}]' sbom/sbom.spdx.json > sbom.json
+#
#
docker push 'oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e'
#
@@ -174,6 +204,21 @@ done
jq -r --argjson sbomManifestDesc "$sbomManifestDesc" '.manifests += [ $sbomManifestDesc ]' temp/index.json > temp/index.json.new
mv temp/index.json.new temp/index.json
#
+#
+docker create --name img oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f@sha256:4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0
+docker export img > img.tar
+mkdir img
+mkdir sbom
+tar -xf img.tar -C img/
+docker run \
+ -u root \
+ --mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
+ -v ./sbom:/out \
+ -e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
+ -e BUILDKIT_SCAN_DESTINATION=/out \
+ $BASHBREW_BUILDKIT_SBOM_GENERATOR
+jq '.subject |= [{"name":"pkg:docker/busybox:1.36.1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1.36?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:stable?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:latest?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1.36.1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1.36-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:stable-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36.1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:stable?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:latest?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36.1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:stable-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}}]' sbom/sbom.spdx.json > sbom.json
+#
#
crane push --index temp 'oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f'
rm -rf temp
diff --git a/meta.jq b/meta.jq
index 947531e..a62cfd2 100644
--- a/meta.jq
+++ b/meta.jq
@@ -369,6 +369,61 @@ def build_command:
error("unknown/unimplemented Builder: \($builder)")
end
;
+
+def subjects($digest):
+ [
+ ($digest | split(":")) as $splitDigest
+ | (.source.arches[.build.arch].platformString) as $platform
+ | (
+ .source.arches[.build.arch].tags[],
+ .source.arches[.build.arch].archTags[],
+ .build.img,
+ empty # trailing comma
+ )
+ | {
+ # https://github.com/package-url/purl-spec/blob/b33dda1cf4515efa8eabbbe8e9b140950805f845/PURL-TYPES.rst#docker (this matches what BuildKit generates as of 2024-09-18; "oci" would also be a reasonable choice, but would require signer and policy changes to support, and be more complex to generate accurately)
+ name: "pkg:docker/\(.)?platform=\($platform | @uri)",
+ digest: { ($splitDigest[0]): $splitDigest[1] },
+ }
+ ]
+;
+
+# input: "build" object (with "buildId" top level key)
+def image_digest:
+ .build.resolved.manifests[0].digest
+;
+
+# input: "build" object (with "buildId" top level key)
+def image_ref:
+ "\(.build.img)@\(image_digest)"
+;
+
+# input: "build" object (with "buildId" top level key)
+# output: string "command for generating an SBOM from an OCI layout", may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
+def sbom_command:
+ [
+ "docker create --name img \(image_ref)",
+ "docker export img > img.tar",
+ "mkdir img",
+ "mkdir sbom",
+ "tar -xf img.tar -C img/",
+ (
+ [
+ "docker run",
+ "-u root",
+ "--mount type=bind,source=\"$(pwd)/img\",target=/run/src/core/sbom,readonly",
+ "-v ./sbom:/out",
+ "-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom",
+ "-e BUILDKIT_SCAN_DESTINATION=/out",
+ "$BASHBREW_BUILDKIT_SBOM_GENERATOR",
+ empty
+ ] | join(" \\\n\t")
+ ),
+ "jq '.subject |= \(subjects(image_digest))' sbom/sbom.spdx.json > sbom.json",
+ empty
+ ] | join("\n")
+;
+
# input: "build" object (with "buildId" top level key)
# output: string "push command" ("docker push ..."), may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
def push_command:
@@ -398,6 +453,7 @@ def commands:
{
pull: pull_command,
build: build_command,
+ sbom_scan: sbom_command,
push: push_command,
}
;
diff --git a/provenance.jq b/provenance.jq
index 3e419fc..8610349 100644
--- a/provenance.jq
+++ b/provenance.jq
@@ -1,3 +1,5 @@
+include "meta";
+
# input: "build" object with platform and image digest
# $github: "github" context; CONTAINS SENSITIVE INFORMATION (https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context)
# $runner: "runner" context; https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#runner-context
@@ -9,21 +11,7 @@ def github_actions_provenance($github; $runner; $digest):
if $github.event_name != "workflow_dispatch" then error("error: '\($github.event_name)' is not a supported event type for provenance generation") else
{
_type: "https://in-toto.io/Statement/v1",
- subject: [
- ($digest | split(":")) as $splitDigest
- | (.source.arches[.build.arch].platformString) as $platform
- | (
- .source.arches[.build.arch].tags[],
- .source.arches[.build.arch].archTags[],
- .build.img,
- empty # trailing comma
- )
- | {
- # https://github.com/package-url/purl-spec/blob/b33dda1cf4515efa8eabbbe8e9b140950805f845/PURL-TYPES.rst#docker (this matches what BuildKit generates as of 2024-09-18; "oci" would also be a reasonable choice, but would require signer and policy changes to support, and be more complex to generate accurately)
- name: "pkg:docker/\(.)?platform=\($platform | @uri)",
- digest: { ($splitDigest[0]): $splitDigest[1] },
- }
- ],
+ subject: subjects($digest),
predicateType: "https://slsa.dev/provenance/v1",
predicate: {
buildDefinition: {