Add sbom scanning command #89

Draft
wants to merge 1 commit into
base: main
45 changes: 45 additions & 0 deletions .test/meta-commands/out.sh
Expand Up @@ -53,6 +53,21 @@ jq '
' temp/index.json > temp/index.json.new
mv temp/index.json.new temp/index.json
# </build>
# <sbom_scan>
docker create --name img oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43@sha256:0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401
docker export img > img.tar
mkdir img
mkdir sbom
tar -xf img.tar -C img/
docker run \
-u root \
--mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
-v ./sbom:/out \
-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
-e BUILDKIT_SCAN_DESTINATION=/out \
$BASHBREW_BUILDKIT_SBOM_GENERATOR
jq '.subject |= [{"name":"pkg:docker/docker:24.0.7-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:24.0-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:24-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:24.0.7-cli-alpine3.18?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24.0.7-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24.0-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24.0.7-cli-alpine3.18?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}}]' sbom/sbom.spdx.json > sbom.json
# </sbom_scan>
# <push>
crane push temp 'oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43'
rm -rf temp
Expand Down Expand Up @@ -88,6 +103,21 @@ SOURCE_DATE_EPOCH=1700741054 \
--file 'Dockerfile' \
'https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/windows/windowsservercore-ltsc2022'
# </build>
# <sbom_scan>
docker create --name img oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e@sha256:69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce
docker export img > img.tar
mkdir img
mkdir sbom
tar -xf img.tar -C img/
docker run \
-u root \
--mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
-v ./sbom:/out \
-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
-e BUILDKIT_SCAN_DESTINATION=/out \
$BASHBREW_BUILDKIT_SBOM_GENERATOR
jq '.subject |= [{"name":"pkg:docker/docker:24.0.7-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24.0-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24.0.7-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24.0-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0.7-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{
"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0.7-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}}]' sbom/sbom.spdx.json > sbom.json
# </sbom_scan>
# <push>
docker push 'oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e'
# </push>
Expand Down Expand Up @@ -174,6 +204,21 @@ done
jq -r --argjson sbomManifestDesc "$sbomManifestDesc" '.manifests += [ $sbomManifestDesc ]' temp/index.json > temp/index.json.new
mv temp/index.json.new temp/index.json
# </build>
# <sbom_scan>
docker create --name img oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f@sha256:4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0
docker export img > img.tar
mkdir img
mkdir sbom
tar -xf img.tar -C img/
docker run \
-u root \
--mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
-v ./sbom:/out \
-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
-e BUILDKIT_SCAN_DESTINATION=/out \
$BASHBREW_BUILDKIT_SBOM_GENERATOR
jq '.subject |= [{"name":"pkg:docker/busybox:1.36.1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1.36?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:stable?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:latest?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1.36.1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1.36-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:stable-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36.1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:stable?platform=li
nux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:latest?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36.1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:stable-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}}]' sbom/sbom.spdx.json > sbom.json
# </sbom_scan>
# <push>
crane push --index temp 'oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f'
rm -rf temp
56 changes: 56 additions & 0 deletions meta.jq
Expand Up @@ -369,6 +369,61 @@ def build_command:
error("unknown/unimplemented Builder: \($builder)")
end
;

def subjects($digest):
[
($digest | split(":")) as $splitDigest
| (.source.arches[.build.arch].platformString) as $platform
| (
.source.arches[.build.arch].tags[],
.source.arches[.build.arch].archTags[],
.build.img,
empty # trailing comma
)
| {
# https://github.com/package-url/purl-spec/blob/b33dda1cf4515efa8eabbbe8e9b140950805f845/PURL-TYPES.rst#docker (this matches what BuildKit generates as of 2024-09-18; "oci" would also be a reasonable choice, but would require signer and policy changes to support, and be more complex to generate accurately)
name: "pkg:docker/\(.)?platform=\($platform | @uri)",
digest: { ($splitDigest[0]): $splitDigest[1] },
}
]
;

# input: "build" object (with "buildId" top level key)
def image_digest:
.build.resolved.manifests[0].digest
;

# input: "build" object (with "buildId" top level key)
def image_ref:
"\(.build.img)@\(image_digest)"
;

# input: "build" object (with "buildId" top level key)
# output: string "command for generating an SBOM from an OCI layout", may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
def sbom_command:
[
"docker create --name img \(image_ref)",
"docker export img > img.tar",
"mkdir img",
"mkdir sbom",
"tar -xf img.tar -C img/",
(
[
"docker run",
"-u root",
"--mount type=bind,source=\"$(pwd)/img\",target=/run/src/core/sbom,readonly",
"-v ./sbom:/out",
"-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom",
"-e BUILDKIT_SCAN_DESTINATION=/out",
"$BASHBREW_BUILDKIT_SBOM_GENERATOR",
empty
] | join(" \\\n\t")
),
"jq '.subject |= \(subjects(image_digest))' sbom/sbom.spdx.json > sbom.json",
empty
] | join("\n")
;

# input: "build" object (with "buildId" top level key)
# output: string "push command" ("docker push ..."), may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
def push_command:
Expand Down Expand Up @@ -398,6 +453,7 @@ def commands:
{
pull: pull_command,
build: build_command,
sbom_scan: sbom_command,
push: push_command,
}
;
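Review bot: In `sbom_command`, `image_ref` on the `docker create` line and the `subjects(image_digest)` JSON on the `jq '.subject |= ...'` line are interpolated into the generated shell command without shell quoting, whereas `push_command` quotes the image reference (the `crane push ... 'oisupport/...'` lines in out.sh); a tag or image name containing a single quote or shell metacharacter would break out of the `'...'` literal, and passing both through `@sh` keeps the command well-formed: `"docker create --name img \(image_ref | @sh)"` and `"jq \(".subject |= \(subjects(image_digest))" | @sh) sbom/sbom.spdx.json > sbom.json"`. The command also never removes the fixed-name `img` container, `img.tar`, or the `img`/`sbom` directories it creates, so a second run on the same daemon or working directory fails at `docker create --name img` or `mkdir img` under `set -e`; a `docker rm img` after the export plus cleanup of the scratch paths, as `push_command` does with `rm -rf temp`, would address that. `subjects($digest)` is the only new def without the `# input:` header comment its neighbours carry; `# input: "build" object (with "buildId" top level key); $digest: "algo:hex" image digest; output: in-toto subject array (one purl per tag/archTag plus .build.img)` would match the file's style. `image_digest` reads `.build.resolved.manifests[0].digest`; if `resolved` can hold a multi-entry index this silently picks the first manifest, which is worth stating in a comment if that is intended.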
18 changes: 3 additions & 15 deletions provenance.jq
@@ -1,3 +1,5 @@
include "meta";

# input: "build" object with platform and image digest
# $github: "github" context; CONTAINS SENSITIVE INFORMATION (https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context)
# $runner: "runner" context; https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#runner-context
Expand All @@ -9,21 +11,7 @@ def github_actions_provenance($github; $runner; $digest):
if $github.event_name != "workflow_dispatch" then error("error: '\($github.event_name)' is not a supported event type for provenance generation") else
{
_type: "https://in-toto.io/Statement/v1",
subject: [
($digest | split(":")) as $splitDigest
| (.source.arches[.build.arch].platformString) as $platform
| (
.source.arches[.build.arch].tags[],
.source.arches[.build.arch].archTags[],
.build.img,
empty # trailing comma
)
| {
# https://github.com/package-url/purl-spec/blob/b33dda1cf4515efa8eabbbe8e9b140950805f845/PURL-TYPES.rst#docker (this matches what BuildKit generates as of 2024-09-18; "oci" would also be a reasonable choice, but would require signer and policy changes to support, and be more complex to generate accurately)
name: "pkg:docker/\(.)?platform=\($platform | @uri)",
digest: { ($splitDigest[0]): $splitDigest[1] },
}
],
subject: subjects($digest),
predicateType: "https://slsa.dev/provenance/v1",
predicate: {
buildDefinition: {