
generate SBOMs in both SPDX and Cyclone DX formats for container images and attach them by using cosign attach

Open developer-guy opened this issue 4 years ago • 13 comments

We (w/@dentrax) thought that Syft is a popular tool that allows us to generate SBOMs easily and quickly. Even the GoReleaser project uses syft under the hood to generate an SBOM. We have recently added cosign support to sign and verify container images while building/pushing and pulling in nerdctl. Also, cosign has an SBOM spec defined to let people attach SBOM files (both SPDX and Cyclone DX formats) to container images by using the cosign attach command.

So, let's add that support to the nerdctl CLI too. We can generate an SBOM file while pushing the container image, then attach the SBOM file to it.

WDYT?

cc: @dlorenc @AkihiroSuda @luhring @wagoodman

developer-guy avatar Jan 05 '22 16:01 developer-guy

What will the CLI look like?

AkihiroSuda avatar Jan 05 '22 16:01 AkihiroSuda

IMHO, an --sbom flag should cover all the things and can accept both spdx and cyclonedx as a value. So, the command will look like the following:

$ nerdctl image push -t <foo> --sbom <spdx|cyclonedx> .

~~AFAIK, Syft can only generate an SBOM file in SPDX format, so we can use another tool, cyclonedx-go, to generate an SBOM file in Cyclone DX format.~~

Syft can generate an SBOM file for both formats.

developer-guy avatar Jan 05 '22 17:01 developer-guy

We don't have to use syft as an executable. I've recently asked @wagoodman to give us an example of how to use syft as a Go module; thanks to him, he created a gist for it.

👉 https://gist.github.com/wagoodman/57ed59a6d57600c23913071b8470175b

developer-guy avatar Feb 09 '22 10:02 developer-guy

kindly ping @AkihiroSuda @Dentrax

developer-guy avatar May 19 '22 10:05 developer-guy

Probably the CLI and the output format should be compatible with https://github.com/docker/sbom-cli-plugin

AkihiroSuda avatar May 19 '22 10:05 AkihiroSuda

It will be, because they also use Syft under the hood.

developer-guy avatar May 19 '22 10:05 developer-guy

There are two ways of developing this feature. The first is executing the Syft binary, as we did while implementing the signing feature by executing the cosign binary. The second depends on the Syft packages by adding them to the go.mod file. The Syft binary is about 60 MB in size, btw.

developer-guy avatar May 24 '22 19:05 developer-guy

Kindly ping @AkihiroSuda

developer-guy avatar Jun 06 '22 19:06 developer-guy

Executing a separate syft binary is preferable.

AkihiroSuda avatar Jun 07 '22 00:06 AkihiroSuda

If we maintain a separate syft executable internally, I think it would be better to start the related flags with a --syft- prefix.

$ nerdctl image push -t <IMAGE> --sbom-format <SPDX|CYCLONEDX> --sbom-attach --sbom-output /path/to/file

Users may want to either attach the SBOM directly upstream or export it to local disk. All flags are optional.

Cross ref: https://github.com/anchore/syft/issues/592

cc @developer-guy @luhring

Dentrax avatar Jun 13 '22 20:06 Dentrax
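The flag layout proposed above, sketched as Go that shells out to separate syft and cosign binaries (the approach preferred earlier in the thread). This is an added example, not nerdctl code; the syft `packages ... -o <format> --file <path>` arguments and the `cosign attach sbom --type` flag are assumptions about those CLIs, and the flag names are the ones proposed in this thread.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// SBOMOptions mirrors the flags proposed in the thread:
// --sbom-format, --sbom-attach and --sbom-output.
type SBOMOptions struct {
	Format string // "spdx" or "cyclonedx"
	Attach bool   // upload the SBOM next to the image with cosign
	Output string // optional path to keep the SBOM on local disk
}

// syftOutput maps the user-facing names to syft -o values (assumed syft format names).
var syftOutput = map[string]string{"spdx": "spdx-json", "cyclonedx": "cyclonedx-json"}

// PlanSBOM validates the flags and builds the argv for the separate syft binary and,
// when --sbom-attach is set, for `cosign attach sbom`. It executes nothing itself.
func PlanSBOM(image string, o SBOMOptions) (syftArgs, cosignArgs []string, err error) {
	out, ok := syftOutput[o.Format]
	if !ok {
		return nil, nil, fmt.Errorf("unsupported --sbom-format %q (want spdx or cyclonedx)", o.Format)
	}
	if !o.Attach && o.Output == "" {
		return nil, nil, fmt.Errorf("--sbom-attach or --sbom-output is required with --sbom-format")
	}
	path := o.Output
	if path == "" { // nothing wanted on disk: stage the file only for attaching
		path = filepath.Join(os.TempDir(), "nerdctl-sbom.json")
	}
	syftArgs = []string{"syft", "packages", image, "-o", out, "--file", path}
	if o.Attach { // --type records which SBOM format the registry artifact carries
		cosignArgs = []string{"cosign", "attach", "sbom", "--type", o.Format, "--sbom", path, image}
	}
	return syftArgs, cosignArgs, nil
}

// Run executes one planned argv, failing early when the binary is not in PATH.
func Run(argv []string) error {
	if _, err := exec.LookPath(argv[0]); err != nil {
		return fmt.Errorf("%s not found in PATH: %w", argv[0], err)
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}
```

Running the syft plan first and the cosign plan second gives the "generate while pushing, then attach" flow from the issue description, and the validation step rejects the flag combination that would generate an SBOM nobody keeps.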

Syft is also capable of attaching an SBOM result in the form of in-toto attestations with its new command called attest, and this command also signs the SBOM result and then uploads it to the transparency log. We might also prefer to support this behavior.

developer-guy avatar Jun 13 '22 20:06 developer-guy

kindly ping sir @AkihiroSuda

developer-guy avatar Aug 28 '22 09:08 developer-guy

> kindly ping sir @AkihiroSuda

https://github.com/containerd/nerdctl/issues/669#issuecomment-1131525143
https://github.com/containerd/nerdctl/issues/669#issuecomment-1148069599

AkihiroSuda avatar Sep 03 '22 18:09 AkihiroSuda

Looks like there's been some progress in this aspect with pluggable SBOM generators: https://github.com/docker/buildkit-syft-scanner/tree/master. Docker CLI relies on a flag to attach the SBOM. I think making the image customizable would allow nerdctl to help with forward compatibility, as I'm sure there'll be other adapters in the future. Similarly, we can have SLSA provenance enabled (maybe even by default with mode=min?). More than happy to contribute to this :)

RealHarshThakur avatar Sep 07 '23 13:09 RealHarshThakur

> Looks like there's been some progress in this aspect with pluggable SBOM generators: https://github.com/docker/buildkit-syft-scanner/tree/master. Docker CLI relies on a flag to attach the SBOM. I think making the image customizable would allow nerdctl to help with forward compatibility, as I'm sure there'll be other adapters in the future. Similarly, we can have SLSA provenance enabled (maybe even by default with mode=min?). More than happy to contribute to this :)

:+1: What will the CLI look like?

AkihiroSuda avatar Sep 07 '23 13:09 AkihiroSuda

The current docker command is this, so a flag: build --sbom=true. I think we can remain docker-like in that aspect and have an environment variable that determines which SBOM generator plugin image users would like to use to generate SBOMs, defaulting to the one Docker uses for now.

RealHarshThakur avatar Sep 07 '23 13:09 RealHarshThakur

> The current docker command is this, so a flag: build --sbom=true. I think we can remain docker-like in that aspect and have an environment variable that determines which SBOM generator plugin image users would like to use to generate SBOMs, defaulting to the one Docker uses for now.

SGTM

AkihiroSuda avatar Sep 07 '23 13:09 AkihiroSuda