
New SBOM generation process #487

Merged
merged 2 commits into from
Jul 25, 2023

Conversation

flavio (Member) commented Jul 25, 2023

Use syft to produce a bill of materials of the container image contents and the application itself.

Ensure each architecture-specific build has its own SBOM, signed and attached to the specific image.

Also, attach to the GH release the SBOM of each container image being built.

GH actions

A preview of the results produced by this new approach can be found here:

  • Push against main: GH run. The run now has an sbom artifact, which contains the spdx files and all their signatures
  • New tag:
    • GH run. The run failed because it couldn't perform the last release step: triggering the update of helm charts; this is fine, since the tag happened inside of a fork
    • GH release. We now have assets for both the arm64 and amd64 builds

Container images

Prior to this commit the SBOM was only generated for the x86_64 platform and was attached to the multi-architecture container image index manifest.

Prior to this change the SBOM was attached to the image index manifest:

cosign download sbom --output-file sbom.spdx ghcr.io/kubewarden/kubewarden-controller:v1.6.0
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Found SBOM of media type: text/spdx

After this PR the SBOM is no longer attached to the image index:

WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.

This multiarch image does not have an SBOM attached at the index level.
Try using --platform with one of the following architectures:
linux/amd64, linux/arm64, unknown/unknown, unknown/unknown

Error: no SBOM found attached to image index
main.go:74: error during command execution: no SBOM found attached to image index

Instead, they are attached to the actual container images.

This is the amd64 SBOM:

cosign download sbom --output-file amd64-sbom.spdx ghcr.io/flavio/kubewarden-controller@$(crane digest --platform linux/amd64 ghcr.io/flavio/kubewarden-controller:v1.7.1)
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Found SBOM of media type: text/spdx

While this one is the arm64 one:

cosign download sbom --output-file arm64-sbom.spdx ghcr.io/flavio/kubewarden-controller@$(crane digest --platform linux/arm64 ghcr.io/flavio/kubewarden-controller:v1.7.1)
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Found SBOM of media type: text/spdx
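Added example, not code from this PR: a POSIX shell script that does what the cosign warning above asks for. It verifies the signature on each per-architecture SBOM attachment before downloading it (resolving the platform digest with crane, as the commands above do), and verifies a release asset against the .spdx.cert and .spdx.sig files attached to the GH release. It assumes cosign v2 and crane on PATH and keyless GitHub Actions signing; IMAGE, PLATFORMS, CERT_IDENTITY_RE and OIDC_ISSUER are placeholders, not the project's values.

```shell
# Added example, not part of the PR. Checks the cosign signature on each
# per-architecture SBOM attachment before downloading it, and checks release
# assets against their .cert/.sig companions. Assumes cosign v2 and crane on
# PATH, keyless GH Actions signing; the variables below are placeholders.
set -eu
PLATFORMS="${PLATFORMS:-linux/amd64 linux/arm64}"
CERT_IDENTITY_RE="${CERT_IDENTITY_RE:-^https://github.com/ORG/REPO/}"
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"

# "repo[:tag][@digest]" + platform digest -> "repo@digest": the SBOM must be
# fetched from the exact image that was built and signed, not from the index.
pinned_ref() {
  local image="$1" digest="$2" path last base
  path="${image%%@*}"     # drop an existing @sha256:... suffix
  last="${path##*/}"      # last path component, which may carry :tag
  base="${path%/*}"       # registry/namespace (a registry port lives here)
  last="${last%%:*}"      # drop :tag from the last component only
  [ "$base" = "$path" ] && base=""   # bare repository name, no slash at all
  printf '%s%s@%s\n' "${base:+$base/}" "$last" "$digest"
}

# Release asset name for one platform, matching the files this PR attaches
# to the GH release (e.g. kubewarden-controller-sbom-arm64.spdx).
sbom_asset_name() {
  local name="${1##*/}"; name="${name%%@*}"; name="${name%%:*}"
  printf '%s-sbom-%s.spdx\n' "$name" "${2##*/}"
}

# Verify the signature on one platform image's SBOM attachment, then download
# it; an unverified download proves nothing, as the cosign warning says.
verify_platform_sbom() {
  local image="$1" platform="$2" out="$3" digest ref
  digest=$(crane digest --platform "$platform" "$image")
  ref=$(pinned_ref "$image" "$digest")
  cosign verify --attachment sbom \
    --certificate-identity-regexp "$CERT_IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" "$ref" >/dev/null
  cosign download sbom --output-file "$out" "$ref"
}

# Verify a downloaded release asset (foo.spdx) against foo.spdx.cert/.sig.
verify_release_asset() {
  cosign verify-blob --certificate "$1.cert" --signature "$1.sig" \
    --certificate-identity-regexp "$CERT_IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" "$1"
}

if [ -n "${IMAGE:-}" ]; then   # network steps run only when IMAGE is set
  for p in $PLATFORMS; do
    verify_platform_sbom "$IMAGE" "$p" "$(sbom_asset_name "$IMAGE" "$p")"
  done
fi
```

Run as `IMAGE=ghcr.io/ORG/REPO:TAG sh verify-sbom.sh` after setting the identity placeholders; the pinned digest, not the tag, is what gets verified and downloaded.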

Use syft to produce a bill of materials of the container image and the
application itself.

Ensure each architecture-specific build has its own SBOM, signed and
attached to the specific image.

Also, attach to the GH release the SBOM of each container image being
built.

Prior to this commit the SBOM was only generated for the x86_64 platform
and was attached to the multi-architecture container image index
manifest.

Signed-off-by: Flavio Castelli <[email protected]>
@flavio flavio requested a review from a team as a code owner July 25, 2023 10:12
@flavio flavio requested a review from viccuad July 25, 2023 10:13
flavio (Member Author) commented Jul 25, 2023

@viccuad iterating over the controller was faster than doing that against policy-server. Once merged I'll propagate these changes made to the GH workflows to the new build proposal I created against the policy-server repo

.github/workflows/sbom.yml (outdated, resolved)

viccuad (Member) left a comment


Looks good, I like it! Quite an improvement!

'kubewarden-controller-sbom-arm64.spdx',
'kubewarden-controller-sbom-arm64.spdx.cert',
'kubewarden-controller-sbom-arm64.spdx.sig',
"CRDS.tar.gz"]
viccuad (Member) commented:

(opening thread here randomly)

Unrelated to this PR, but,
What happens if the release fails on triggering the helm-charts repo?
We can retrigger the job, without rebuilding and overwriting the release, correct?
I wouldn't like to release something and later overwrite the same release version with different artifacts.

flavio (Member Author) commented:

We could try to rerun only the failed job, that's an option. Otherwise I fear we will have to either manually create the PR that updates the helm chart or tag a new patch release

viccuad (Member) commented:

I'm happy just re-triggering the job that is in your fork as it is, to see what happens.

Signed-off-by: Flavio Castelli <[email protected]>
flavio (Member Author) commented Jul 25, 2023

@viccuad please take a look at the last commit I just pushed. It addresses your feedback, plus it brings back image signing

viccuad (Member) left a comment

LGTM, thanks for the changes!

@flavio flavio merged commit e6196ff into kubewarden:main Jul 25, 2023
7 checks passed
@flavio flavio deleted the new-sbom-generation-process branch July 25, 2023 14:33