Fix image structure in apko SBOMs #251
Merged
This commit moves the construction of packages describing layers and apks to their own functions. This allows them to be reused. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
We now really use the option WantSBOM Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
In order to reuse it, we now make the tarball name deterministic to ensure we can always know it, even if we lose it. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit adds a new function to the OCI package: PostAttachSBOM. This function will now attach an SBOM to an already published image. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
The options package now handles the definition and creation of the temporary directory. This commit switches the tarball creation paths to use the new directories handled by the options object. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
We now generate the individual image SBOMs after the push. We do this to know the digest of the individual images, which is needed for the SBOMs. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit renames the ImageInfo.Digest sbom option to ImageInfo.LayerDigest which is more descriptive and less ambiguous. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Add a new options field named ImageDigest to pass the image digest all the way down to the sbom generators. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit fixes the image SBOMs. When generating a full image (i.e. through apko publish), apko will now wrap the layer in a new package describing the image. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit modifies the way we name the apko layer package to name it as the layer reference in line with best practices. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit fixes a panic when writing the apko build SBOMs where nothing was being built and ggcr would panic with a nil layer object. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit fixes the image SBOM in CycloneDX to generate the correct component-in-component structure. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
After fixing the signature of functions that generate the layers and images, we now route the sbom paths correctly to scratch in the same temporary directory. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
kaniini suggested changes (Jun 29, 2022)
The loops for building one and multiple images are not divergent enough to warrant a block of their own. This commit removes the switch to simplify the publish cli. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
kaniini previously approved these changes (Jun 29, 2022)
puerco dismissed kaniini's stale review (June 29, 2022 20:34): Dismiss this review to try to retrigger CI
This commit adds a new --sbom flag to apko publish and wires it to the options.WantSBOM field which is now working and was previously ignored. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
kaniini approved these changes (Jun 29, 2022)
GH UI seems to be acting up. Here's the mink e2e successful run: https://github.com/chainguard-dev/apko/runs/7120080211?check_suite_focus=true
This PR implements proper image structure in the individual apko images. Both CycloneDX and SPDX have been updated to capture the structure of the images. The biggest change is when running apko publish: it is a big refactor, as the SBOM generation is now done after publishing the images and the SBOM is now attached at the end of the publish function.
Easiest to visualize it by looking at the sboms. This is before the change:
This is after the change:
There are other minor changes; each commit captures the changes as atomically as I could.
Fixes #225
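Since the before/after SBOM screenshots did not survive extraction, the following is an added, self-contained Go example (not apko's code, and not its SBOM types) that models the structural change the PR describes in SPDX terms: before, the document DESCRIBES the layer package directly; after, an image package identified by the post-push image digest CONTAINS the layer package (named after its layer reference), which in turn CONTAINS the apks. Type names, the DescribedPackage helper, the apk list and the digests are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Package is a minimal SPDX-style package record; only the fields needed to
// show image/layer/apk nesting are modelled (illustrative, not apko's types).
type Package struct {
	SPDXID   string `json:"SPDXID"`
	Name     string `json:"name"`
	Version  string `json:"versionInfo,omitempty"`
	Checksum string `json:"checksum,omitempty"` // sha256 hex digest of image or layer
}

// Relationship links two SPDX elements (DESCRIBES or CONTAINS).
type Relationship struct {
	Element string `json:"spdxElementId"`
	Type    string `json:"relationshipType"`
	Related string `json:"relatedSpdxElement"`
}

// Document carries the parts of an SPDX document that express structure.
type Document struct {
	Name          string         `json:"name"`
	Packages      []Package      `json:"packages"`
	Relationships []Relationship `json:"relationships"`
}

// APK is one installed apk package.
type APK struct{ Name, Version string }

func spdxID(s string) string {
	return "SPDXRef-" + strings.NewReplacer(":", "-", "/", "-", "@", "-").Replace(s)
}

// layerPackage names the layer package after the layer reference (its digest)
// and returns it with CONTAINS relationships to every apk installed in it.
func layerPackage(layerDigest string, apks []APK) (Package, []Package, []Relationship) {
	layer := Package{SPDXID: spdxID("layer-" + layerDigest), Name: "sha256:" + layerDigest, Checksum: layerDigest}
	var pkgs []Package
	var rels []Relationship
	for _, a := range apks {
		p := Package{SPDXID: spdxID("apk-" + a.Name), Name: a.Name, Version: a.Version}
		pkgs = append(pkgs, p)
		rels = append(rels, Relationship{Element: layer.SPDXID, Type: "CONTAINS", Related: p.SPDXID})
	}
	return layer, pkgs, rels
}

// LayerOnlySBOM is the pre-change shape: the document describes the layer
// itself, and nothing records which published image the layer belongs to.
func LayerOnlySBOM(layerDigest string, apks []APK) Document {
	layer, apkPkgs, rels := layerPackage(layerDigest, apks)
	doc := Document{Name: "apko-layer-sbom"}
	doc.Packages = append([]Package{layer}, apkPkgs...)
	doc.Relationships = append([]Relationship{{Element: "SPDXRef-DOCUMENT", Type: "DESCRIBES", Related: layer.SPDXID}}, rels...)
	return doc
}

// ImageSBOM is the post-change shape: an image package, identified by the
// digest the registry returned after the push, wraps the layer package. This
// can only be produced after publishing, because the image digest is unknown
// before then.
func ImageSBOM(imageRef, imageDigest, layerDigest string, apks []APK) Document {
	layer, apkPkgs, rels := layerPackage(layerDigest, apks)
	image := Package{SPDXID: spdxID("image-" + imageDigest), Name: imageRef + "@sha256:" + imageDigest, Checksum: imageDigest}
	doc := Document{Name: "apko-image-sbom"}
	doc.Packages = append([]Package{image, layer}, apkPkgs...)
	doc.Relationships = append([]Relationship{
		{Element: "SPDXRef-DOCUMENT", Type: "DESCRIBES", Related: image.SPDXID},
		{Element: image.SPDXID, Type: "CONTAINS", Related: layer.SPDXID},
	}, rels...)
	return doc
}

// DescribedPackage returns the name of the package the document DESCRIBES,
// which is what a scanner or policy engine treats as the SBOM's subject.
func DescribedPackage(doc Document) string {
	for _, r := range doc.Relationships {
		if r.Type != "DESCRIBES" {
			continue
		}
		for _, p := range doc.Packages {
			if p.SPDXID == r.Related {
				return p.Name
			}
		}
	}
	return ""
}

// Contains reports whether the document has a CONTAINS edge from parent to child.
func Contains(doc Document, parent, child string) bool {
	for _, r := range doc.Relationships {
		if r.Type == "CONTAINS" && r.Element == parent && r.Related == child {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample input: two apks and made-up digests, not real apko output.
	apks := []APK{{"alpine-baselayout", "3.2.0-r22"}, {"busybox", "1.35.0-r17"}}
	layerDigest, imageDigest := strings.Repeat("ab", 32), strings.Repeat("cd", 32)
	for _, d := range []Document{LayerOnlySBOM(layerDigest, apks), ImageSBOM("ghcr.io/example/apko-demo", imageDigest, layerDigest, apks)} {
		out, _ := json.MarshalIndent(d, "", "  ")
		fmt.Println(string(out))
	}
}
```

Running it prints the two documents side by side: in the first, the subject is the bare layer digest; in the second, the subject is the image reference with its digest, and the layer appears one level down, which is what lets a consumer tie the SBOM back to the exact artifact that was pushed.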