Conversation

@javirln javirln commented Dec 12, 2024

This patch makes changes so that, when adding an SBOM_CYCLONEDX_JSON material type, the CLI extracts the main component the SBOM is related to and exposes it at the attestation level by using an annotation.

If the SBOM being inspected is related to an OCI image, it standardizes the repository name; if not, it just adds the main component name as it is.

Example of attestation:

```json
"materials": [
  {
    "annotations": {
      "chainloop.material.cas.inline": true,
      "chainloop.material.name": "material-1734016181713664000",
      "chainloop.material.sbom.main_component.name": "index.docker.io/bitnami/wordpress",
      "chainloop.material.sbom.main_component.type": "container",
      "chainloop.material.sbom.main_component.version": "6.7.1-debian-12-r5",
      "chainloop.material.type": "SBOM_CYCLONEDX_JSON"
    },
    "digest": {
      "sha256": "25025ad29584ea25ccdedb4fbed2e2eabfb2398f4e1773819451c5a39d0f8cb1"
    },
    "name": "o.json"
  }
],
```

As we can see, we have detected that the above SBOM is related to an OCI image, bitnami/wordpress.

Closes #1311

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
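An added Go sketch of the extraction this PR describes (example code written for this page, not chainloop's implementation): it reads metadata.component from a CycloneDX document, standardizes the repository name when the component is a container image, and returns the three main_component annotations shown in the excerpt above. The cycloneDX struct, normalizeOCIRepo, mainComponentAnnotations and the sampleSBOM document are constructed here, and the Docker Hub normalization rules are assumptions rather than the project's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// cycloneDX: the CycloneDX subset needed; metadata.component is the SBOM's subject (json key matching is case-insensitive).
type cycloneDX struct {
	Metadata struct {
		Component struct{ Type, Name, Version string }
	}
}

// sampleSBOM is a constructed minimal CycloneDX document for a container image, not a real artifact.
const sampleSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"component":{"type":"container","name":"bitnami/wordpress:6.7.1-debian-12-r5","version":"6.7.1-debian-12-r5"}}}`

// normalizeOCIRepo drops a trailing tag and fully qualifies Docker Hub short names (assumed rules, not chainloop's own).
func normalizeOCIRepo(ref string) string {
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i] // a ':' after the last '/' starts the tag
	}
	host := strings.SplitN(ref, "/", 2)[0]
	if strings.ContainsAny(host, ".:") || host == "localhost" {
		return ref // an explicit registry host is already present
	}
	if !strings.Contains(ref, "/") {
		ref = "library/" + ref // official images live under library/
	}
	return "index.docker.io/" + ref
}

// mainComponentAnnotations builds the three annotations shown in the attestation excerpt.
func mainComponentAnnotations(sbom []byte) (map[string]string, error) {
	var doc cycloneDX
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, err
	}
	c := doc.Metadata.Component
	if c.Name == "" { // fail closed rather than attest an empty main component
		return nil, fmt.Errorf("sbom has no metadata.component")
	}
	const p = "chainloop.material.sbom.main_component."
	ann := map[string]string{p + "name": c.Name, p + "type": c.Type, p + "version": c.Version}
	if c.Type == "container" { // SBOM of an OCI image: standardize the repository name
		ann[p+"name"] = normalizeOCIRepo(c.Name)
	}
	return ann, nil
}
```

Non-container components (a library, an application) are passed through with their name untouched, which is the behaviour the description gives for non-OCI SBOMs.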
@javirln javirln self-assigned this Dec 12, 2024
@javirln javirln requested review from jiparis and migmartri and removed request for jiparis December 12, 2024 15:10
@javirln javirln marked this pull request as ready for review December 12, 2024 15:11
@migmartri migmartri left a comment

thanks

@javirln javirln merged commit 78b9b68 into chainloop-dev:main Dec 12, 2024
13 checks passed
Successfully merging this pull request may close these issues: expose SBOM component in the attestation