Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate SBOMs using Syft instead of bom #32307

Merged
merged 1 commit into from
May 15, 2024
Merged

Generate SBOMs using Syft instead of bom #32307

merged 1 commit into from
May 15, 2024

Conversation

ferozsalam
Copy link
Contributor

@ferozsalam ferozsalam commented May 2, 2024
edited
Loading

Syft (https://github.com/anchore/syft) appears to offer higher quality results, including being able to identify the versions of individual libraries in golang binaries, which is not something that we were able to do efficiently with bom.

Syft can also generate the SBOMs in spdx-json format, which was a pending TODO from our initial implementation of SBOM generation.

I have successfully run the proposed workflow (with some tweaks to ensure the correct code triggers) here: https://github.com/cilium/cilium/actions/runs/8930115426/job/24529471140?pr=32307.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 2, 2024
@ferozsalam ferozsalam added the release-note/misc This PR makes changes that have no direct user impact. label May 2, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 2, 2024
@ferozsalam ferozsalam force-pushed the pr/feroz/syft-sbom-generation branch 8 times, most recently from 47767be to db2488a Compare May 3, 2024 14:12
@ferozsalam
Copy link
Contributor Author

@joestringer @aanm @nbusseneau – marked this as draft for now, if the changes so far look OK to you, I will extend this to the other image build steps and update our current SBOM documentation.

@joestringer joestringer added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. and removed release-note/misc This PR makes changes that have no direct user impact. labels May 3, 2024
@joestringer
Copy link
Member

The approach looks pretty straightforward to me 👍

Given that users may be leveraging SBOM and the format would change, I bumped this to release-note/minor.

At a glance we may need to update some other docs files to account for the format change:

$ git grep -li sbom
.github/workflows/build-images-base.yaml
.github/workflows/build-images-beta.yaml
.github/workflows/build-images-ci.yaml
.github/workflows/build-images-hotfixes.yaml
.github/workflows/build-images-releases.yaml
Documentation/configuration/index.rst
Documentation/configuration/sbom.rst
README.rst
SECURITY-INSIGHTS.yml

@ferozsalam ferozsalam force-pushed the pr/feroz/syft-sbom-generation branch from db2488a to 9a3abe3 Compare May 14, 2024 13:48
@ferozsalam
Generate SBOMs using Syft instead of bom
42dee36 
Syft appears to offer higher quality results, including being able to identify
the versions of individual libraries in golang binaries, which is not something
that we were able to do efficiently with `bom`.

Syft can also generate the SBOMs in spdx-json format, which was a pending TODO
from our initial implementation of SBOM generation.

Signed-off-by: Feroz Salam <feroz.salam@isovalent.com>
@ferozsalam ferozsalam force-pushed the pr/feroz/syft-sbom-generation branch from 9a3abe3 to 42dee36 Compare May 14, 2024 13:51
@ferozsalam ferozsalam marked this pull request as ready for review May 14, 2024 13:54
@ferozsalam ferozsalam requested review from a team as code owners May 14, 2024 13:54
sayboras
sayboras approved these changes May 15, 2024
View reviewed changes
Copy link
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

@ferozsalam
Copy link
Contributor Author

/test

@joestringer joestringer added this pull request to the merge queue May 15, 2024
Merged via the queue into main with commit 57db22b May 15, 2024
64 checks passed
@joestringer joestringer deleted the pr/feroz/syft-sbom-generation branch May 15, 2024 17:12
@ferozsalam ferozsalam added backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch and removed backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. labels May 16, 2024
@YutaroHayakawa YutaroHayakawa mentioned this pull request May 23, 2024
Merged
15 tasks
@YutaroHayakawa YutaroHayakawa added backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels May 23, 2024
This was referenced May 24, 2024
Merged
Merged
@github-actions github-actions bot added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. labels May 25, 2024
@ferozsalam ferozsalam removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels May 27, 2024
This was referenced May 28, 2024
Merged
Open
@julianwiedmann julianwiedmann added the backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. label May 30, 2024
@michi-covalent michi-covalent mentioned this pull request Jun 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer approved these changes

@aanm aanm aanm approved these changes

@sayboras sayboras sayboras approved these changes

@nbusseneau nbusseneau Awaiting requested review from nbusseneau

Assignees
No one assigned
Labels
backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
No open projects
cilium v1.15.6
Status: Released
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@ferozsalam @joestringer @aanm @sayboras @YutaroHayakawa @julianwiedmann