
SBOMs are not being signed #1151

Open
mthalman opened this issue Jun 29, 2023 · 4 comments

Comments

@mthalman
Member

The build stage of the pipeline generates SBOMs using this logic:

```yaml
# Define the task here to load it into the agent so that we can invoke the tool manually
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
  inputs:
    BuildDropPath: $(Build.ArtifactStagingDirectory)
  displayName: Load Manifest Generator
  condition: and(succeeded(), ne(variables['BuildImages.builtImages'], ''))
- powershell: |
    $images = "$(BuildImages.builtImages)"
    if (-not $images) { return 0 }
    # There can be leftover versions of the task left on the agent if it's not fresh. So find the latest version.
    $taskDir = $(Get-ChildItem -Recurse -Directory -Filter "ManifestGeneratorTask*" -Path '$(Agent.WorkFolder)')[-1].FullName
    $manifestToolDllPath = $(Get-ChildItem -Recurse -File -Filter "Microsoft.ManifestTool.dll" -Path $taskDir).FullName
    # Check whether the manifest task installed its own version of .NET.
    # To be more robust, we'll handle varying implementations that it's had.
    # First check for a dotnet folder in the task location
    $dotnetDir = $(Get-ChildItem -Recurse -Directory -Filter "dotnet-*" -Path $taskDir).FullName
    if (-not $dotnetDir) {
      # If it's not there, check in the agent tools location
      $dotnetDir = $(Get-ChildItem -Recurse -Directory -Filter "*dotnet-*" -Path "$(Agent.ToolsDirectory)").FullName
    }
    # If the manifest task installed its own version of .NET use that; otherwise it's reusing an existing install of .NET
    # which is executable by default.
    if ($dotnetDir) {
      $dotnetPath = "$dotnetDir/dotnet"
    }
    else {
      $dotnetPath = "dotnet"
    }
    # Call the manifest tool for each image to produce separate SBOMs
    # Manifest tool docs: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/secure-supply-chain/custom-sbom-generation-workflows
    $images -Split ',' | ForEach-Object {
      echo "Generating SBOM for $_";
      $formattedImageName = $_.Replace('$(acr.server)/$(stagingRepoPrefix)', "").Replace('/', '_').Replace(':', '_');
      $sbomChildDir = "$(sbomDirectory)/$formattedImageName";
      New-Item -Type Directory -Path $sbomChildDir > $null;
      & $dotnetPath "$manifestToolDllPath" `
        Generate `
        -BuildDropPath '$(Build.ArtifactStagingDirectory)' `
        -BuildComponentPath '$(Agent.BuildDirectory)' `
        -PackageName '.NET' `
        -PackageVersion '$(Build.BuildNumber)' `
        -ManifestDirPath $sbomChildDir `
        -DockerImagesToScan $_ `
        -Verbosity Information
    }
  displayName: Generate SBOMs
```

The ManifestGeneratorTask is only used as an "installer" in order to acquire the manifest tool that gets executed in the second step. It's done this way because of the need to have a separate SBOM for each image (see #979). So the SBOM generation occurs in the second step. But the logic for signing the SBOMs actually occurs in the first step via the ManifestGeneratorTask. This means we're not getting the benefit of signing because we're not using the task to generate the SBOMs. And that means none of our SBOMs are signed.

I've logged a related issue for the manifest generator to have another tool that can be used for signing: https://github.com/microsoft/dropvalidator/issues/668
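A fail-closed gate for the gap described above, written as an added example (it is not code from this issue or from the dotnet-docker pipeline): run it after the "Generate SBOMs" step so the build fails when any per-image SBOM is unsigned or altered, instead of silently shipping unsigned manifests. It assumes the sbom-tool layout `_manifest/spdx_2.2/manifest.spdx.json` plus a `manifest.spdx.json.sha256` sidecar, and the signature file name in `$SignaturePattern` is a placeholder for whatever the chosen signer emits.

```powershell
# Added example, not part of the issue. Walks $SbomDirectory (the pipeline's $(sbomDirectory)),
# one subdirectory per image, and records a failure for each SBOM that is missing, tampered or unsigned.
# ASSUMPTIONS: sbom-tool writes manifest.spdx.json and manifest.spdx.json.sha256; the signature
# artifact name ($SignaturePattern) is a placeholder.
param(
    [Parameter(Mandatory)] [string] $SbomDirectory,
    [string] $SignaturePattern = 'manifest.spdx.json.sig'   # placeholder: set to your signer's output name
)

$failures = @()
foreach ($imageDir in Get-ChildItem -Directory -Path $SbomDirectory) {
    $manifest = Get-ChildItem -Recurse -File -Filter 'manifest.spdx.json' -Path $imageDir.FullName |
        Select-Object -First 1
    if (-not $manifest) {
        $failures += "$($imageDir.Name): no manifest.spdx.json found"
        continue
    }

    # 1. Integrity only: the sidecar holds the SHA-256 of the manifest (first whitespace-separated token).
    #    A mismatch means the SBOM changed after generation. A matching hash proves nothing about
    #    who produced it, because anyone able to edit the manifest can recompute the sidecar.
    $sidecar = "$($manifest.FullName).sha256"
    if (-not (Test-Path $sidecar)) {
        $failures += "$($imageDir.Name): missing sha256 sidecar"
    }
    else {
        $expected = ((Get-Content -Raw -Path $sidecar).Trim() -split '\s+')[0].ToLowerInvariant()
        $actual   = (Get-FileHash -Algorithm SHA256 -Path $manifest.FullName).Hash.ToLowerInvariant()
        if ($expected -ne $actual) { $failures += "$($imageDir.Name): sha256 mismatch, SBOM altered" }
    }

    # 2. Authenticity: require a signature artifact next to the manifest. This is the property the
    #    issue reports as lost when the manifest tool is invoked directly rather than through the task.
    $sig = Get-ChildItem -File -Filter $SignaturePattern -Path $manifest.DirectoryName
    if (-not $sig) { $failures += "$($imageDir.Name): SBOM is unsigned (no $SignaturePattern)" }
}

if ($failures) {
    # Azure Pipelines logging commands: surface each problem as an error and fail the step.
    $failures | ForEach-Object { Write-Host "##vso[task.logissue type=error]$_" }
    Write-Host '##vso[task.complete result=Failed;]Unsigned or tampered SBOMs found'
    exit 1
}
Write-Host "All SBOMs under $SbomDirectory have a matching hash and a signature artifact"
```

Wire it in as a `powershell:` step with the same `condition` as the generation step, passing `-SbomDirectory '$(sbomDirectory)'`.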

@dotnet-issue-labeler

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@mthalman
Member Author

mthalman commented Jul 5, 2023

[Triage]
One option that could be explored is to include execution of the ManifestGeneratorTask after the explicit step which generates the SBOMs. That may perhaps detect the SBOMs on disk and get them signed. Not sure on that, but if that works it's a hacky approach to solving this. Ideally, there would be a process that clearly indicates the intent to have the SBOMs signed.

@mthalman
Member Author

This work should be incorporated into the work for signing images: dotnet/dotnet-docker#4589.

@lbussell
Contributor

lbussell commented May 29, 2024

The implementation here that currently uses the ManifestGeneratorTask could potentially be simplified by acquiring the sbom-tool directly: https://github.com/microsoft/sbom-tool?tab=readme-ov-file#download-and-installation

EDIT: Even better, we could potentially include the sbom-tool in the ImageBuilder container and call it from there instead of using Pipeline code.
