Feature: Pinned-Dependencies digest hashes don't make sense for multi-platform docker images

[calebdoxsey]

Is your feature request related to a problem? Please describe.
Dockerfiles allow you to pin the FROM using a digest hash:

FROM golang@sha256:3c4de86eec9cbc619cdd72424abd88326ffcf5d813a8338a7743c55e5898734f AS base

This digest is however platform specific:

Therefore any project which wants to release or use multi-platform docker images can't use the digest in the FROM and they're going to get dinged by scorecard.

With the release of M1 macs and ARM cloud servers this is becoming an increasingly common problem.

Describe the solution you'd like
Is there another way of pinning the digest that could solve this problem for multi-platform images? Perhaps we can update https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies to note that?

Describe alternatives you've considered
I guess just living with the lower score.

[laurentsimon]

Thanks for the issue!

Can you use variables to do that? We accept FROM image@sha256:${SHA} and use docker build . --build-arg SHA=<hash>?

That brings up a second question: how do you store the hashes in a place that dependabot/renovatebot will understand and update?

There's also a template engine, but I've not looked into it much yet.

Let's add this back to the doc once we've figured out the right solution

[laurentsimon]

cc @loosebazooka @lumjjb any thoughts?

[loosebazooka]

I don't see why multiplatform images can't be referenced by the hash of the manifest list?

[loosebazooka]

for example to obtain the manifest list digest

$ crane digest golang
sha256:fb5993c8c22ae9fec57f91a3e59825f9368d01b1d15a984d83080cac575f79b8

and we can see the contents are indeed a manifest list

$ crane manifest golang@sha256:fb5993c8c22ae9fec57f91a3e59825f9368d01b1d15a984d83080cac575f79b8 | jq
{
  "manifests": [
    {
      "digest": "sha256:996ee073842215953635bcc11b2cda8775b543dbe4a903a6792ad7dd4dcd0017",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:2163a6f970e1e150c289b4a3a3f453e2799f0eeab8519da0c178c8962a185371",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v5"
      },
      "size": 1796
    },
    {
      "digest": "sha256:0c1e67274cc64cefe34feb577939f4027d3dc531c020f991d1b8481a7a5ed915",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v7"
      },
      "size": 1796
    },
    {
      "digest": "sha256:9b8a5ea3de2895a1f34beb6f121b658c67ad87b4cc7dc957608331271a20bf8a",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm64",
        "os": "linux",
        "variant": "v8"
      },
      "size": 1796
    },
    {
      "digest": "sha256:393fde56e4f7799fe3fc71b68be2e2a873d3b993a3873215c46b71f68cd6238e",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "386",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:2b13596cafce30e906762c02aa8db1fd5ed7b5120491521a7d0302f0cb36e10e",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "mips64le",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:3b7a7f6da7598a7c6c48f912b321678cbe9a8a5d4898644636788b2454769aa9",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "ppc64le",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:2702929a87bf96e294a34ee64437abf5ba816c5fd2a0ef8247acf6764c211279",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "s390x",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:97c37195f3549f498f4c8c0b4a6ccb233bbe9f127fd7ad60fc6e3b4b12042ce5",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "windows",
        "os.version": "10.0.20348.587"
      },
      "size": 3401
    },
    {
      "digest": "sha256:64215ac6ca699e7fa7e2371c6685c8a0b960ba856f2c0fecc77efdc4217dc751",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "windows",
        "os.version": "10.0.17763.2686"
      },
      "size": 3401
    }
  ],
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "schemaVersion": 2
}

[calebdoxsey]

@loosebazooka this does seem to work. It builds fine on my m1 mac. Thanks!

[loosebazooka]

I don't know if depandabot/renovate bot actually know how to keep these up to date though, be curious to see what happens

[lumjjb]

Yea that should be fine since OCI objects are all hash referenced and verified. The person usually uploading the manifest would need the same permissions as whoever is uploading the manifest so shouldn't be an issue there - unless this changes in the future.

[laurentsimon]

Maybe I'm misunderstanding the original question: but was the question around dockerfiles rather than the resulting manifest?

[calebdoxsey]

@laurentsimon Yes in the original question I was unsure how best to pin dependencies when using multi-platform images since I thought the digest hash was platform-specific.

But as it turns out theres a digest hash which is not platform-specific, and using that works just fine for docker build. We could probably close this issue unless it'd be worthwhile adding a note to the docs.

[laurentsimon]

ah, I see. So there's a digest that contains all the other images. I'd like to add this to the documentation of our check for the remediation part. Mind drafting a sentence or 2 that we could add in our doc for other users to benefit from? You can send a PR or just paste it here if you prefer.

[loosebazooka]

can you link to the docs?

[laurentsimon]

this is the file to update https://github.com/ossf/scorecard/blob/main/docs/checks/internal/checks.yaml
then run make generate-docs to re-generate the https://github.com/ossf/scorecard/blob/main/docs/checks.md

[laurentsimon]

@loosebazooka still interested in tweaking the doc?

[loosebazooka]

I forgot about this. I'll take a look tomorrow if no one else is interested.