From f2019657a7afd975f82495fc51cd9f47d28f8b2c Mon Sep 17 00:00:00 2001 From: Will Dollman Date: Tue, 15 Oct 2024 15:41:41 +0100 Subject: [PATCH 1/9] Add initial public SBOM fetching instructions --- docs/cli/how-tos/fetch_sboms.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/cli/how-tos/fetch_sboms.md diff --git a/docs/cli/how-tos/fetch_sboms.md b/docs/cli/how-tos/fetch_sboms.md new file mode 100644 index 000000000..ff8483f43 --- /dev/null +++ b/docs/cli/how-tos/fetch_sboms.md @@ -0,0 +1,17 @@ +# How to Fetch SBOMs for Sourcegraph + +Sourcegraph publishes Software Bill of Materials (SBOM) for all of its container images. The SBOMs for each Sourcegraph release are signed, and stored in our container registry alongside our published container images. + +To retrieve the SBOMs for a specific release, you can use the `src` command line interface for Sourcegraph: + +1. Install `src` by following the [Quickstart](../quickstart.md). +2. Install `cosign` by following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/). +3. Identify your Sourcegraph instance's version - you can do this by checking your deployment, or visiting the Settings page on your Sourcegraph instance at and checking the version shown in the bottom left corner. +4. Run `src sbom fetch -v ` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph. +```bash +# Fetch SBOMs for Sourcegraph release 5.8.123 +$ src sbom fetch -v 5.8.123 +``` +5. Once completed, you can find the set of validated SBOMs under `sourcegraph-sboms/sourcegraph-/`. + +**Note:** `src sbom fetch` will retrieve SBOMs for **all** containers that make up a Sourcegraph release. Your Sourcegraph instance will use only a subset of these containers - please check your deployment to determine which SBOM files are relevant to your deployment. 
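Review bot: step 4 of the new fetch_sboms.md says `src` "will automatically validate that all SBOMs were signed by Sourcegraph" but never says what that validation checks or what happens when it fails; since step 2 makes `cosign` a prerequisite, the page should state which signing identity or key the signatures are verified against and whether a failed verification aborts the fetch or only skips that image, otherwise a reader cannot distinguish a fully verified SBOM set from a partially verified one. Two smaller points in the same hunk: the version placeholder after `src sbom fetch -v ` and in `sourcegraph-sboms/sourcegraph-/` does not appear in the rendered text, so check that whatever placeholder is used survives rendering, and step 3 reads "on your Sourcegraph instance at and checking", which is missing what should follow "at".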
From 6c708196cc4ff47657e74fd03b8185c50eda2382 Mon Sep 17 00:00:00 2001 From: Will Dollman Date: Tue, 15 Oct 2024 15:50:37 +0100 Subject: [PATCH 2/9] mdx --- docs/cli/how-tos/{fetch_sboms.md => fetch_sboms.mdx} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename docs/cli/how-tos/{fetch_sboms.md => fetch_sboms.mdx} (95%) diff --git a/docs/cli/how-tos/fetch_sboms.md b/docs/cli/how-tos/fetch_sboms.mdx similarity index 95% rename from docs/cli/how-tos/fetch_sboms.md rename to docs/cli/how-tos/fetch_sboms.mdx index ff8483f43..43a604e1b 100644 --- a/docs/cli/how-tos/fetch_sboms.md +++ b/docs/cli/how-tos/fetch_sboms.mdx @@ -4,7 +4,7 @@ Sourcegraph publishes Software Bill of Materials (SBOM) for all of its container To retrieve the SBOMs for a specific release, you can use the `src` command line interface for Sourcegraph: -1. Install `src` by following the [Quickstart](../quickstart.md). +1. Install `src` by following the [Quickstart](../quickstart.mdx). 2. Install `cosign` by following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/). 3. Identify your Sourcegraph instance's version - you can do this by checking your deployment, or visiting the Settings page on your Sourcegraph instance at and checking the version shown in the bottom left corner. 4. Run `src sbom fetch -v ` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph. From 6392acd67540a96f7a9a4053fd1bebf5f05fa809 Mon Sep 17 00:00:00 2001 From: Will Dollman Date: Wed, 16 Oct 2024 17:00:08 +0100 Subject: [PATCH 3/9] Update with suggestions --- docs/cli/how-tos/fetch_sboms.mdx | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/docs/cli/how-tos/fetch_sboms.mdx b/docs/cli/how-tos/fetch_sboms.mdx index 43a604e1b..c9d638ffa 100644 --- a/docs/cli/how-tos/fetch_sboms.mdx +++ b/docs/cli/how-tos/fetch_sboms.mdx 
@@ -6,12 +6,28 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line 1. Install `src` by following the [Quickstart](../quickstart.mdx). 2. Install `cosign` by following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/). -3. Identify your Sourcegraph instance's version - you can do this by checking your deployment, or visiting the Settings page on your Sourcegraph instance at and checking the version shown in the bottom left corner. +3. Identify the version of Sourcegraph your require SBOMs for. This may be a [recent release](../../CHANGELOG.mdx), or your instance's current version. + 1. SBOMs are only available for Sourcegraph release 5.8.[TODO] and later. + 2. Find your instance's current version by checking your deployment, or by visiting the Settings page on your Sourcegraph instance and checking the version shown in the bottom left corner. + ![](https://storage.googleapis.com/sourcegraph-assets/docs/images/settings/view-version.png) 4. Run `src sbom fetch -v ` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph. -```bash -# Fetch SBOMs for Sourcegraph release 5.8.123 -$ src sbom fetch -v 5.8.123 -``` + ``` + # Fetch SBOMs for Sourcegraph release 5.8.123 + $ src sbom fetch -v 5.8.123 + + Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.8.123 release... + + ✅ us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/appliance + ✅ us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/batcheshelper + ✅ us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/bundled-executor + [...] + + 🟢 Fetched verified SBOMs for 55 images + + Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.8.123`. + + Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used. + ``` 5. 
Once completed, you can find the set of validated SBOMs under `sourcegraph-sboms/sourcegraph-/`. **Note:** `src sbom fetch` will retrieve SBOMs for **all** containers that make up a Sourcegraph release. Your Sourcegraph instance will use only a subset of these containers - please check your deployment to determine which SBOM files are relevant to your deployment. From ae8d3acb82f25128a76cbd77b43b58ad3d85c2f1 Mon Sep 17 00:00:00 2001 From: Will Dollman Date: Wed, 16 Oct 2024 17:02:36 +0100 Subject: [PATCH 4/9] Tweak --- docs/cli/how-tos/fetch_sboms.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/cli/how-tos/fetch_sboms.mdx b/docs/cli/how-tos/fetch_sboms.mdx index c9d638ffa..5eba3e843 100644 --- a/docs/cli/how-tos/fetch_sboms.mdx +++ b/docs/cli/how-tos/fetch_sboms.mdx @@ -17,9 +17,10 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.8.123 release... - ✅ us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/appliance - ✅ us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/batcheshelper - ✅ us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/bundled-executor + ✅ sourcegraph/appliance + ✅ sourcegraph/batcheshelper + ✅ sourcegraph/bundled-executor + [...] 🟢 Fetched verified SBOMs for 55 images From 9ff38282ff3c9c8af6ebdc3d544263c57a2fd543 Mon Sep 17 00:00:00 2001 From: Will Dollman Date: Wed, 16 Oct 2024 17:06:01 +0100 Subject: [PATCH 5/9] Scaled image --- docs/cli/how-tos/fetch_sboms.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cli/how-tos/fetch_sboms.mdx b/docs/cli/how-tos/fetch_sboms.mdx index 5eba3e843..89b83a3f5 100644 --- a/docs/cli/how-tos/fetch_sboms.mdx +++ b/docs/cli/how-tos/fetch_sboms.mdx 
@@ -9,7 +9,7 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line 3. Identify the version of Sourcegraph your require SBOMs for. This may be a [recent release](../../CHANGELOG.mdx), or your instance's current version. 1. SBOMs are only available for Sourcegraph release 5.8.[TODO] and later. 2. Find your instance's current version by checking your deployment, or by visiting the Settings page on your Sourcegraph instance and checking the version shown in the bottom left corner. - ![](https://storage.googleapis.com/sourcegraph-assets/docs/images/settings/view-version.png) + ![](https://storage.googleapis.com/sourcegraph-assets/docs/images/settings/view-version-scaled.png) 4. Run `src sbom fetch -v ` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph. ``` # Fetch SBOMs for Sourcegraph release 5.8.123 From b3f160c1cf9c1bbf6c660a767a0236d469316dd6 Mon Sep 17 00:00:00 2001 From: Will Dollman Date: Wed, 16 Oct 2024 17:45:06 +0100 Subject: [PATCH 6/9] Update with version --- docs/cli/how-tos/fetch_sboms.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/cli/how-tos/fetch_sboms.mdx b/docs/cli/how-tos/fetch_sboms.mdx index 89b83a3f5..d3f6034f2 100644 --- a/docs/cli/how-tos/fetch_sboms.mdx +++ b/docs/cli/how-tos/fetch_sboms.mdx 
@@ -7,15 +7,15 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line 1. Install `src` by following the [Quickstart](../quickstart.mdx). 2. Install `cosign` by following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/). 3. Identify the version of Sourcegraph your require SBOMs for. This may be a [recent release](../../CHANGELOG.mdx), or your instance's current version. - 1. SBOMs are only available for Sourcegraph release 5.8.[TODO] and later. + 1. SBOMs are only available for Sourcegraph release 5.8.1569 and later. 2. Find your instance's current version by checking your deployment, or by visiting the Settings page on your Sourcegraph instance and checking the version shown in the bottom left corner. ![](https://storage.googleapis.com/sourcegraph-assets/docs/images/settings/view-version-scaled.png) 4. Run `src sbom fetch -v ` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph. ``` - # Fetch SBOMs for Sourcegraph release 5.8.123 - $ src sbom fetch -v 5.8.123 + # Fetch SBOMs for Sourcegraph release 5.8.1569 + $ src sbom fetch -v 5.8.1569 - Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.8.123 release... + Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.8.1569 release... ✅ sourcegraph/appliance ✅ sourcegraph/batcheshelper @@ -25,7 +25,7 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line 🟢 Fetched verified SBOMs for 55 images - Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.8.123`. + Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.8.1569`. Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used. ``` From 5e46baa7a1ac86140a3d93fc875c7dff13fcae9f Mon Sep 17 00:00:00 2001 
From: Will Dollman Date: Wed, 16 Oct 2024 22:08:07 +0100 Subject: [PATCH 7/9] Bump release --- docs/cli/how-tos/fetch_sboms.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/cli/how-tos/fetch_sboms.mdx b/docs/cli/how-tos/fetch_sboms.mdx index d3f6034f2..045e9e5f2 100644 --- a/docs/cli/how-tos/fetch_sboms.mdx +++ b/docs/cli/how-tos/fetch_sboms.mdx @@ -7,15 +7,15 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line 1. Install `src` by following the [Quickstart](../quickstart.mdx). 2. Install `cosign` by following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/). 3. Identify the version of Sourcegraph your require SBOMs for. This may be a [recent release](../../CHANGELOG.mdx), or your instance's current version. - 1. SBOMs are only available for Sourcegraph release 5.8.1569 and later. + 1. SBOMs are only available for Sourcegraph release 5.8.1579 and later. 2. Find your instance's current version by checking your deployment, or by visiting the Settings page on your Sourcegraph instance and checking the version shown in the bottom left corner. ![](https://storage.googleapis.com/sourcegraph-assets/docs/images/settings/view-version-scaled.png) 4. Run `src sbom fetch -v ` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph. ``` - # Fetch SBOMs for Sourcegraph release 5.8.1569 - $ src sbom fetch -v 5.8.1569 + # Fetch SBOMs for Sourcegraph release 5.8.1579 + $ src sbom fetch -v 5.8.1579 - Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.8.1569 release... + Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.8.1579 release... ✅ sourcegraph/appliance ✅ sourcegraph/batcheshelper 
@@ -25,7 +25,7 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line 🟢 Fetched verified SBOMs for 55 images - Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.8.1569`. + Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.8.1579`. Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used. ``` From e83da887be5cac97152b12e4673f018c23366a9d Mon Sep 17 00:00:00 2001 From: Will Dollman Date: Tue, 5 Nov 2024 09:57:51 +0000 Subject: [PATCH 8/9] Update for version 5.9.0 --- docs/cli/how-tos/fetch_sboms.mdx | 10 +++++----- docs/cli/how-tos/index.mdx | 2 ++ 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/cli/how-tos/fetch_sboms.mdx b/docs/cli/how-tos/fetch_sboms.mdx index 045e9e5f2..eb83a313b 100644 --- a/docs/cli/how-tos/fetch_sboms.mdx +++ b/docs/cli/how-tos/fetch_sboms.mdx 
@@ -7,15 +7,15 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line 1. Install `src` by following the [Quickstart](../quickstart.mdx). 2. Install `cosign` by following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/). 3. Identify the version of Sourcegraph your require SBOMs for. This may be a [recent release](../../CHANGELOG.mdx), or your instance's current version. - 1. SBOMs are only available for Sourcegraph release 5.8.1579 and later. + 1. SBOMs are only available for Sourcegraph release 5.9.0 and later. 2. Find your instance's current version by checking your deployment, or by visiting the Settings page on your Sourcegraph instance and checking the version shown in the bottom left corner. ![](https://storage.googleapis.com/sourcegraph-assets/docs/images/settings/view-version-scaled.png) 4. Run `src sbom fetch -v ` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph. ``` - # Fetch SBOMs for Sourcegraph release 5.8.1579 - $ src sbom fetch -v 5.8.1579 + # Fetch SBOMs for Sourcegraph release 5.9.0 + $ src sbom fetch -v 5.9.0 - Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.8.1579 release... + Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.9.0 release... ✅ sourcegraph/appliance ✅ sourcegraph/batcheshelper @@ -25,7 +25,7 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line 🟢 Fetched verified SBOMs for 55 images - Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.8.1579`. + Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.9.0`. Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used. ``` diff --git a/docs/cli/how-tos/index.mdx b/docs/cli/how-tos/index.mdx index 65b358bf2..f64ea48ff 100644 
--- a/docs/cli/how-tos/index.mdx +++ b/docs/cli/how-tos/index.mdx @@ -5,3 +5,5 @@ The following how-tos apply to the `src` command line interface to Sourcegraph: - [Creating an access token](/cli/how-tos/creating_an_access_token) - [Revoking an access token](/cli/how-tos/revoking_an_access_token) - [Managing access tokens](/cli/how-tos/managing_access_tokens) +- [Fetch SBOMs](/cli/how-tos/fetch_sboms) + From 58bf507c6f8e0c638bbefca1998bbdde54cb404f Mon Sep 17 00:00:00 2001 From: Will Dollman Date: Tue, 5 Nov 2024 10:15:35 +0000 Subject: [PATCH 9/9] Tweaks --- docs/cli/how-tos/fetch_sboms.mdx | 8 ++++---- docs/cli/how-tos/index.mdx | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/cli/how-tos/fetch_sboms.mdx b/docs/cli/how-tos/fetch_sboms.mdx index eb83a313b..d84819b2c 100644 --- a/docs/cli/how-tos/fetch_sboms.mdx +++ b/docs/cli/how-tos/fetch_sboms.mdx @@ -1,6 +1,6 @@ -# How to Fetch SBOMs for Sourcegraph +# How to fetch SBOMs for Sourcegraph -Sourcegraph publishes Software Bill of Materials (SBOM) for all of its container images. The SBOMs for each Sourcegraph release are signed, and stored in our container registry alongside our published container images. +Sourcegraph publishes a Software Bill of Materials (SBOM) for each of its container images. The SBOMs for each Sourcegraph release are signed, and stored in our container registry alongside our published container images. To retrieve the SBOMs for a specific release, you can use the `src` command line interface for Sourcegraph: @@ -15,7 +15,7 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line # Fetch SBOMs for Sourcegraph release 5.9.0 $ src sbom fetch -v 5.9.0 - Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.9.0 release... + Fetching SBOMs and validating signatures for all 39 images in the Sourcegraph 5.9.0 release... ✅ sourcegraph/appliance ✅ sourcegraph/batcheshelper 
@@ -23,7 +23,7 @@ To retrieve the SBOMs for a specific release, you can use the `src` command line [...] - 🟢 Fetched verified SBOMs for 55 images + 🟢 Fetched verified SBOMs for 39 images Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.9.0`. diff --git a/docs/cli/how-tos/index.mdx b/docs/cli/how-tos/index.mdx index f64ea48ff..6c2a84d8e 100644 --- a/docs/cli/how-tos/index.mdx +++ b/docs/cli/how-tos/index.mdx @@ -5,5 +5,5 @@ The following how-tos apply to the `src` command line interface to Sourcegraph: - [Creating an access token](/cli/how-tos/creating_an_access_token) - [Revoking an access token](/cli/how-tos/revoking_an_access_token) - [Managing access tokens](/cli/how-tos/managing_access_tokens) -- [Fetch SBOMs](/cli/how-tos/fetch_sboms) +- [How to fetch SBOMs for Sourcegraph](/cli/how-tos/fetch_sboms)
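Review bot: in the PATCH 3/9 hunk of fetch_sboms.mdx the sample output lists images from an internal CI registry (`us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/appliance` and the two lines after it), which contradicts the introduction's statement that SBOMs are stored in the public container registry alongside the published images and would point readers at artefacts they cannot pull or verify; PATCH 4/9 replaces these with `sourcegraph/appliance` and friends, so that fix belongs in this commit rather than one later. The same hunk introduces "Identify the version of Sourcegraph your require SBOMs for" (should be "you require"), a `5.8.[TODO]` minimum version that sits in the docs until PATCH 6/9, drops the `bash` tag from the fence, and leaves "5. " detached from "Once completed, you can find the set of validated SBOMs under ...", so the fifth step renders without its text.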
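Review bot: the PATCH 8/9 hunk for index.mdx adds an extra empty line after the new list entry (the bare `+` line following `+- [Fetch SBOMs](/cli/how-tos/fetch_sboms)`), and PATCH 9/9 keeps it when it renames the link; drop the blank line so the entry matches the three list items above it.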
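Review bot: the PATCH 9/9 hunk changes the image count in the sample output from 55 to 39, but that number is a snapshot of a single release and has already drifted once in this series; either say in the text that the output is illustrative or drop the hard count and keep only the `[...]` elision, otherwise the page will be wrong again at the next release. The "your require" typo in step 3 is still present in the final version of fetch_sboms.mdx and should be fixed here.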