Create and publish Software Bill of Materials (SBOMs) for our operators, products and docker images

[lfrancke]

SBOM for our Operators

We want to produce SBOMs for all our operators and the operator images.

Tasks

Beta Give feedback

1. Add a bom.xml to all our operators #369
   +0
   
2. Introduce cargo-cyclonedx in build process
3. Fix issues in cyclonedx-rust-cargo so it creates valid SBOMs #411
   3 of 3
   +0
   
4. Use syft to create SBOMs of Docker images and upload to Harbor #398
   changelog/highlight release/2024-03 +2
   
5. https://github.com/stackabletech/internal-issues/issues/46

SBOM for our products

See https://cwiki.apache.org/confluence/display/COMDEV/SBOM for a list of Apache products that already support SBOMs. Thanks to @dongjoon-hyun who worked on most of these!

Tasks

Beta Give feedback

1. Use syft to create SBOMs of product images and publish them in Harbor #512
   16 of 16
   release/2024-03 +1
   
2. https://github.com/stackabletech/internal-issues/issues/46

Unfortunately, we will not be able to use them all so we might have to create our own SBOMs.

Generating the SBOMs is only the first step though. We should mirror them somewhere and publish them as well to merge them with our Docker images and any custom additions.

[nightkr]

This sounds great, but I have a sneaking suspicion that this kind of automatic processing would be quite complicated, especially for our products, where we just use their release artifacts rather than integrating with their build systems.

I'd absolutely like to see this at some point, but it feels like it's a big and important enough issue that we need some kind of stopgap until then. I'd propose:

1. Add a comment or metadata file to each NXRM package folder with a URL to the upstream
2. (If NXRM supports it) set up pull-through mirroring, so that we automatically download artifacts from a fixed upstream URL pattern the first time they are requested

[lfrancke]

A few links I came across:

• https://thenewstack.io/how-to-improve-docker-security-with-docker-sbom-and-syft/
• https://kubernetes-sigs.github.io/bom/tutorials/creating_bill_of_materials/
• https://www.heise.de/news/Open-Source-Tool-von-Microsoft-erstellt-Software-Bill-of-Materials-7177889.html?wt_mc=rss.red.ho.ho.atom.beitrag.beitrag
• https://github.com/microsoft/sbom-tool
• Tangentially related: https://github.blog/2022-10-25-why-were-excited-about-the-sigstore-general-availability/
• Maybe related: https://github.com/guacsec/guac (via https://www.heise.de/news/Open-Source-Googles-GUAC-soll-Ordnung-ins-Security-Metadaten-Chaos-bringen-7320125.html?wt_mc=rss.red.ho.ho.atom.beitrag.beitrag)
• https://github.com/CycloneDX/cyclonedx-bom-repo-server
• Idea for SBOM storage: https://oras.land/

[lfrancke]

This is a good summary of tools used to generate SBOMs: https://cloudsmith.com/blog/how-to-generate-and-host-an-sbom/

[fhennig]

Once we have the SBOMs I suggest we work on this: https://github.com/stackabletech/internal-issues/issues/46