
Produce SBOM during zarf package creation #22

Closed
RothAndrew opened this issue Sep 7, 2021 · 18 comments · Fixed by #367
Labels: enhancement ✨ New feature or request · packager · sbom Software Bill of Materials

Comments

@RothAndrew (Contributor)

Evaluate tools / options to produce a standard consumable SBOM and a user-friendly display / ability to navigate it when deploying a zarf package. Doing so will meet software supply chain requirements for government and industry as well as provide a higher level of transparency/confidence to what is transported with Zarf.

Related:
https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
https://cyclonedx.org/
https://spdx.dev/
https://github.com/anchore/syft


Migrated from https://repo1.dso.mil/platform-one/big-bang/apps/product-tools/zarf/-/issues/35

@mikhailswift (Contributor)

Just a heads up since I can't assign myself here: I'm currently working this issue

@mikhailswift (Contributor)

https://github.com/spdx/tools-golang

Leaving this here for further reference as a potentially useful lib

@jeff-mccoy (Contributor)

Thanks @mikhailswift I’ve been eyeing that too as @runyontr suggested it might be good to have spdx be a consumer target at some point for package creation. Thanks!

@mikhailswift (Contributor)

mikhailswift commented Sep 15, 2021

Still a WIP, but wanted to give a quick update. Currently have SBOM generation working for images during package creation. I left some more details in the commit message

testifysec@be62817

Edit: And attaching an example of one of the SBOMs generated for the tiny-kafka example: https://gist.github.com/mikhailswift/3dd402abc5afecba27cb3cf7f92d1d52

It's uhh... pretty long lol

@jeff-mccoy (Contributor)

Thanks @mikhailswift, this is very exciting! I had played with syft a little last month because I really like the feedback they provide on image pull; have you stumbled across that code at all yet in your exploration? #3 has been sitting out for a while needing some love and I had planned to check out how syft was doing it later on.

@mikhailswift (Contributor)

I ran into a bit of their progress updating, yes. They're using go-partybus (heh, familiar name) as an event bus to provide progress updates to any subscribers. Both syft and stereoscope allow you to pass in your own instance of go-partybus to subscribe to their events.

I tapped into this a bit to get updates during the cataloging process and to make sure syft was reading the image layers from the tar ball and not reaching out to the registry and pulling layers again.

We should be able to use similar tactics to provide better feedback during Zarf's processes. I can take a look at it tomorrow.

It also feels a bit bad to be pulling images, tarring them up, only to subsequently iterate over the tar a second time. I played a little bit with trying to catalog images as we pulled them before tarring them but would have to revisit that.
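The concern in the comment above is that cataloging must read the image layers that were already saved into the package tarball rather than going back to the registry. The following is an added example (not mikhailswift's commit, not Zarf's or syft's code) showing the shape of that offline walk with only the Go standard library: it reads `manifest.json` from a docker-save style archive, follows the layer list, and inventories the regular files in each layer without any network access. The sample archive is constructed in memory; the layer paths, file names and tags in it are invented for illustration. It also fails closed when the manifest references a layer blob that is not in the archive, which is the check you want on a package that may have been truncated or tampered with in transit.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"sort"
)

// dockerManifest is the shape of manifest.json inside a `docker save` archive:
// an array of images, each listing its config blob and ordered layer tar paths.
type dockerManifest []struct {
	Config   string   `json:"Config"`
	RepoTags []string `json:"RepoTags"`
	Layers   []string `json:"Layers"`
}

// LayerFiles maps a layer path (as named in the manifest) to the sorted
// regular-file names found inside that layer tar.
type LayerFiles map[string][]string

// CatalogImageTar inventories a docker-save style archive entirely from the
// reader: no registry pull, no temp files. It loads every regular entry into
// memory, parses manifest.json, then lists the files in each referenced layer.
// A layer listed in the manifest but absent from the archive is an error.
func CatalogImageTar(r io.Reader) (LayerFiles, error) {
	entries := map[string][]byte{}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		entries[hdr.Name] = data
	}
	raw, ok := entries["manifest.json"]
	if !ok {
		return nil, fmt.Errorf("manifest.json missing: not a docker save archive")
	}
	var m dockerManifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest.json: %w", err)
	}
	out := LayerFiles{}
	for _, img := range m {
		for _, layer := range img.Layers {
			blob, ok := entries[layer]
			if !ok {
				return nil, fmt.Errorf("manifest references %s but it is not in the archive", layer)
			}
			files, err := listLayer(bytes.NewReader(blob))
			if err != nil {
				return nil, fmt.Errorf("layer %s: %w", layer, err)
			}
			out[layer] = files
		}
	}
	return out, nil
}

// listLayer returns the sorted regular-file names in one layer tar.
func listLayer(r io.Reader) ([]string, error) {
	var files []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag == tar.TypeReg {
			files = append(files, hdr.Name)
		}
	}
	sort.Strings(files)
	return files, nil
}

// BuildSampleImageTar constructs a tiny two-layer docker-save archive in memory.
// Constructed sample input for the example; not a real image.
func BuildSampleImageTar() []byte {
	layer1 := tarOf(map[string]string{"etc/os-release": "ID=alpine\n", "bin/sh": "#!bin\n"})
	layer2 := tarOf(map[string]string{"usr/lib/libcrypto.so.1.1": "\x7fELF"})
	manifest, _ := json.Marshal(dockerManifest{{
		Config: "cfg.json", RepoTags: []string{"example:1"},
		Layers: []string{"l1/layer.tar", "l2/layer.tar"},
	}})
	return tarOf(map[string]string{
		"manifest.json": string(manifest),
		"cfg.json":      "{}",
		"l1/layer.tar":  string(layer1),
		"l2/layer.tar":  string(layer2),
	})
}

// tarOf writes the given name->content map as an uncompressed tar (sorted for determinism).
func tarOf(files map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		body := files[n]
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	cat, err := CatalogImageTar(bytes.NewReader(BuildSampleImageTar()))
	if err != nil {
		panic(err)
	}
	for layer, files := range cat {
		fmt.Println(layer, files)
	}
}
```

Reading every entry into memory keeps the example short; a real packager would stream the archive twice or index offsets instead, and would feed each layer to a proper cataloger (syft's image source does the equivalent walk with its own readers). The point to keep is the contract: the inventory is derived only from bytes already in the package, and a manifest/blob mismatch aborts instead of silently producing a partial SBOM.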

@jeff-mccoy jeff-mccoy added the sbom Software Bill of Materials label Sep 16, 2021
@jeff-mccoy (Contributor)

yeah agreed double tar is a little gross. I'm not beholden to tar vs say OCI for transporting either, just was a simple/clean way initially with K3s. I may explore that later on too, look forward to what you find out around image pulling.

@RothAndrew RothAndrew added this to the sbom milestone Feb 4, 2022
jeff-mccoy added a commit that referenced this issue Feb 8, 2022
Signed-off-by: Jeff McCoy <code@jeffm.us>
@YrrepNoj (Contributor)

YrrepNoj commented Feb 8, 2022

@jeff-mccoy just wanted to confirm that this issue can be closed based on this commit?

29ec64c

Never mind, this was an old commit from when the repo was on GitLab and references the GitLab issue 22. This got re-pinged when we did the master push and I thought it was coming with the recent PR merge. Disregard.

@jeff-mccoy (Contributor)

Met with @mikhailswift on Monday to talk through this and he's actively working this again, going to touch base in a couple weeks, but he'll update the issue as it's being worked.

@jeff-mccoy (Contributor)

Any update on this work, @mikhailswift?

@jeff-mccoy jeff-mccoy added enhancement ✨ New feature or request packager labels Feb 25, 2022
@mikhailswift (Contributor)

Sorry just catching up on notifications this morning

So far it's going well. I'll get the code cleaned up and will put the commits here to show what I'm doing.

Currently working on making sure SBOMs are being generated for images at the most opportune time in Zarf's code.

@jeff-mccoy (Contributor)

Copy thanks!

@mikhailswift (Contributor)

Apologies for the delay on this -- got the SBOM creation code cleaned up and a PR up. Working on functionality to display the SBOMs to users now.

@anoncam

anoncam commented Apr 11, 2022

@jeff-mccoy (Contributor)

Thanks @anoncam, Python is a deal-breaker as we need statically-linked, cross-compiled binaries only; will keep tabs on the second link.

@mikhailswift (Contributor)

We're currently working SBOM generation directly in witness w/o Zarf to remove the massive dependencies that syft brings

@jeff-mccoy (Contributor)

We'll need more details on that too. Syft has several teams adopting it and I want to make sure that we know what we are bringing in and when we are choosing more common tools vs not.

@anoncam

anoncam commented Apr 15, 2022

@jeff-mccoy I think another item needs to be captured, which is standardizing across the industry to better support interoperability with various components. SLSA seems like a good starting point to dive a little more meaningfully into this process

Noxsios pushed a commit that referenced this issue Mar 8, 2023
Signed-off-by: Jeff McCoy <code@jeffm.us>