
Commit 355cb50

Add sbom scanning command
1 parent e22b5e2 commit 355cb50

3 files changed

+105
-15
lines changed


.test/meta-commands/out.sh

+45
@@ -53,6 +53,21 @@ jq '
5353
' temp/index.json > temp/index.json.new
5454
mv temp/index.json.new temp/index.json
5555
# </build>
56+
# <sbom_scan>
57+
docker create --name img oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43@sha256:0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401
58+
docker export img > img.tar
59+
mkdir img
60+
mkdir sbom
61+
tar -xf img.tar -C img/
62+
docker run \
63+
-u root \
64+
--mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
65+
-v ./sbom:/out \
66+
-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
67+
-e BUILDKIT_SCAN_DESTINATION=/out \
68+
$BASHBREW_BUILDKIT_SBOM_GENERATOR
69+
jq '.subject |= [{"name":"pkg:docker/docker:24.0.7-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:24.0-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:24-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/docker:24.0.7-cli-alpine3.18?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24.0.7-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24.0-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24-cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:cli?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/amd64/docker:24.0.7-cli-alpine3.18?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}},{"name":"pkg:docker/null?platform=linux%2Famd64","digest":{"sha256":"0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401"}}]' sbom/sbom.spdx.json > sbom.json
70+
# </sbom_scan>
5671
# <push>
5772
crane push temp 'oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43'
5873
rm -rf temp
@@ -88,6 +103,21 @@ SOURCE_DATE_EPOCH=1700741054 \
88103
--file 'Dockerfile' \
89104
'https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/windows/windowsservercore-ltsc2022'
90105
# </build>
106+
# <sbom_scan>
107+
docker create --name img oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e@sha256:69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce
108+
docker export img > img.tar
109+
mkdir img
110+
mkdir sbom
111+
tar -xf img.tar -C img/
112+
docker run \
113+
-u root \
114+
--mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
115+
-v ./sbom:/out \
116+
-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
117+
-e BUILDKIT_SCAN_DESTINATION=/out \
118+
$BASHBREW_BUILDKIT_SBOM_GENERATOR
119+
jq '.subject |= [{"name":"pkg:docker/docker:24.0.7-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24.0-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24.0.7-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24.0-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:24-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/docker:windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0.7-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24-windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:windowsservercore-ltsc2022?platform=windows%2Famd64","digest":{
"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0.7-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24.0-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:24-windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/winamd64/docker:windowsservercore?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}},{"name":"pkg:docker/null?platform=windows%2Famd64","digest":{"sha256":"69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce"}}]' sbom/sbom.spdx.json > sbom.json
120+
# </sbom_scan>
91121
# <push>
92122
docker push 'oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e'
93123
# </push>
@@ -174,6 +204,21 @@ done
174204
jq -r --argjson sbomManifestDesc "$sbomManifestDesc" '.manifests += [ $sbomManifestDesc ]' temp/index.json > temp/index.json.new
175205
mv temp/index.json.new temp/index.json
176206
# </build>
207+
# <sbom_scan>
208+
docker create --name img oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f@sha256:4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0
209+
docker export img > img.tar
210+
mkdir img
211+
mkdir sbom
212+
tar -xf img.tar -C img/
213+
docker run \
214+
-u root \
215+
--mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
216+
-v ./sbom:/out \
217+
-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
218+
-e BUILDKIT_SCAN_DESTINATION=/out \
219+
$BASHBREW_BUILDKIT_SBOM_GENERATOR
220+
jq '.subject |= [{"name":"pkg:docker/busybox:1.36.1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1.36?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:stable?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:latest?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1.36.1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1.36-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:stable-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/busybox:glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36.1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:stable?platform=li
nux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:latest?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36.1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1.36-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:1-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:stable-glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/amd64/busybox:glibc?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}},{"name":"pkg:docker/null?platform=linux%2Famd64","digest":{"sha256":"4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0"}}]' sbom/sbom.spdx.json > sbom.json
221+
# </sbom_scan>
177222
# <push>
178223
crane push --index temp 'oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f'
179224
rm -rf temp

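--- a/meta.jq
+++ b/meta.jq
@@ -369,6 +369,62 @@ def build_command:
 error("unknown/unimplemented Builder: \($builder)")
 end
 ;
+
+def subjects($digest):
+[
+($digest | split(":")) as $splitDigest
+| (.source.arches[.build.arch].platformString) as $platform
+| (
+.source.arches[.build.arch].tags[],
+.source.arches[.build.arch].archTags[],
+.build.img,
+.build.img_mock,
+empty # trailing comma
+)
+| {
+# https://github.com/package-url/purl-spec/blob/b33dda1cf4515efa8eabbbe8e9b140950805f845/PURL-TYPES.rst#docker (this matches what BuildKit generates as of 2024-09-18; "oci" would also be a reasonable choice, but would require signer and policy changes to support, and be more complex to generate accurately)
+name: "pkg:docker/\(.)?platform=\($platform | @uri)",
+digest: { ($splitDigest[0]): $splitDigest[1] },
+}
+]
+;
+
+# input: "build" object (with "buildId" top level key)
+def image_digest:
+.build.resolved.manifests[0].digest
+;
+
+# input: "build" object (with "buildId" top level key)
+def image_ref:
+"\(.build.img)@\(image_digest)"
+;
+
+# input: "build" object (with "buildId" top level key)
+# output: string "command for generating an SBOM from an OCI layout", may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
+def sbom_command:
+[
+"docker create --name img \(image_ref)",
+"docker export img > img.tar",
+"mkdir img",
+"mkdir sbom",
+"tar -xf img.tar -C img/",
+(
+[
+"docker run",
+"-u root",
+"--mount type=bind,source=\"$(pwd)/img\",target=/run/src/core/sbom,readonly",
+"-v ./sbom:/out",
+"-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom",
+"-e BUILDKIT_SCAN_DESTINATION=/out",
+"$BASHBREW_BUILDKIT_SBOM_GENERATOR",
+empty
+] | join(" \\\n\t")
+),
+"jq '.subject |= \(subjects(image_digest))' sbom/sbom.spdx.json > sbom.json",
+empty
+] | join("\n")
+;
+
 # input: "build" object (with "buildId" top level key)
 # output: string "push command" ("docker push ..."), may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
 def push_command:
@@ -398,6 +454,7 @@ def commands:
 {
 pull: pull_command,
 build: build_command,
+sbom_scan: sbom_command,
 push: push_command,
 }
 ;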
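Review bot: `subjects` emits a bogus subject whenever `.build.img_mock` is null, which is exactly what the expected output in `.test/meta-commands/out.sh` shows as a trailing `pkg:docker/null?platform=…` entry on every generated `jq '.subject |= …'` line; because `github_actions_provenance` in provenance.jq now calls `subjects($digest)` as well, the same phantom subject will land in the signed provenance statement, where verifiers match on subject names. Change the `.build.img_mock,` line in `subjects` to `(.build.img_mock // empty),` so a missing mock image contributes nothing. Separately, `sbom_command` splices the JSON from `subjects(image_digest)` into a single-quoted shell string, so any tag or image name containing `'` would break out of the quoting; passing it with `--argjson` (as the `index.json` manipulation in out.sh already does) and `@sh` escaping, e.g. `"jq --argjson subjects \(subjects(image_digest) | tojson | @sh) '.subject = $subjects' sbom/sbom.spdx.json > sbom.json"`, keeps the data out of the program text. The container created with `--name img` is never removed and `img/`, `sbom/` and `img.tar` are never cleaned up, so a second run in the same workspace fails at `docker create` or `mkdir` under `set -e`. Finally, `$BASHBREW_BUILDKIT_SBOM_GENERATOR` is expanded unquoted and its value is not visible here; if it resolves to a mutable tag rather than a digest, the produced SBOM depends on an unpinned scanner image, which a comment on that line should at least state as a requirement.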

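--- a/provenance.jq
+++ b/provenance.jq
@@ -1,3 +1,5 @@
+include "meta";
+
 # input: "build" object with platform and image digest
 # $github: "github" context; CONTAINS SENSITIVE INFORMATION (https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context)
 # $runner: "runner" context; https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#runner-context
@@ -9,21 +11,7 @@ def github_actions_provenance($github; $runner; $digest):
 if $github.event_name != "workflow_dispatch" then error("error: '\($github.event_name)' is not a supported event type for provenance generation") else
 {
 _type: "https://in-toto.io/Statement/v1",
-subject: [
-($digest | split(":")) as $splitDigest
-| (.source.arches[.build.arch].platformString) as $platform
-| (
-.source.arches[.build.arch].tags[],
-.source.arches[.build.arch].archTags[],
-.build.img,
-empty # trailing comma
-)
-| {
-# https://github.com/package-url/purl-spec/blob/b33dda1cf4515efa8eabbbe8e9b140950805f845/PURL-TYPES.rst#docker (this matches what BuildKit generates as of 2024-09-18; "oci" would also be a reasonable choice, but would require signer and policy changes to support, and be more complex to generate accurately)
-name: "pkg:docker/\(.)?platform=\($platform | @uri)",
-digest: { ($splitDigest[0]): $splitDigest[1] },
-}
-],
+subject: subjects($digest),
 predicateType: "https://slsa.dev/provenance/v1",
 predicate: {
 buildDefinition: {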
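Review bot: `include "meta";` on the new first line is resolved through jq's module search path, which as far as I know does not include the directory of the including file by default, so every invocation of provenance.jq presumably has to pass `-L` pointing at the directory holding meta.jq (or pin it with `include "meta" {search: "./"};`); that requirement is not documented anywhere in the file. A one-line comment above the include, `# requires the directory containing meta.jq on jq's module search path (-L)`, would make the dependency explicit to anyone running this file by hand. Note also that the replacement `subjects($digest)` includes `.build.img_mock` where the removed inline list did not, so the provenance subject list changes for every build, not only the SBOM; the commit message does not mention this. `github_actions_provenance` starts and ends outside the second hunk.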
