Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CycloneDX SBOM support #61

Merged
merged 23 commits into from
Mar 9, 2022
Merged

CycloneDX SBOM support #61

merged 23 commits into from
Mar 9, 2022

Conversation

kaniini
Copy link
Contributor

@kaniini kaniini commented Mar 4, 2022

Add support for CycloneDX SBOM by inspecting the APK database. APKv2 is only supported for now.

Closes: #14.

@mattmoor mattmoor requested a review from puerco March 5, 2022 00:05
pkg/build/sbom.go Outdated Show resolved Hide resolved
return fmt.Sprintf("pkg:apk/%s/%s@%s", ns, pkg.Name, pkg.Version)
}

func (bc *Context) GenerateSBOM() error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In case it is useful, @imjasonh rolled the ko CycloneDX stuff here if you want to compare or copy useful bits: https://github.com/google/ko/pull/587/files#diff-ad63c642b90be2eed057117c368556d45c8c89a4c7310c948b80166fed73667aR41

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whether or not you roll your own, I think it was a good idea to have e2e validation of the SBOMs in CI: https://github.com/google/ko/blob/main/.github/workflows/sbom.yaml

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also: how do folks feel about generating both/all formats by default? That's something I'd like to do for ko, and apko being onboard would help motivate me. Seems weird to prefer one over the other(s)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would be alright with generating the JSON-LD version of SPDX, but not the Turtle version presently generated by ko.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I also think that shouldn't block this MR)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Absolutely, we should do both. I was holding on commenting on this one to talk on Monday (@kaniini happy to chat on the weekend too if you want). I think we need to align some things to work together, buts lets chat first!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can wait until Monday, I have some reasons for being opinionated here on SBOMs that I can outline outside this MR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After a discussion with @puerco, the plan is for him to take over this branch and add in the SPDX support and so on :)

pkg/build/sbom.go Outdated Show resolved Hide resolved
@puerco puerco force-pushed the feature/sbom branch 2 times, most recently from c08e720 to 81a06b6 Compare March 9, 2022 03:47
kaniini and others added 14 commits March 8, 2022 21:54
the repository package from alpine already does it, but closing it twice
seems harmless
In order to create an sbom interface the cyclone DX
types are now out in their own package.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Add the SBOM object and its initial empty implementation

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commits modifies the SBOM object to make it capable of
reading /etc/os-release files.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit refactors the package reading code into a method in the sbom object

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Copy link
Contributor

puerco commented Mar 9, 2022

OK, I've reworked the sbom code to its own package. It now supports pluggable sbom generators which can be turned on and off from the options. The cyclonedx code is the first one of these 🥳

I also added tests for most of the functions but I still have to ensure the output looks as expected, also I have to actually test it but the main idea should be ready for review :)

Lets sync tomorrow to talk about some next steps here (like, where should the SBOM go? matching the cyclonedx and spdx structure, etc).

puerco added 5 commits March 8, 2022 23:48
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Options are now on its own package to share with generators

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
puerco and others added 4 commits March 8, 2022 23:48
The SBOM object now outputs snoms using a generate function
that uses its generators to output in the specified formats

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
The build context will now generate the sboms using the new sbom package

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@kaniini kaniini merged commit 6bd5370 into main Mar 9, 2022
@kaniini
Copy link
Contributor Author

kaniini commented Mar 9, 2022

I went ahead and merged this, we can talk more about it later today for the SPDX support :)

@kaniini kaniini deleted the feature/sbom branch March 21, 2022 03:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

SBOM support
5 participants