Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[POC] Provisioner for SBOM #13171

Draft
wants to merge 27 commits into
base: main
Choose a base branch
from
Draft

[POC] Provisioner for SBOM #13171

wants to merge 27 commits into from

Conversation

devashish-patel
Copy link
Contributor

@devashish-patel devashish-patel commented Sep 25, 2024
edited
Loading

Example templates:

JSON:

{
  "builders": [
    {
      "type": "docker",
      "image": "ubuntu:20.04",
      "commit": true
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "apt-get update -y",
        "apt-get install -y curl",
        "bash -c \"$(curl -sSL https://install.mondoo.com/sh)\""
      ]
    },
    {
      "type": "shell",
      "inline": [
        "cnquery sbom --output cyclonedx-json --output-target /tmp/sbom_cyclonedx.json"
      ]
    },
    {
      "type": "hcp-sbom",
      "source": "/tmp/sbom_cyclonedx.json"
    }
  ]
}

HCL:

packer {
  required_plugins {
    docker = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/docker"
    }
  }
}

source "docker" "ubuntu" {
  image  = "ubuntu:20.04"
  commit = true
}

build {
  sources = ["source.docker.ubuntu"]

  provisioner "shell" {
    inline = [
      "apt-get update -y",
      "apt-get install -y curl",
      "bash -c \"$(curl -sSL https://install.mondoo.com/sh)\""
    ]
  }

  provisioner "shell" {
    inline = [
      //"cnquery sbom --output cyclonedx-json | tee /tmp/sbom_cyclonedx.json",
      "cnquery sbom --output cyclonedx-json --output-target /tmp/sbom_cyclonedx.json",
      "cnquery sbom --output spdx-json --output-target /tmp/sbom_spdx.json",
    ]
  }

  provisioner "hcp-sbom" {
      source      = "/tmp/sbom_cyclonedx.json"
      destination = "./sbom/sbom_cyclonedx.json"
  }

  provisioner "hcp-sbom" {
    source      = "/tmp/sbom_spdx.json"
    destination = "./sbom/sbom_spdx.json"
  }
}

lbajolet-hashicorp
lbajolet-hashicorp requested changes Sep 26, 2024
View reviewed changes
Copy link
Contributor

@lbajolet-hashicorp lbajolet-hashicorp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a bunch of comments on the code, I think we can simplify the download to have it done once only, technically once we've copied the file locally for Packer, we can copy it to the user-specified destination (if specified). That or we can factorise the code for downloading since it's very similar.
I'll let you address those comments and do another pass of review after that.

packer/provisioner.go Outdated Show resolved Hide resolved
packer/provisioner.go Outdated Show resolved Hide resolved
packer/provisioner.go Outdated Show resolved Hide resolved
packer/provisioner.go Outdated Show resolved Hide resolved
packer/provisioner.go Outdated Show resolved Hide resolved
packer/build.go Outdated Show resolved Hide resolved
provisioner/hcp_sbom/provisioner.go Outdated Show resolved Hide resolved
provisioner/hcp_sbom/provisioner.go Outdated Show resolved Hide resolved
provisioner/hcp_sbom/provisioner.go Outdated Show resolved Hide resolved
provisioner/hcp_sbom/provisioner.go Outdated Show resolved Hide resolved
lbajolet-hashicorp
lbajolet-hashicorp reviewed Oct 17, 2024
View reviewed changes
provisioner/hcp_sbom/validate.go Outdated Show resolved Hide resolved
provisioner/hcp_sbom/validate.go Outdated Show resolved Hide resolved
provisioner/hcp_sbom/provisioner.go Outdated Show resolved Hide resolved
packer/provisioner.go Outdated Show resolved Hide resolved
devashish-patel and others added 20 commits October 25, 2024 11:19
@devashish-patel @lbajolet-hashicorp
Add outer provisioner to download, validate and compress SBOM
10a107c
@devashish-patel @lbajolet-hashicorp
Add and set up internal SBOM provisioner
e359898
@devashish-patel @lbajolet-hashicorp
Modify external provisioner
8ab261e
@devashish-patel @lbajolet-hashicorp
Fix lint
df8f3cf
@devashish-patel @lbajolet-hashicorp
Fix tests
54a0f9a
@devashish-patel @lbajolet-hashicorp
Add PR suggestions
d17d0a7
@devashish-patel @lbajolet-hashicorp
Remove unnecessary test
ed7a0d5
@devashish-patel @lbajolet-hashicorp
Run generate
66daeb7
@devashish-patel @lbajolet-hashicorp
DRY download SBOM functions
b38d844
@devashish-patel @lbajolet-hashicorp
Add support for SPDX
2b3c440
@devashish-patel @lbajolet-hashicorp
Fix linting
4139f75
@devashish-patel @lbajolet-hashicorp
Optimize code
4cf3811
@devashish-patel @lbajolet-hashicorp
Rename hcp_sbom to hcp-sbom
768b9a0
@devashish-patel @lbajolet-hashicorp
Typed error check in validation
890b476
@devashish-patel @lbajolet-hashicorp
Use single buffer
fb3d15c
@devashish-patel @lbajolet-hashicorp
Lint
03a7142
@lbajolet-hashicorp
packer_test: add file checker
d35cafe 
Some tests will create files and directories as part of the execution
path for Packer, and we need a way to check this, so this commit adds a
new file gadget to do those checks after a command executes.
@lbajolet-hashicorp
simplify error typing for SBOM validation
8a996bb
@lbajolet-hashicorp
fixme: add path/home to commands for docker to run, should be general…
4e8affb 
…ised
@lbajolet-hashicorp
packer_test: add intergation tests for hcp-sbom
127d625
lbajolet-hashicorp
lbajolet-hashicorp reviewed Nov 1, 2024
View reviewed changes
website/content/docs/provisioners/hcp-sbom.mdx Outdated Show resolved Hide resolved
website/content/docs/provisioners/hcp-sbom.mdx Outdated Show resolved Hide resolved
website/content/docs/provisioners/hcp-sbom.mdx Outdated Show resolved Hide resolved
website/content/docs/provisioners/hcp-sbom.mdx Outdated Show resolved Hide resolved
website/content/docs/provisioners/hcp-sbom.mdx Outdated Show resolved Hide resolved
website/content/docs/provisioners/hcp-sbom.mdx Outdated Show resolved Hide resolved
devashish-patel
devashish-patel commented Nov 4, 2024
View reviewed changes
website/content/docs/provisioners/hcp-sbom.mdx
`destination` option in the provisioner.

Currently, we support `CycloneDX` and `SPDX` SBOM formats in `JSON`.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TBA: Add more details about max number of files allowed to download, and if we are going to add the file name field!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lbajolet-hashicorp lbajolet-hashicorp Awaiting requested review from lbajolet-hashicorp

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@devashish-patel @lbajolet-hashicorp