Add support for writing SBOMs when the build.Result is signed.
This adds (still dormant) functionality that enables the default
publisher to publish SBOMs (and later signatures and attestations)
when the `build.Result` is an `oci.SignedEntity`.

I'm mostly staging this to assess the impact to vendor and start
using CI to catch things for me as I iterate.
mattmoor committed Nov 19, 2021
1 parent 2fbc908 commit 5c6331e
Showing 159 changed files with 14,009 additions and 279 deletions.
4 changes: 1 addition & 3 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -6,20 +6,18 @@ require (
github.com/containerd/stargz-snapshotter/estargz v0.10.0
github.com/docker/docker v20.10.10+incompatible
github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960
github.com/evanphx/json-patch/v5 v5.5.0 // indirect
github.com/fsnotify/fsnotify v1.5.1
github.com/go-training/helloworld v0.0.0-20200225145412-ba5f4379d78b
github.com/google/go-cmp v0.5.6
github.com/google/go-containerregistry v0.7.0
github.com/mattmoor/dep-notify v0.0.0-20190205035814-a45dec370a17
github.com/mattn/go-isatty v0.0.13 // indirect
github.com/opencontainers/image-spec v1.0.2-0.20210730191737-8e42a01fb1b7
github.com/sigstore/cosign v1.3.2-0.20211119200148-e1acd18203e4
github.com/spf13/cobra v1.2.1
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.9.0
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
golang.org/x/tools v0.1.7
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
k8s.io/apimachinery v0.22.3
1,140 changes: 1,132 additions & 8 deletions go.sum


51 changes: 51 additions & 0 deletions pkg/publish/default.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,10 @@ import (
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/google/go-containerregistry/pkg/v1/types"
"github.com/sigstore/cosign/pkg/oci"
ociremote "github.com/sigstore/cosign/pkg/oci/remote"
"github.com/sigstore/cosign/pkg/oci/walk"

"github.com/google/ko/pkg/build"
)

Expand Down Expand Up @@ -120,18 +124,65 @@ func pushResult(tag name.Tag, br build.Result, opt []remote.Option) error {
return err
}

// writePeripherals implements walk.Fn
writePeripherals := func(_ context.Context, se oci.SignedEntity) error {
ociOpts := []ociremote.Option{ociremote.WithRemoteOptions(opt...)}

// Respect COSIGN_REPOSITORY
targetRepoOverride, err := ociremote.GetEnvTargetRepository()
if err != nil {
return err
}
if (targetRepoOverride != name.Repository{}) {
ociOpts = append(ociOpts, ociremote.WithTargetRepository(targetRepoOverride))
}

// TODO(mattmoor): We should have a WriteSBOM helper upstream.
ref, err := ociremote.SBOMTag(tag, ociOpts...)
if err != nil {
return err
}
if f, err := se.Attachment("sbom"); err != nil {
return err
} else if err := remote.Write(ref, f, opt...); err != nil {
return err
}

// TODO(mattmoor): Don't enable this until we start signing or it
// will publish empty signatures!
// if err := ociremote.WriteSignatures(tag.Context(), se, ociOpts...); err != nil {
// return err
// }

// TODO(mattmoor): Are there any attestations we want to write?
// if err := ociremote.WriteAttestations(tag.Context(), se, ociOpts...); err != nil {
// return err
// }
return nil
}

switch mt {
case types.OCIImageIndex, types.DockerManifestList:
idx, ok := br.(v1.ImageIndex)
if !ok {
return fmt.Errorf("failed to interpret result as index: %v", br)
}
if sii, ok := idx.(oci.SignedImageIndex); ok {
if err := walk.SignedEntity(context.Background(), sii, writePeripherals); err != nil {
return err
}
}
return remote.WriteIndex(tag, idx, opt...)
case types.OCIManifestSchema1, types.DockerManifestSchema2:
img, ok := br.(v1.Image)
if !ok {
return fmt.Errorf("failed to interpret result as image: %v", br)
}
if si, ok := img.(oci.SignedImage); ok {
if err := writePeripherals(context.Background(), si); err != nil {
return err
}
}
return remote.Write(tag, img, opt...)
default:
return fmt.Errorf("result image media type: %s", mt)
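Review bot: The SBOM target in writePeripherals is derived from `tag` rather than from the entity being written, and `ociremote.SBOMTag(tag, ociOpts...)` is called before `remote.Write`/`remote.WriteIndex` has pushed the new manifest. If SBOMTag resolves a non-digest reference by fetching it from the registry (which is how cosign's suffix-tag helper behaves, as far as I recall), the call either fails on a first-time publish or pins the new SBOM to the digest of whatever the tag pointed at previously, so the attachment is bound to a stale artifact; for an index, `walk.SignedEntity` also invokes the closure once per child image with the same `tag`, so every child's SBOM would land on one tag. Deriving the reference from `se.Digest()` and passing `tag.Context().Digest(h.String())` keeps the SBOM bound to the bytes actually in memory and independent of registry state. Separately, `se.Attachment("sbom")` returns its error unconditionally, so a SignedEntity without an SBOM aborts the whole publish; a comment such as `// A SignedEntity without an "sbom" attachment fails the publish here.` or a tolerant branch would make that intent explicit. pushResult begins and ends outside this hunk.
```go
	writePeripherals := func(_ context.Context, se oci.SignedEntity) error {
		// … unchanged: ociOpts construction and COSIGN_REPOSITORY handling …

		// Bind the SBOM to the digest of the entity we are about to write, not to
		// whatever the tag currently resolves to in the registry: at this point the
		// image has not been pushed yet, so a tag lookup is either absent or stale.
		h, err := se.Digest()
		if err != nil {
			return err
		}
		ref, err := ociremote.SBOMTag(tag.Context().Digest(h.String()), ociOpts...)
		if err != nil {
			return err
		}
		// … unchanged: Attachment("sbom") write and the dormant signature/attestation writes …
	}
```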
