Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate image SBOMs #539

Open
p5 opened this issue Mar 31, 2024 · 7 comments
Open

Generate image SBOMs #539

p5 opened this issue Mar 31, 2024 · 7 comments
Assignees
@p5
Labels
enhancement New feature or request

Comments

@p5
Copy link
Member

p5 commented Mar 31, 2024

Due to the recent xz incident, it would be good if we frequently generate SBOMs for our images.

Consider using Syft, and possibly later integrating with Grype for vuln scanning.

I'm investigating this now.
@p5 p5 self-assigned this Mar 31, 2024
@p5
Copy link
Member Author

p5 commented Mar 31, 2024

The SBOMs are very large - upwards of 45MB!
They can fairly easily be uploaded to job artefacts, but it's not trivial parsing them.

@p5
Copy link
Member Author

p5 commented Apr 1, 2024
edited
Loading

This needs a bit more investigation. SBOMs can take over 30 minutes to be generated, so need to make this async.
Thinking about triggering the workflow whenever a new image is published to GHCR and pushing the SBOM to R2. I want to avoid some unmaintainable matrix hacks, so the workflow would only generate (and later scan) a single image, rather than all of them.

@castrojo
Copy link
Member

castrojo commented May 3, 2024

Lots of new info just dropped: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

@dosubot dosubot bot added the stale Issue has not had recent activity or appears to be solved. Stale issues will be automatically closed label Aug 2, 2024
@dosubot dosubot bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 9, 2024
@dosubot dosubot bot removed the stale Issue has not had recent activity or appears to be solved. Stale issues will be automatically closed label Aug 9, 2024
@scottames
Copy link

Out of curiosity, do you all not plan on tackling SBOMs at all?

I started looking into this for my custom image (on top of professional efforts). It would be awesome to see this from the upstream ublue images as well.

@castrojo
Copy link
Member

castrojo commented Aug 9, 2024

We very much wanna do this as a project, we're just time/resource limited.

We were generating a set for Bluefin but they took resources to build and ended up being flakey and causing red, though we kept the actions around.

I did notice improvements in the github UI but haven't investigated yet. I wonder if it's clickety-click to setup?

@p5 p5 reopened this Aug 9, 2024
@castrojo castrojo added the enhancement New feature or request label Aug 9, 2024
@scottames
Copy link

We very much wanna do this as a project, we're just time/resource limited.

We were generating a set for Bluefin but they took resources to build and ended up being flakey and causing red, though we kept the actions around.

I did notice improvements in the github UI but haven't investigated yet. I wonder if it's clickety-click to setup?

Good to know. I'll have a look at what you did over there.

Good question about the workflow, I'm not sure. If I go down the rabbit hole and have anything to share back before you guys do I'll be sure to do so.

@castrojo
Copy link
Member

castrojo commented Aug 9, 2024

https://github.com/ublue-os/bluefin/blob/main/.github/workflows/reusable-image-scan.yml for reference!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@p5 p5

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@castrojo @scottames @p5