-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SBOM file generation. #312
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
I like how the signing of the artifacts happens in the same job as the build, and the release job just consumes the signed artifacts already.
I wonder though, if we could keep the release job in the .github/workflows/release.yml
workflow file. I feel it's clearer to set everything in one file with:
on:
push:
tags:
- 'v*'
and not use if: github.ref_type == 'tag'
.
I wonder also if by having it in a different workflow, it's more easy to find the release job in the github pop-ups of commits and so.
cdfb145
to
ed2044a
Compare
@viccuad , in order to have a more complete SBOM file, the tool needs access to the files generated by the build. Thus, the |
5172ba1
to
31d194b
Compare
As far as I could understand reading the spdx specification the file contains anything used to build the binary. Therefore, you can see all the files include in a package, the relationship between packages, checksum of everything, license and etc. |
Thanks @jvanz, I was able to run the command locally. I've looked at the For example, take a look at this snippet about the {
"fileName": "./deps/addr2line-28aec851f2e54f6a.d",
"SPDXID": "SPDXRef-File--deps-addr2line-28aec851f2e54f6a.d-19D14F2B41953D84DFBB935FED640F81D0809DFA",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "4512d8e3dd2ea20f9b30e414254f9f04dcd8991d764b6f1a6d6b47abab74e6d2"
},
{
"algorithm": "SHA1",
"checksumValue": "19d14f2b41953d84dfbb935fed640f81d0809dfa"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"NOASSERTION"
],
"copyrightText": "NOASSERTION"
}, This snippet doesn't tell me where the dependency is coming (crates.io release, a github repository,...) and it doesn't tell me the version being used. I can see what I assume is a git commit shasum inside of the folder name This isn't what I expected to find inside of a SPDX report. I did some quick search, and I ran opensbom-generator/spdx-sbom-generator in this way: $ spdx-sbom-generator This produced a
This looks more "human-friendly". Now, I'm not suggesting we have to move to this other tool. I just wonder if we are not invoking the Microsoft one with the right set of parameters. |
@flavio here, the |
6b2a01e
to
2a6b2c7
Compare
fe20024
to
9b57432
Compare
@viccuad @flavio , I've updated the PR to use the spdx-sbom-generator tool and generate the right packages dependencies. Furthermore, I've also open an issue in the |
e5b7338
to
ff230f9
Compare
env: | ||
COSIGN_EXPERIMENTAL: 1 | ||
|
||
- name: Upload policy-server binary |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we could sign the binary and upload the binary and its signature to the interim artifacts.
The signatures could be checked when building the container image. I suppose this may be needed for SLSA.
Not much improvement for our current security stance, as we depend on GHA and artifacts anyway. But in the future we could build in our own worker.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think this would be a nice improvement. However I would not block this PR to get this implemented, I would rather file a new issue
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's sound a good idea indeed. I've just created an issue to keep track of this improvement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving, I'm happy to merge as it is.
We could add SBOM for both build image and resulting container image in following PRs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, I left some minor comments that are not mandatory to get this PR merged
env: | ||
COSIGN_EXPERIMENTAL: 1 | ||
|
||
- name: Upload policy-server binary |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think this would be a nice improvement. However I would not block this PR to get this implemented, I would rather file a new issue
Adds new steps in the build and release workflow to generate, sign and publish a SBOM file for Policy Server.
Adds new steps in the build and release workflow to generate, sign and publish a SBOM file for Policy Server.
Fix #305