
Add ability to specify a custom SBOM generator #97

Open
wants to merge 1 commit into master

Conversation

LaurentGoderre
Member

No description provided.

@whalelines whalelines left a comment

Test?

@LaurentGoderre
Member Author

@whalelines yep. I have to figure out how to test this.

@yosifkit
Member

yosifkit commented Jun 6, 2024

sbomGeneratorEnv = "BASHBREW_BUILDKIT_SBOM_GENERATOR"
buildxBuilderEnv = "BUILDX_BUILDER"

A little confused by the need for this change. Currently, the SBOM generator is set via BASHBREW_BUILDKIT_SBOM_GENERATOR in the environment, so an export BASHBREW_BUILDKIT_SBOM_GENERATOR=... should be enough to change it to something custom for local build tests (along with a BUILDX_BUILDER name).

I'm not sure I see why we'd need a different SBOM generator per tag of an image (or even per image repo). I'd be very hesitant to add new fields to the library files (the Manifest2822Entry) without a large need in Docker Official Images.

@LaurentGoderre
Member Author

@yosifkit this allows specifying an alternate one for an image. In this case: clearlinux

@tianon
Member

tianon commented Jun 6, 2024

I don't think we currently have any other images that are FROM clearlinux, but if we did, wouldn't they then need both this clearlinux-custom SBOM generation method and the normal one so that we pick up any non-package-provided binaries correctly too? (from that perspective, IMO it makes more sense to either improve the existing SBOM scanner or convince clearlinux to embed the result in their images and suggest anyone FROM clearlinux also run this tool and embed the result, but all that still feels like we're missing something in the main SBOM scanner, especially if clearlinux becomes popular enough to warrant the level of effort)

@whalelines

Is this still relevant/needed?

@LaurentGoderre
Member Author

I still think it is.
