Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new command: pack sbom download #1351

Merged
merged 2 commits into from
Feb 3, 2022
Merged

Add new command: pack sbom download #1351

merged 2 commits into from
Feb 3, 2022

Conversation

aemengo
Copy link
Contributor

@aemengo aemengo commented Dec 22, 2021
edited
Loading

Summary

Add command to download image SBOM to specified directory

pack download-sbom aemengo/hello [--local] [--remote] [--output-dir /tmp/some-directory]

Documentation

Related

#1335

@github-actions github-actions bot added this to the 0.23.0 milestone Dec 22, 2021
@github-actions github-actions bot added the type/enhancement Issue that requests a new feature or improvement. label Dec 22, 2021
@aemengo aemengo mentioned this pull request Dec 22, 2021
Closed
@dfreilich dfreilich mentioned this pull request Jan 3, 2022
Closed
1 task
dfreilich
dfreilich reviewed Jan 3, 2022
View reviewed changes
Copy link
Member

@dfreilich dfreilich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great direction!

internal/commands/download_sbom.go Outdated Show resolved Hide resolved
internal/commands/download_sbom.go Show resolved Hide resolved
internal/commands/download_sbom.go Outdated Show resolved Hide resolved
pkg/client/download_sbom.go Show resolved Hide resolved
@dfreilich dfreilich modified the milestones: 0.23.0, 0.24.0 Jan 3, 2022
@codecov
Copy link

codecov bot commented Jan 3, 2022
edited
Loading

Codecov Report

Merging #1351 (7db1ac5) into main (9402d07) will decrease coverage by 0.06%.
The diff coverage is 72.89%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1351      +/-   ##
==========================================
- Coverage   81.47%   81.42%   -0.05%     
==========================================
  Files         148      151       +3     
  Lines        9598     9657      +59     
==========================================
+ Hits         7819     7862      +43     
- Misses       1313     1327      +14     
- Partials      466      468       +2
Flag Coverage Δ
os_linux 80.12% <72.89%> (-0.04%) ⬇️
os_macos 77.55% <72.89%> (-<0.01%) ⬇️
os_windows 81.29% <72.89%> (-0.05%) ⬇️
unit 81.42% <72.89%> (-0.05%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@aemengo aemengo marked this pull request as ready for review January 3, 2022 22:01
@aemengo aemengo requested a review from a team as a code owner January 3, 2022 22:01
jromero
jromero reviewed Jan 7, 2022
View reviewed changes
cmd/cmd.go Outdated Show resolved Hide resolved
jromero
jromero reviewed Jan 7, 2022
View reviewed changes
internal/commands/download_sbom.go
Use: "download-sbom <image-name>",
Args: cobra.ExactArgs(1),
Short: "Download SBoM from specified image",
Long: "Download layer containing Structured Bill of Materials (SBoM) from specified image",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this sbom downloading only work for "app" images? Not run images?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once again, are you referring to buildpacks/rfcs#186? As of today, this RFC hasn't been approved and it might be a pre-optimization to implement in light of this.

@aemengo aemengo force-pushed the download-sbom branch 3 times, most recently from e6ab64f to f027b65 Compare January 10, 2022 14:01
@aemengo aemengo mentioned this pull request Jan 18, 2022
Closed
@sambhav
Copy link
Member

sambhav commented Jan 24, 2022

@aemengo @dfreilich any updates on this?

dfreilich
dfreilich approved these changes Feb 1, 2022
View reviewed changes
Copy link
Member

@dfreilich dfreilich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spectacular! Just a few nits I'd like to see changed, but overall this really worked like a charm!

UA

> ./out/pack sbom
Interact with SBoM

Usage:
  pack sbom [command]

Available Commands:
  download    Download SBoM from specified image

Flags:
  -h, --help   Help for 'sbom'

Global Flags:
      --no-color     Disable color output
  -q, --quiet        Show less output
      --timestamps   Enable timestamps in output
  -v, --verbose      Show more output

Use "pack sbom [command] --help" for more information about a command.
> ./out/pack sbom download
Error: accepts 1 arg(s), received 0
Usage:
  pack sbom download <image-name> [flags]

Examples:
pack sbom download buildpacksio/pack

Flags:
  -h, --help                Help for 'download'
      --local               Pull SBoM from local daemon (Default)
      --output-dir string   Path to export SBoM contents.
                            It defaults export to the current working directory. (default ".")
      --remote              Pull SBoM from remote registry

Global Flags:
      --no-color     Disable color output
  -q, --quiet        Show less output
      --timestamps   Enable timestamps in output
  -v, --verbose      Show more output

sbom download on image without an SbOM

> ./out/pack sbom download buildpacksio/pack --remote --output-dir /tmp/pack-sbom
ERROR: could not find SBoM information on 'buildpacksio/pack'
> docker images | grep buildpacksio/pack

sbom download on image with it, from remote registry

> ./out/pack sbom download aemengo/hello --remote --output-dir /tmp/sbom-hello
> tree /tmp/sbom-hello
/tmp/sbom-hello
└── layers
    └── sbom
        └── launch
            └── paketo-buildpacks_ca-certificates
                └── helper
                    └── sbom.syft.json

5 directories, 1 file

> cat /tmp/sbom-hello/layers/sbom/launch/paketo-buildpacks_ca-certificates/helper/sbom.syft.json
{"Artifacts":[{"ID":"b4a6352954da741c","Name":"helper","Version":"3.0.1","Type":"UnknownPackage","FoundBy":"libpak","Locations":[{"Path":"ca-certificates-helper"}],"Licenses":["Apache-2.0"],"Language":"","CPEs":["cpe:2.3:a:paketo-buildpacks/ca-certificates:ca-certificates-helper:3.0.1:*:*:*:*:*:*:*"],"PURL":"pkg:generic/paketo-buildpacks/ca-certificates@3.0.1"}],"Source":{"Type":"directory","Target":"/layers/paketo-buildpacks_ca-certificates/helper"},"Descriptor":{"Name":"syft","Version":"0.30.1"},"Schema":{"Version":"1.1.0","URL":"https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-1.1.0.json"}}%

sbom download from local image

> ./out/pack sbom download test --output-dir /tmp/pack-sbom
> tree /tmp/pack-sbom
/tmp/pack-sbom
└── layers
    └── sbom
        └── launch
            └── paketo-buildpacks_ca-certificates
                └── helper
                    └── sbom.syft.json

internal/commands/download_sbom.go Show resolved Hide resolved
internal/commands/download_sbom.go Outdated Show resolved Hide resolved
internal/commands/download_sbom.go Outdated Show resolved Hide resolved
internal/commands/download_sbom.go Outdated Show resolved Hide resolved
pkg/client/download_sbom.go Show resolved Hide resolved
@sambhav
Copy link
Member

sambhav commented Feb 1, 2022

small nitpick - should we rename the command to pack fetch-sbom instead? download seems a bit weird for local images.

Anthony Emengo added 2 commits February 2, 2022 10:17
Add new command: pack download-sbom
e638b02 
Signed-off-by: Anthony Emengo <aemengo@vmware.com>
Address PR comments
7db1ac5 
- pack download-sbom -> pack sbom download ....
- Add warning message for pack inspect-image <> --bom
- Remove --local flag
- Add -o shorthand for --output-dir flag

Signed-off-by: Anthony Emengo <aemengo@vmware.com>
@aemengo
Copy link
Contributor Author

aemengo commented Feb 2, 2022

small nitpick - should we rename the command to pack fetch-sbom instead? download seems a bit weird for local images.

I have no strong feelings. @dfreilich Can you confirm that this is what you'd prefer?

@dfreilich
Copy link
Member

I actually think download is more akin to what it actually does. I would expect fetch to fetch and display out, while download preserves the files on the local FS. No major skin in the game though, and given that @samj1912 has been a key player in the SBoM situation thus far, I'm happy going with his sugestion

@sambhav
Copy link
Member

sambhav commented Feb 2, 2022

Was just a nit pick, don't mind either way. At this point I am just eagerly waiting for this release! Thanks for working on this @aemengo!

@dfreilich dfreilich merged commit 61dc8c7 into buildpacks:main Feb 3, 2022
@dfreilich dfreilich changed the title Add new command: pack download-sbom Add new command: pack sbom download Feb 3, 2022
@ryanmoran ryanmoran mentioned this pull request Feb 10, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jromero jromero jromero left review comments

@dfreilich dfreilich dfreilich approved these changes

Assignees
No one assigned
Labels
type/enhancement Issue that requests a new feature or improvement.
Projects
None yet
Milestone
0.24.0
Development

Successfully merging this pull request may close these issues.
4 participants
@aemengo @sambhav @dfreilich @jromero