From 0c1fd35428fb34144642e9b8f2b54a2d144c6a2d Mon Sep 17 00:00:00 2001 From: Anthony Emengo Date: Mon, 25 Oct 2021 22:03:19 -0400 Subject: [PATCH] Add run image SBOM Signed-off-by: Anthony Emengo --- text/0000-run-image-sbom.md | 70 +++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 text/0000-run-image-sbom.md diff --git a/text/0000-run-image-sbom.md b/text/0000-run-image-sbom.md new file mode 100644 index 000000000..437cb232e --- /dev/null +++ b/text/0000-run-image-sbom.md 
@@ -0,0 +1,70 @@ +# Meta +[meta]: #meta +- Name: Run Image Structured SBOM +- Start Date: 2021-10-25 +- Author(s): aemengo +- Status: Draft +- RFC Pull Request: (leave blank) +- CNB Pull Request: (leave blank) +- CNB Issue: (leave blank) +- Supersedes: (put "N/A" unless this replaces an existing RFC, then link to that RFC) + +# Summary +[summary]: #summary + +This RFC proposes the following - + +- A run image can contain a layer holding an SBOM (in format of CycloneDX or SBOM) of installed packages at `/sbom/bom..json`, where `` will be `cdx` for CycloneDX documents and `spdx` for SPDX documents. These will initially be the only 2 supported SBOM versions. +- The digest of this layer is written as a `LABEL` on the corresponding run image with the key: `io.buildpacks.sbom`. + +# Definitions +[definitions]: #definitions + +- SBOM (Software Bill Of Materials) / BOM: A list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The SBOM describes the components in a product. In case of buildpacks the SBOM describes the contents of the various layers, buildpacks, stacks and the output app container. +- Run Image: A container image that serves as a base image for application images in the buildpack toolchain. + +# Motivation +[motivation]: #motivation + +This RFC serves as an addendum to [#RFC 95: SBOM](https://github.com/buildpacks/rfcs/blob/main/text/0095-sbom.md) which introduces the SBOM for buildpack installed packages. For a full depiction of packages within a container image, container scanning tools would _also_ need an SBOM of the installed OS packages. These multiple SBOM files would be merged as part of the lifecycle build process, for easy consumption by an automated scanning tool. 
+ +# What it is +[what-it-is]: #what-it-is + +A stack creator is permitted to specify a SBOM for a given run image, in one discrete layer, at the following file path: + +```shell +/sbom +└── bom..json +``` + +And a label with key of `io.buildpacks.sbom`, and value of the digest of this layer, stored as metadata on the run image. + +When the lifecycle comes across a run image with this label and valid digest, it will attempt to merge this SBOM with any SBOMs delivered by buildpacks (during the build phase) and output them at `/layers/config//sbom/bom.`, per [#RFC 95: SBOM](https://github.com/buildpacks/rfcs/blob/main/text/0095-sbom.md). Initially this merging will only be supported for CycloneDX as it has a well-defined and efficient way of merging multiple `bom` files. A reference implementation can be found at the [`cyclonedx-cli`](https://github.com/CycloneDX/cyclonedx-cli) project. In the future we may add support for merging SPDX `bom` files as well. + +Merging different formats (CycloneDX/SPDX/Legacy CNB format) is a non-goal and will not be supported. + +# Drawbacks +[drawbacks]: #drawbacks + +This RFC tries to thrust a paradigm which is an even greater burden on stack operators, in light of the recently approved [#RFC 96: Remove Stacks](https://github.com/buildpacks/rfcs/blob/main/text/0096-remove-stacks-mixins.md). + +# Alternatives +[alternatives]: #alternatives + + - + +# Prior Art +[prior-art]: #prior-art + +- [#RFC 95: SBOM](https://github.com/buildpacks/rfcs/blob/main/text/0095-sbom.md) + +# Unresolved Questions +[unresolved-questions]: #unresolved-questions + + - + +# Spec. Changes (OPTIONAL) +[spec-changes]: #spec-changes + +- The [platform.md#run-image](https://github.com/buildpacks/spec/blob/main/platform.md#run-image) would need an addition for the `io.buildpacks.sbom` key, referencing the layer digest that holds the run-image BOM.
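Review bot: the lifecycle behaviour this hunk hangs on the `io.buildpacks.sbom` label is underspecified in the "What it is" and "Spec. Changes" sections: "a run image with this label and valid digest" does not say which digest is meant (the compressed layer blob digest from the manifest or the uncompressed diff ID from the image config), whether the lifecycle must verify that the digest matches a layer actually present in the run image before reading `/sbom/bom..json` from it, and what it does when the label is present but no such layer exists or the digest does not match (skip the run-image SBOM with a warning, or fail the build). Since the merged document is handed to scanning tools as the full package inventory of the image, a stale or mismatched label silently merging the wrong SBOM is worse than no run-image SBOM at all, so the spec text should state the digest kind and make the mismatch case an explicit, logged outcome. Related gap: the Summary allows both `cdx` and `spdx` run-image SBOMs while merging is CycloneDX-only and cross-format merging is a non-goal, so the text should say what happens to an SPDX run-image SBOM (passed through unmerged next to the buildpack SBOMs, or ignored). Smaller points: in the Summary, "in format of CycloneDX or SBOM" should read "CycloneDX or SPDX", and "the only 2 supported SBOM versions" should be "formats"; the Alternatives and Unresolved Questions sections are empty placeholders, and the RFC 96 concern raised under Drawbacks is the obvious candidate for the latter.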