
sbom: include external refs for fetched sourcecode in SPDX #1218

Merged
merged 10 commits into from
May 22, 2024

Conversation

xnox
Contributor

@xnox xnox commented May 17, 2024

External References to sources

This aids with many aspects of compliance, and ability to self-locate all relevant source code.

This will be present in every package sbom, and by extension every image sbom accessible from console and container registry.

This is extensible to accommodate any other future inputs.

Current state:

Currently we generate external self-reference to the binary APK package

```json
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:apk/wolfi/acl@2.3.2-r2?arch=x86_64",
          "referenceType": "purl"
        }
      ]
```

This proposal extends this array with additional references to the source code.

For fetch:

Add Package-URL to the download URI with checksum argument.

```
2024/05/17 16:18:51 INFO adding external refs [pkg:generic/acl@2.3.2?checksum=sha256%3A5f2bdbad629707aa7d85c623f994aa8a1d2dec55a73de5205bac0bf6058a2f7c&download_url=https%3A%2F%2Fdownload.savannah.nongnu.org%2Freleases%2Facl%2Facl-2.3.2.tar.gz] for pipeline "fetch"
```

Resulting SBOM then has for the package this information:

```json
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:generic/acl@2.3.2?checksum=sha256%3A5f2bdbad629707aa7d85c623f994aa8a1d2dec55a73de5205bac0bf6058a2f7c&download_url=https%3A%2F%2Fdownload.savannah.nongnu.org%2Freleases%2Facl%2Facl-2.3.2.tar.gz",
          "referenceType": "purl"
        }
```

For github based git-checkouts:

Add Package-URL to the github location with tag & commit-id versions.

```
2024/05/17 23:14:36 INFO adding external refs [pkg:github/sigstore/cosign@v2.2.4 pkg:github/sigstore/cosign@fb651b4ddd8176bd81756fca2d988dd8611f514d] for pipeline "git-checkout"
```

```json
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:github/sigstore/cosign@v2.2.4",
          "referenceType": "purl"
        },
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:github/sigstore/cosign@fb651b4ddd8176bd81756fca2d988dd8611f514d",
          "referenceType": "purl"
        }
```

For non-github based git-checkouts:

Add Package-URL to vcs location with tag as version and commit encoded as @commit (approximately similar to how many tools pin to a commit, i.e. pip)

```
2024/05/20 14:34:53 INFO adding external refs [pkg:generic/hello@v0.0.1?vcs_url=git%2Bhttps%3A%2F%2Fgitlab.com%2Fxnox%2Fhello.git%40a73c4feb284dc6ed1e5758740f717f99dcd4c9d7] for pipeline "git-checkout"
```

```json
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:generic/hello@v0.0.1?vcs_url=git%2Bhttps%3A%2F%2Fgitlab.com%2Fxnox%2Fhello.git%40a73c4feb284dc6ed1e5758740f717f99dcd4c9d7",
          "referenceType": "purl"
        },
```

For melange config itself:

Add Package-URL to github location with commit as version and subpath set to the melange configfile.

```
2024/05/20 14:34:53 INFO adding external ref pkg:github/chainguard-dev/melange@7b29d0fe879878add7a26d515e679bab25047bfd#examples/git-checkout.yaml for ConfigFile
```

```json
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:github/chainguard-dev/melange@7b29d0fe879878add7a26d515e679bab25047bfd#examples/git-checkout.yaml",
          "referenceType": "purl"
        }
```

This aids with many aspects of compliance.

```
2024/05/17 16:18:51 INFO melange is building:
2024/05/17 16:18:51 INFO   configuration file: ./acl.yaml
2024/05/17 16:18:51 INFO   workspace dir: /tmp/melange-workspace-17131835
2024/05/17 16:18:51 INFO evaluating pipelines for package requirements
2024/05/17 16:18:51 INFO   adding external refs [pkg:generic/?checksum=sha256%3A5f2bdbad629707aa7d85c623f994aa8a1d2dec55a73de5205bac0bf6058a2f7c&download_url=https%3A%2F%2Fdownload.savannah.nongnu.org%2Freleases%2Facl%2Facl-2.3.2.tar.gz] for pipeline "fetch"
2024/05/17 16:18:51 INFO   adding packages [wget] for pipeline "Fetch and extract external object into workspace"
2024/05/17 16:18:51 INFO   adding packages [make] for pipeline "Run autoconf make"
2024/05/17 16:18:51 INFO   adding packages [make] for pipeline "Run autoconf make install"
```

```json
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:apk/wolfi/acl@2.3.2-r2?arch=x86_64",
          "referenceType": "purl"
        },
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:generic/acl@2.3.2?checksum=sha256%3A5f2bdbad629707aa7d85c623f994aa8a1d2dec55a73de5205bac0bf6058a2f7c&download_url=https%3A%2F%2Fdownload.savannah.nongnu.org%2Freleases%2Facl%2Facl-2.3.2.tar.gz",
          "referenceType": "purl"
        }
      ]
```

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
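The four locator shapes described above, reproduced as an added example (not melange's own code): each source-input kind is turned into a purl string with `net/url` doing the percent-encoding seen in the logs, and a small consumer-side helper reads the checksum back out so a verifier can compare it against a re-fetched tarball. The helper and function names are assumptions; the sample values are the ones quoted in the PR.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// fetchPurl builds pkg:generic/<name>@<version>?checksum=sha256:<hex>&download_url=<uri>.
// An empty name or version is rejected: the earlier log line in the PR shows the
// degenerate "pkg:generic/?checksum=..." form that results without this check.
func fetchPurl(name, version, sha256Hex, downloadURL string) (string, error) {
	if name == "" || version == "" {
		return "", errors.New("fetch purl needs both a package name and a version")
	}
	q := url.Values{}
	q.Set("checksum", "sha256:"+sha256Hex)
	q.Set("download_url", downloadURL)
	// Encode sorts keys and percent-encodes ':' '/' '+' '@', matching the logged form.
	return fmt.Sprintf("pkg:generic/%s@%s?%s", name, version, q.Encode()), nil
}

// githubCheckoutPurls emits two refs: one pinned to the tag, one to the commit.
func githubCheckoutPurls(owner, repo, tag, commit string) []string {
	return []string{
		fmt.Sprintf("pkg:github/%s/%s@%s", owner, repo, tag),
		fmt.Sprintf("pkg:github/%s/%s@%s", owner, repo, commit),
	}
}

// genericVCSPurl handles non-GitHub checkouts: the tag is the version and the
// commit rides inside vcs_url as "@<commit>" (pip-style pinning).
func genericVCSPurl(name, tag, repoURL, commit string) string {
	q := url.Values{}
	q.Set("vcs_url", "git+"+repoURL+"@"+commit)
	return fmt.Sprintf("pkg:generic/%s@%s?%s", name, tag, q.Encode())
}

// configPurl pins the melange config by commit, with the file path as the subpath.
func configPurl(commit, path string) string {
	return "pkg:github/chainguard-dev/melange@" + commit + "#" + path
}

// checksumFromPurl is the consumer's inverse step: decode the checksum qualifier
// so the referenced tarball can be re-fetched and verified. Returns "" if absent.
func checksumFromPurl(purl string) string {
	u, err := url.Parse(purl) // scheme "pkg", opaque path, query decoded as usual
	if err != nil {
		return ""
	}
	return u.Query().Get("checksum")
}
```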
@xnox xnox force-pushed the external-purls branch from 4ac673f to cc6be13 on May 17, 2024 15:21
Member

@imjasonh imjasonh left a comment


This looks GREAT. A couple minor style nits I noticed before I realized this was a Draft. With some tests, I'd merge this soooo fast.

xnox added 2 commits May 17, 2024 22:45
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
@xnox xnox force-pushed the external-purls branch from f39c3b5 to 8714ab1 on May 17, 2024 21:45
xnox added 4 commits May 17, 2024 23:17
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
@xnox xnox force-pushed the external-purls branch from ddca2f6 to c03d88b on May 20, 2024 13:00
xnox added 2 commits May 20, 2024 14:32
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
@xnox xnox changed the title from "sbom: include external refs for fetched tarballs in SPDX" to "sbom: include external refs for fetched sourcecode in SPDX" on May 20, 2024
@xnox xnox marked this pull request as ready for review May 20, 2024 13:53
imjasonh
imjasonh previously approved these changes May 20, 2024
@xnox
Contributor Author

xnox commented May 20, 2024

Question: what I am not sure about is if these references should be added on the binary package, or if they should be added on each binary package, or on a separate source package.

I am not sure there is any value in splitting our "package" stanza into two, and adding relationships on how binary ones are generated from the source ones. Especially since these do not ship the source code itself, but are merely references. If and when we generate something that is downloadable and contains all the cached code, it might be worth documenting that as a standalone SPDX package with intent source.

@xnox xnox added the blocked indicates there are blocking issues that need to be addressed before progress can be made label May 20, 2024
@xnox
Contributor Author

xnox commented May 20, 2024

We need to assess how scanners will react to such a change.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
@xnox xnox force-pushed the external-purls branch from 550fcd5 to 2ff511f on May 22, 2024 09:52
@xnox
Contributor Author

xnox commented May 22, 2024

wolfictl scan passes with these changes to SPDX.

@xnox
Contributor Author

xnox commented May 22, 2024

```
2024/05/22 12:44:59 INFO adding external ref for ConfigFile
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xf3f60d]
```

har har har

@xnox xnox removed the blocked indicates there are blocking issues that need to be addressed before progress can be made label May 22, 2024
@xnox
Contributor Author

xnox commented May 22, 2024

I have locally rebuilt a collection of packages to make glibc-dynamic and cert-exporter images with updated SPDX. All existing tools and parsing mechanisms still work. And grype / syft all work correctly too without any adverse effects.

@xnox xnox merged commit e162d67 into chainguard-dev:main May 22, 2024
31 checks passed