Treat cosign SBOM and Attestation artifacts as "accessories" #17630
Comments
|
The OCI spec now supports "reference types". Cosign already has plans to support this new spec: sigstore/cosign#1397 It probably makes sense to base the "accessories" feature of Harbor on that spec eventually. |
|
Yes, currently Harbor does not recognize sbom, but we have plans to support it. We have been looking at reference support in OCI, but it is still not finalized. |
wy65701436
added
kind/requirement
|
Feel free to close this in favor of #17928 |
|
I don't know if I should open a new issue for this but SBOM in the CycloneDX format and uploaded by cosign in Harbor are not used for vulnerability scanning. It is listed as an accessory but nothing more. Re-running the vulnerability scan does not use the accessory SBOM. Of course, I analyzed my SBOM locally with Trivy and it found some vulnerabilities (which are not listed by Harbor) so I'm sure it's Harbor that does not use the accessory. I used the expirimental flags from cosign to upload the SBOM and attach it correctly: $ COSIGN_EXPERIMENTAL=1 COSIGN_OCI_EXPERIMENTAL=1 cosign attach sbom \
--sbom path/to/generated/bom.json \
--type cyclonedx \
--registry-referrers-mode oci-1-1 \
my-registry.example.com/workspace/image:tag |
|
@sambonbonne I feel like what you are describing is a completely different issue. In fact, I don't expect Harbor to use the uploaded SBOM for anything at all. I actually think this issue could be closed. When using the OCI 1.1 features of cosign, Harbor behaves exactly as I wanted it to pre-OCI-1.1. Unfortunately Cosign still doesn't support to push attestations as proper OCI artifacts, but this is probably just a matter of time and we are probably migrating to Notary v2 (ORAS) anyway, for exactly this reason. As soon as cosign supports OCI 1.1 for all its produced artifacts, there will be no need for Harbor to treat in-toto attestations as anything special. |
Since Harbor 2.5.0 there is support for Cosign signatures (:tada:). When viewed inside harbor, the signature-images are shown as an "Accessory":
That is a very nice presentation of the signature artifact! Another nice effect of handling signatures as "accessories" is the fact that Trivy doesn't try to scan the signature-image this way. This is a good thing, because Trivy cannot handle these images and errors out.
This is exactly what happens when using cosign to attach SBOMs (
cosign attach sbom ...) or attestations (cosign attest ...). Similar to signatures (tag-suffix.sig), cosign pushes SBOMs (tag-suffix.sbom) and attestations (tag-suffix.att) as additional artifacts.Unfortunately, Harbor currently doesn't know how to handle these sbom- and att-artifacts. They are not listed as accessories, so Trivy tries to scan them, resulting in ugly error messages. Here is an example for an
.sbomartifact:When I click on "View logs", the log shows this:
Because of this, I think
.attand.sbomartifacts should be treated as accessories, exactly the same way as.sigartifacts.Cosign uses the exact same naming conventions for
.sbomand.attartifacts as for.sigartifacts, only the suffix is different. There is probably a lot of existing code in Harbor that can be reused for this.Beware: SBOM and attestation-artifacts can have their own signatures-artifacts! If
.sbomand.attartifacts are handled as accessories, this means that they can have their own accessories. I don't know if or how nested accessories should be handled.Versions:
The text was updated successfully, but these errors were encountered: