Add sbom scanning command

docker-library · Oct 16, 2024 · 8a61755 · 8a61755
1 parent e22b5e2
commit 8a61755
Show file tree

Hide file tree

Showing 3 changed files with 108 additions and 15 deletions.
diff --git a/.test/meta-commands/out.sh b/.test/meta-commands/out.sh
@@ -53,6 +53,22 @@ jq '
 ' temp/index.json > temp/index.json.new
 mv temp/index.json.new temp/index.json
 # </build>
+# <sbom_scan>
+docker create --name img oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43@sha256:0432a4d379794811b4a2e01d0d3e67a9bcf95d6c2bf71545f03bce3f1d60f401
+docker export img > img.tar
+mkdir img
+mkdir sbom
+tar -xf img.tar -C img/
+docker run \
+	-u root \
+	--mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
+	-v ./sbom:/out \
+	-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
+	-e BUILDKIT_SCAN_DESTINATION=/out \
+	$BASHBREW_BUILDKIT_SBOM_GENERATOR
+subjects=$(echo "$json" | jq -r -L.scripts 'include "meta"; subjects(image_digest)')
+jq --argjson subjects "$subjects" '.subject |= $subjects' sbom/sbom.spdx.json > sbom.json
+# </sbom_scan>
 # <push>
 crane push temp 'oisupport/staging-amd64:4b199ac326c74b3058a147e14f553af9e8e1659abc29bd3e82c9c9807b66ee43'
 rm -rf temp
@@ -88,6 +104,22 @@ SOURCE_DATE_EPOCH=1700741054 \
 	--file 'Dockerfile' \
 	'https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/windows/windowsservercore-ltsc2022'
 # </build>
+# <sbom_scan>
+docker create --name img oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e@sha256:69aba7120e3f4014bfa80f4eae2cfc9698dcb6b8a5d64daf06de4039a19846ce
+docker export img > img.tar
+mkdir img
+mkdir sbom
+tar -xf img.tar -C img/
+docker run \
+	-u root \
+	--mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
+	-v ./sbom:/out \
+	-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
+	-e BUILDKIT_SCAN_DESTINATION=/out \
+	$BASHBREW_BUILDKIT_SBOM_GENERATOR
+subjects=$(echo "$json" | jq -r -L.scripts 'include "meta"; subjects(image_digest)')
+jq --argjson subjects "$subjects" '.subject |= $subjects' sbom/sbom.spdx.json > sbom.json
+# </sbom_scan>
 # <push>
 docker push 'oisupport/staging-windows-amd64:9b405cfa5b88ba65121aabdb95ae90fd2e1fee7582174de82ae861613ae3072e'
 # </push>
@@ -174,6 +206,22 @@ done
 jq -r --argjson sbomManifestDesc "$sbomManifestDesc" '.manifests += [ $sbomManifestDesc ]' temp/index.json > temp/index.json.new
 mv temp/index.json.new temp/index.json
 # </build>
+# <sbom_scan>
+docker create --name img oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f@sha256:4be429a5fbb2e71ae7958bfa558bc637cf3a61baf40a708cb8fff532b39e52d0
+docker export img > img.tar
+mkdir img
+mkdir sbom
+tar -xf img.tar -C img/
+docker run \
+	-u root \
+	--mount type=bind,source="$(pwd)/img",target=/run/src/core/sbom,readonly \
+	-v ./sbom:/out \
+	-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom \
+	-e BUILDKIT_SCAN_DESTINATION=/out \
+	$BASHBREW_BUILDKIT_SBOM_GENERATOR
+subjects=$(echo "$json" | jq -r -L.scripts 'include "meta"; subjects(image_digest)')
+jq --argjson subjects "$subjects" '.subject |= $subjects' sbom/sbom.spdx.json > sbom.json
+# </sbom_scan>
 # <push>
 crane push --index temp 'oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f'
 rm -rf temp

diff --git a/meta.jq b/meta.jq
@@ -369,6 +369,62 @@ def build_command:
 		error("unknown/unimplemented Builder: \($builder)")
 	end
 ;
+
+def subjects($digest):
+	[
+		($digest | split(":")) as $splitDigest
+		| (.source.arches[.build.arch].platformString) as $platform
+		| (
+			.source.arches[.build.arch].tags[],
+			.source.arches[.build.arch].archTags[],
+			.build.img,
+			.build.img_mock,
+			empty # trailing comma
+		)
+		| {
+			# https://github.com/package-url/purl-spec/blob/b33dda1cf4515efa8eabbbe8e9b140950805f845/PURL-TYPES.rst#docker (this matches what BuildKit generates as of 2024-09-18; "oci" would also be a reasonable choice, but would require signer and policy changes to support, and be more complex to generate accurately)
+			name: "pkg:docker/\(.)?platform=\($platform | @uri)",
+			digest: { ($splitDigest[0]): $splitDigest[1] },
+		}
+	]
+;
+
+# input: "build" object (with "buildId" top level key)
+def image_digest:
+	.build.resolved.manifests[0].digest
+;
+
+# input: "build" object (with "buildId" top level key)
+def image_ref:
+	"\(.build.img)@\(image_digest)"
+;
+
+# input: "build" object (with "buildId" top level key)
+# output: string "command for generating an SBOM from an OCI layout", may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
+def sbom_command:
+	[
+		"docker create --name img \(image_ref)",
+		"docker export img > img.tar",
+		"mkdir img",
+		"mkdir sbom",
+		"tar -xf img.tar -C img/",
+		(
+			[
+				"docker run",
+				"-u root",
+				"--mount type=bind,source=\"$(pwd)/img\",target=/run/src/core/sbom,readonly",
+				"-v ./sbom:/out",
+				"-e BUILDKIT_SCAN_SOURCE=/run/src/core/sbom",
+				"-e BUILDKIT_SCAN_DESTINATION=/out",
+				"$BASHBREW_BUILDKIT_SBOM_GENERATOR",
+				empty
+			] | join(" \\\n\t")
+		),
+		"jq '.subject |= \(subjects(image_digest))' sbom/sbom.spdx.json > sbom.json",
+		empty
+	] | join("\n")
+;
+
 # input: "build" object (with "buildId" top level key)
 # output: string "push command" ("docker push ..."), may be multiple lines, expects to run in Bash with "set -Eeuo pipefail"
 def push_command:
@@ -398,6 +454,7 @@ def commands:
 	{
 		pull: pull_command,
 		build: build_command,
+		sbom_scan: sbom_command,
 		push: push_command,
 	}
 ;
diff --git a/provenance.jq b/provenance.jq
@@ -1,3 +1,5 @@
+include "meta";
+
 # input: "build" object with platform and image digest
 #   $github: "github" context; CONTAINS SENSITIVE INFORMATION (https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context)
 #   $runner: "runner" context; https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#runner-context
@@ -9,21 +11,7 @@ def github_actions_provenance($github; $runner; $digest):
 	if $github.event_name != "workflow_dispatch" then error("error: '\($github.event_name)' is not a supported event type for provenance generation") else
 		{
 			_type: "https://in-toto.io/Statement/v1",
-			subject: [
-				($digest | split(":")) as $splitDigest
-				| (.source.arches[.build.arch].platformString) as $platform
-				| (
-					.source.arches[.build.arch].tags[],
-					.source.arches[.build.arch].archTags[],
-					.build.img,
-					empty # trailing comma
-				)
-				| {
-					# https://github.com/package-url/purl-spec/blob/b33dda1cf4515efa8eabbbe8e9b140950805f845/PURL-TYPES.rst#docker (this matches what BuildKit generates as of 2024-09-18; "oci" would also be a reasonable choice, but would require signer and policy changes to support, and be more complex to generate accurately)
-					name: "pkg:docker/\(.)?platform=\($platform | @uri)",
-					digest: { ($splitDigest[0]): $splitDigest[1] },
-				}
-			],
+			subject: subjects($digest),,
 			predicateType: "https://slsa.dev/provenance/v1",
 			predicate: {
 				buildDefinition: {