Fix issue preventing some SBOMs being fetched from Docker Hub #1119

Open · wants to merge 3 commits into main

Conversation

@willdollman (Contributor) commented Oct 16, 2024

Since we've cut the 5.8.1579 release, I've been able to retest `src sbom fetch` against Docker Hub - this was the first release to publish SBOMs to Docker Hub. This identified a few bugs that I didn't run into during the original limited testing; they are fixed in this PR:

  • Some images return the wrong digest due to a malformed Accept header
  • In some cases Cosign publishes multiline attestations

Test plan

  • Local testing - fetched full set of published SBOMs from Docker Hub
  • CI
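The first bug in the list above comes down to content negotiation. An OCI registry such as Docker Hub decides whether to return the multi-arch image index or a single-platform manifest from the media types the client lists in its Accept header, and the digest it reports in Docker-Content-Digest is the digest of whichever object it chose. cosign looks signatures and attestations up under a tag derived from the digest of the object that was signed (for a multi-arch image, normally the index), so a malformed or incomplete Accept header yields a digest that has no attestation behind it. The Go program below is an added example, not code from this PR or from src-cli: it sends a well-formed Accept header, refuses any reported digest that the response body does not hash to, and runs against a constructed in-process fake registry (`NewFakeRegistry`, `FakeIndex` and `FakeManifest` are this example's own names, as is the `tamper` switch used to simulate a lying registry) so it works offline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Media types to list in one comma-separated Accept header. Without the index
// types a registry hands back a per-platform manifest whose digest differs from
// the one that was signed, so the attestation lookup that follows finds nothing.
const (
	mtOCIIndex    = "application/vnd.oci.image.index.v1+json"
	mtDockerList  = "application/vnd.docker.distribution.manifest.list.v2+json"
	mtOCIManifest = "application/vnd.oci.image.manifest.v1+json"
)

// AcceptHeader returns a well-formed Accept value, index types first.
func AcceptHeader() string {
	return strings.Join([]string{mtOCIIndex, mtDockerList, mtOCIManifest}, ", ")
}

// DigestOf is the sha256 digest a registry reports in Docker-Content-Digest.
func DigestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// FetchManifestDigest GETs a manifest and returns the reported digest only after
// recomputing it from the body, so a digest the bytes do not hash to is never
// used to look up attestations.
func FetchManifestDigest(client *http.Client, url, accept string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Accept", accept)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("registry returned HTTP %d (%v)", resp.StatusCode, err)
	}
	got := resp.Header.Get("Docker-Content-Digest")
	if want := DigestOf(body); got != want {
		return "", fmt.Errorf("digest header %s does not match body digest %s", got, want)
	}
	return got, nil
}

// Constructed manifest bodies for the fake registry below (not real images).
var FakeIndex = []byte(`{"schemaVersion":2,"mediaType":"` + mtOCIIndex + `","manifests":[]}`)
var FakeManifest = []byte(`{"schemaVersion":2,"mediaType":"` + mtOCIManifest + `","layers":[]}`)

// NewFakeRegistry mimics the one behaviour that matters here: the index is served
// only when Accept names its media type, the platform manifest otherwise, each
// with its own digest. With tamper set it reports a digest the body does not match.
func NewFakeRegistry(tamper bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, mt := FakeManifest, mtOCIManifest
		for _, a := range strings.Split(r.Header.Get("Accept"), ",") {
			if strings.TrimSpace(a) == mtOCIIndex {
				body, mt = FakeIndex, mtOCIIndex
			}
		}
		reported := DigestOf(body)
		if tamper {
			reported = DigestOf(append([]byte("x"), body...))
		}
		w.Header().Set("Content-Type", mt)
		w.Header().Set("Docker-Content-Digest", reported)
		w.Write(body)
	}))
}

func main() {
	srv := NewFakeRegistry(false)
	defer srv.Close()
	url := srv.URL + "/v2/sourcegraph/frontend/manifests/5.8.1579"
	// The two requests differ only in Accept and come back with different digests.
	for _, accept := range []string{AcceptHeader(), mtOCIManifest} {
		d, err := FetchManifestDigest(srv.Client(), url, accept)
		fmt.Printf("Accept: %s\n  digest: %s err: %v\n", accept, d, err)
	}
}
```

The digest check is what turns a wrong Accept header from a confusing "no attestation found" into a hard error the moment a registry (or anything between the client and it) reports a digest for bytes it did not send; against Docker Hub the same function would be called with `https://registry-1.docker.io/v2/<repo>/manifests/<tag>` plus a bearer token, which this offline example omits.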

@willdollman willdollman self-assigned this Oct 16, 2024
@willdollman willdollman changed the title Will/SBOM fetch dockerhub bugfixes Fix issue preventing some SBOMs being fetched from Docker Hub Oct 16, 2024
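The second bug in the PR description, multiline attestations, is a parsing problem: the attestation material fetched for an image can carry more than one DSSE envelope, one JSON object per line, rather than a single JSON document. A parser that hands the whole body to a JSON decoder fails on the second line, and one that reads only the first line silently drops attestations, possibly the SBOM. The Go program below is an added example, not code from this PR or from src-cli; `MakeEnvelope`, `ParseAttestations` and `SelectSBOMs` are this example's own names. It builds a constructed two-line input, decodes each envelope's base64 payload into an in-toto statement and keeps only the SBOM predicate types (the SPDX and CycloneDX predicate type URIs are the real in-toto identifiers). Verifying the envelope signatures, which `cosign verify-attestation` does, is deliberately left out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dsseEnvelope is the DSSE envelope cosign wraps in-toto attestations in
// (signature fields omitted: verifying them is out of scope for this example).
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
}

// Statement is the subset of an in-toto statement needed to tell an SBOM
// attestation apart from, say, a provenance attestation.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// MakeEnvelope builds a constructed envelope line for a statement with the
// given predicateType; cosign emits one such JSON object per attestation.
func MakeEnvelope(predicateType string) string {
	stmt, _ := json.Marshal(Statement{Type: "https://in-toto.io/Statement/v0.1", PredicateType: predicateType, Predicate: json.RawMessage(`{}`)})
	env, _ := json.Marshal(dsseEnvelope{PayloadType: "application/vnd.in-toto+json", Payload: base64.StdEncoding.EncodeToString(stmt)})
	return string(env)
}

// ParseAttestations accepts a single envelope or several newline-delimited
// envelopes and returns every decoded statement, failing loudly on any line
// that is not an in-toto DSSE envelope rather than skipping it.
func ParseAttestations(data []byte) ([]Statement, error) {
	var out []Statement
	for i, line := range strings.Split(string(data), "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var env dsseEnvelope
		if err := json.Unmarshal([]byte(line), &env); err != nil {
			return nil, fmt.Errorf("line %d: not a DSSE envelope: %w", i+1, err)
		}
		if env.PayloadType != "application/vnd.in-toto+json" {
			return nil, fmt.Errorf("line %d: unexpected payloadType %q", i+1, env.PayloadType)
		}
		raw, err := base64.StdEncoding.DecodeString(env.Payload)
		if err != nil {
			return nil, fmt.Errorf("line %d: payload is not base64: %w", i+1, err)
		}
		var stmt Statement
		if err := json.Unmarshal(raw, &stmt); err != nil {
			return nil, fmt.Errorf("line %d: payload is not an in-toto statement: %w", i+1, err)
		}
		out = append(out, stmt)
	}
	return out, nil
}

// SelectSBOMs keeps only statements whose predicateType is a known SBOM format.
func SelectSBOMs(stmts []Statement) []Statement {
	var out []Statement
	for _, s := range stmts {
		switch s.PredicateType {
		case "https://spdx.dev/Document", "https://cyclonedx.org/bom":
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Constructed input: a provenance attestation and an SBOM on consecutive
	// lines, with the trailing newline cosign's output can carry.
	blob := MakeEnvelope("https://slsa.dev/provenance/v1") + "\n" + MakeEnvelope("https://spdx.dev/Document") + "\n"
	stmts, err := ParseAttestations([]byte(blob))
	fmt.Println(len(stmts), "attestations,", len(SelectSBOMs(stmts)), "SBOM(s), err:", err)
}
```

Iterating every line before deciding which statement is the SBOM is the whole fix; a first-line-only reader would have returned the provenance statement here and reported the image as having no SBOM.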
@willdollman (Contributor, Author) commented Oct 16, 2024

Fetching full set of SBOMs from Docker Hub:

> go run ./cmd/src sbom fetch -v 5.8.1579
Fetching SBOMs and validating signatures for all 39 images in the Sourcegraph 5.8.1579 release...

✅ sourcegraph/appliance
✅ sourcegraph/batcheshelper
✅ sourcegraph/bundled-executor
✅ sourcegraph/cody-gateway
✅ sourcegraph/executor
✅ sourcegraph/executor-kubernetes
✅ sourcegraph/frontend
✅ sourcegraph/gitserver
✅ sourcegraph/migrator
✅ sourcegraph/precise-code-intel-worker
✅ sourcegraph/repo-updater
✅ sourcegraph/searcher
✅ sourcegraph/server
✅ sourcegraph/symbols
✅ sourcegraph/worker
✅ sourcegraph/alpine-3.14
✅ sourcegraph/appliance-frontend
✅ sourcegraph/blobstore
✅ sourcegraph/caddy
✅ sourcegraph/cadvisor
✅ sourcegraph/codeinsights-db
✅ sourcegraph/codeintel-db
✅ sourcegraph/dind
✅ sourcegraph/executor-vm
✅ sourcegraph/grafana
✅ sourcegraph/indexed-searcher
✅ sourcegraph/jaeger-agent
✅ sourcegraph/jaeger-all-in-one
✅ sourcegraph/node-exporter
✅ sourcegraph/opentelemetry-collector
✅ sourcegraph/postgres-12-alpine
✅ sourcegraph/postgres_exporter
✅ sourcegraph/prometheus
✅ sourcegraph/redis-cache
✅ sourcegraph/redis-store
✅ sourcegraph/redis_exporter
✅ sourcegraph/search-indexer
✅ sourcegraph/sg
✅ sourcegraph/syntax-highlighter

🟢 Fetched verified SBOMs for 39 images

Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.8.1579`.

Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used.

@willdollman willdollman marked this pull request as ready for review October 16, 2024 21:59
@willdollman willdollman requested a review from a team as a code owner October 16, 2024 21:59