[SBOM] Attestation is missing a subject with digest #3528
Comments
The CycloneDX format has a hashes attribute: https://cyclonedx.org/docs/1.4/json/#metadata_component_hashes the file name could be encoded in https://cyclonedx.org/docs/1.4/json/#metadata_component_properties
hmm actually the way the sbom is currently organized is that it captures all artifacts for a specific architecture in a single file
the top level component indicates the product (Eclipse Temurin), version and architecture it has been built for. The individual artifacts that are produced are captured in the components array. So ideally the hashes information and file name should be added there. Additionally, checking the existing sboms, I could only find the JDK component in the array of components, I would expect also the JRE (and the other mentioned) component to appear there.
@netomi yes, we need to add the "Artifact" and SHA to the "Eclipse Temurin" Component. As with any generic schema, we need to work out how to encode it. I think we probably need to add a sub-Component object to the "Eclipse Temurin" Component for each Artifact, and for each Artifact Component uses the hashes field. (https://cyclonedx.org/docs/1.5/json/#components_items_components)
While looking in the sbom files for further validation, I noticed that currently there is no subject with digest stored in the sbom. See https://slsa.dev/attestation-model for terminology.
Without such a subject you will not be able to associate an sbom with an artifact and validate that a certain artifact (identified by its digest) is attested by the provenance that is provided (the sbom in the case of temurin).
Currently the sbom contains that information:
we should add there the sha256 hash and also the filename of the artifact as generated during the build.
I can create a PR to add this and also update the validate script accordingly.
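The encoding proposed in the thread (one sub-component per produced artifact under the top-level "Eclipse Temurin" component, each carrying its file name and SHA-256 in the CycloneDX `hashes` field) and the matching validation step, as an added example that is not code from the temurin-build project. The artifact bytes, file names and version string are constructed placeholders; the `build_sbom`, `find_subject` and `verify_artifact` functions are hypothetical names chosen for this example. Validation works the way a SLSA-style consumer would check a subject: hash the file you actually hold, then look for a component attesting that exact digest.

```python
"""Added example: encode per-artifact file names and SHA-256 digests as
sub-components of the top-level component in a CycloneDX 1.5 JSON
document, and verify an artifact against it by digest."""
import hashlib
import json
from typing import Optional

# Constructed stand-in artifacts; a real build would hash the produced tarballs.
ARTIFACTS = {
    "jdk-example.tar.gz": b"constructed jdk bytes",
    "jre-example.tar.gz": b"constructed jre bytes",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the given bytes, the digest form used as the subject id."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(product: str, version: str, artifacts: dict) -> dict:
    """Build a minimal CycloneDX 1.5 document whose metadata.component carries
    one nested component per artifact, each with its file name and SHA-256."""
    sub_components = [
        {
            "type": "file",
            "name": filename,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        }
        for filename, data in artifacts.items()
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {
                "type": "application",
                "name": product,
                "version": version,  # placeholder version string
                "components": sub_components,
            }
        },
    }


def find_subject(sbom: dict, digest_hex: str) -> Optional[dict]:
    """Return the nested component whose SHA-256 equals digest_hex, else None.
    Comparison is case-insensitive because hex digests are often uppercased."""
    top = sbom.get("metadata", {}).get("component", {})
    for comp in top.get("components", []):
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256" and h.get("content", "").lower() == digest_hex.lower():
                return comp
    return None


def verify_artifact(sbom: dict, artifact_bytes: bytes) -> Optional[str]:
    """Hash the artifact actually held and return the attested file name,
    or None when the SBOM does not attest this exact artifact."""
    comp = find_subject(sbom, sha256_hex(artifact_bytes))
    return comp["name"] if comp else None


if __name__ == "__main__":
    bom = build_sbom("Eclipse Temurin", "17.0.0+0", ARTIFACTS)  # placeholder version
    print(json.dumps(bom, indent=2))
    for name, data in ARTIFACTS.items():
        print(name, "->", verify_artifact(bom, data))
    # A modified artifact has a different digest and matches no subject.
    print("tampered ->", verify_artifact(bom, b"tampered"))
```

The negative case is the important one: a consumer that only checks that an SBOM exists for the product, rather than that it names the digest of the file in hand, cannot tell a genuine artifact from a modified one.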