Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upload SBOM directly to OCI registry #592

Open
developer-guy opened this issue Oct 26, 2021 · 17 comments
Open

Upload SBOM directly to OCI registry #592

developer-guy opened this issue Oct 26, 2021 · 17 comments
Assignees
Labels

Comments

@developer-guy
Copy link
Contributor

developer-guy commented Oct 26, 2021

What would you like to be added:

cosign supports attaching SBOMs to OCI registries1 (also has a spec for it 2), so we (w/@Dentrax) thought that it would be nice to have the same one for Syft, here is the design that we thought.

$ syft packages <image> -o oci://<repository>/<image>

Why is this needed:

Additional context:

cc: @dlorenc @luhring

Footnotes

  1. https://github.com/sigstore/cosign/blob/1f67ea73113f76c62429aa605d75105d77c370fa/cmd/cosign/cli/attach.go#L57

  2. https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md

@developer-guy developer-guy added the enhancement New feature or request label Oct 26, 2021
@developer-guy
Copy link
Contributor Author

we (w/@Dentrax) are the volunteers of this issue, btw 😍

@luhring
Copy link
Contributor

luhring commented Oct 26, 2021

we (w/@Dentrax) are the volunteers of this issue, btw

Awesome!!!!

@luhring
Copy link
Contributor

luhring commented Oct 26, 2021

I think this feature would be related to #510 — having Syft perform a Cosign-style attest operation, and putting the attestation into the OCI registry.

As far as CLI syntax, for #510 we realized that we want this to be separate from the format flag (-o), since users still might need a choice for format of the SBOM. We landed on introducing a new attest subcommand, to which we could attach relevant configuration for performing the attestation.

My two cents: a similar approach would make sense for Syft following the cosign attach sbom ... process:

syft attach <image>

Thinking that <image> would specify a container image URL, Syft could use this reference to know where to push the attachment, similar to what happens in Cosign.

What do you think?

@developer-guy
Copy link
Contributor Author

yeah, SGTM, we (w/@Dentrax) can make it happen if you all agree on this attach command. We can start working on it ASAP.

Let me summarize the steps that we are going to take:

  1. Create a new command called attach.
  2. Take a container image URL as an argument.
  3. Generate an SBOM file for an image, and upload it to the OCI registry (maybe using cosign under the hood)

is that all we need @luhring, WDYT?

@luhring
Copy link
Contributor

luhring commented Dec 1, 2021

@developer-guy I think so! If we think of any more considerations, we'll put them here 😃

Thanks for taking this on. 🙏

Reach out at any point if it's not obvious to how use the existing patterns or Syft API for what you're doing and we'll jump in to take a look ❤️

@Dentrax
Copy link

Dentrax commented Dec 7, 2021

My two cents: a similar approach would make sense for Syft following the cosign attach sbom ... process:

syft attach <image>

I think making attach as a separated command would be making logic a bit hard to implement since packagesExec() function in packages.go file requires an image as an input argument. (We expect an SBOM to be generated before pass into cosign/attach command.)

The better UX IMHO would be passing a --attach flag in packages command. By this design, it'd be easier to call cosign/attach (if bool flag passed) just after bus.Publish in packagesExecWorker() func.

By the way, a new attach command could be useful in case we want to pass a pre-generated SBOM file. So we would not be necessary to generate SBOM in the attach command.

cc: @developer-guy

@luhring
Copy link
Contributor

luhring commented Dec 8, 2021

(We expect an SBOM to be generated before pass into cosign/attach command.)

Absolutely. On the implementation side, we can generate an SBOM in multiple execution paths. So we could make sure the attach command has an SBOM created before we invoke cosign's "attach" functionality, which should be all we need to do.

Another reason why attach makes sense as a new command is that it has its own distinct configuration needs, such as "write" access to registries (Syft's other commands don't require this), whether or not to override an existing attachment, etc.

I think the attest and attach functions should probably look the same on the command line, meaning they should either both be subcommands or they should both be flags, or else it might be confusing to users. IMHO, choosing to implement these as subcommands is more inline with the direction Syft is heading (see #516). cc: @wagoodman and @spiffcs for fact-checking me on this! 😄

By the way, a new attach command could be useful in case we want to pass a pre-generated SBOM file. So we would not be necessary to generate SBOM in the attach command.

I'm not sure I understand this part. If an SBOM has already been generated, why would users want to do the "attach" with syft instead of just using cosign attach?

@wagoodman wagoodman changed the title add new OCI output format upload SBOM directory to OCI registry Jan 6, 2022
@wagoodman wagoodman changed the title upload SBOM directory to OCI registry Upload SBOM directly to OCI registry Jan 6, 2022
@sambhav
Copy link
Contributor

sambhav commented Jan 6, 2022

This was discussed in the Anchore community WG meeting today (notes available at https://docs.google.com/document/d/1ZtSAa6fj2a6KRWviTn3WoJm09edvrNUp4Iz_dOjjyY8/edit ) -

These were the options that were proposed -

  1. We could implement this in syft
  2. We could continue to let cosign handle SBOM/attachment
    • we could explicitly document how the two tools interact in the syft docs (or even in the cosign docs?) so as to let users know that they can work with each other
    • Since cosign accepts sbom via stdin, this would allow syft to directly upload an sbom to the registry via syft packages <image> -o json | cosign attach sbom <image> --sbom - --type syft. This also follows the unix philosophy of one tool doing one thing well, while being able to be chained with other tools

In the WG meeting, people were leaning towards the latter + clear documentation to note that syft is compatible with cosign unless there are some other advantages to natively supporting cosign in syft that we missed.

@dlorenc
Copy link
Contributor

dlorenc commented Jan 6, 2022

The cosign behavior is documented here as a "spec", with the intention of being interoperable!

https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md

Either approach sounds great to me.

@sambhav
Copy link
Contributor

sambhav commented Jan 6, 2022

Added sigstore/cosign#1278 to update the spec as well

@luhring
Copy link
Contributor

luhring commented Feb 2, 2022

Just catching up — if we're going with option 2 from the comment above, does that mean there's no work in Syft code for this any more, and it's just documentation? (of the flow for syft ... | cosign attach sbom ...?)

@sambhav
Copy link
Contributor

sambhav commented Feb 2, 2022

@luhring that's correct :) sigstore/cosign#1137 and sigstore/cosign#1278 handle the syft support and documentation on the cosign side. We just need to do the same at https://github.com/anchore/syft#adding-an-sbom-to-an-image-as-an-attestation to also mention sbom attachments

@luhring
Copy link
Contributor

luhring commented Feb 2, 2022

Perfect, thanks @samj1912!

@spiffcs spiffcs added this to OSS May 31, 2022
@spiffcs spiffcs moved this to Triage (Comments or Progress Made) in OSS May 31, 2022
@developer-guy
Copy link
Contributor Author

Hi folk, as @samj1912 said, syft is now capable of uploading SBOM in form of in-toto attestation format to the registries, also, there is another option like "cosign attach", but AFAIK, there is still no direct support for uploading SBOMs to the OCI registries. Maybe, we could add another output option like "oci" to support this, the UX would be:

# will upload SBOM in a json format by using "application/vnd.syft+json" mediaType
$ syft packages alpine:latest -o json --upload/export oci://devopps/my-sbom-img 

@Dentrax @luhring

@Dentrax
Copy link

Dentrax commented Jun 13, 2022

We could not decide which UX is better @developer-guy:

$ syft packages alpine:latest -o json --upload/export/attach oci://devopps/my-sbom-img
-- or --
$ syft packages alpine:latest --attach

BREAKING CHANGE: Introduce --format flag

If we add oci in the --output as a new type, we lost the format information since we only select one output format. (i.e., json, xml)

That's why we need to introduce a new flag called: --format:

  • formats: syft-json cyclonedx-xml cyclonedx-json spdx-json table text github-json spdx-tag-value
  • outputs: file github oci

Some help needed here! @luhring

@developer-guy
Copy link
Contributor Author

kindly ping

@kzantow
Copy link
Contributor

kzantow commented Nov 13, 2024

From discussion:

  • using oci could mean a number of different things, so we should tread carefully with naming, for example does this mean OCI Reference Types or OCI Attachments?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: No status
Development

No branches or pull requests

7 participants