@willdollman willdollman (Contributor) commented Oct 8, 2024

Add new src sbom command to allow customers to fetch and verify SBOMs.

This command will fetch SBOMs from our container registry, and validate them against a published public key.

To test this out locally:

$ go run ./cmd/src sbom fetch -v 5.8.287 --internal --insecure-ignore-tlog

Fetching SBOMs and validating signatures for all 55 images in the Sourcegraph 5.8.287 release...

⚠️ WARNING: Transparency log verification is disabled, increasing the risk that SBOMs may have been tampered with.
This setting should only be used for testing or under explicit instruction from Sourcegraph.

✅ us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/appliance
✅ us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/batcheshelper
✅ us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal/bundled-executor
[...]

This will be followed by customer-facing docs around using this command.

Test plan

  • Relying on CI
  • Manual testing. This command is very reliant on external services, so building full testing seems disproportionate to the complexity.
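An added example, not code from this PR or from the src CLI, showing the verification logic the description outlines: a fetched SBOM's signature is checked against a published public key, and transparency-log verification is required unless the caller explicitly opts out (the --insecure-ignore-tlog mode). The signature scheme (ECDSA P-256 over a SHA-256 digest), the throwaway key pair, the sample CycloneDX document and the tlogVerified stand-in for a real transparency-log lookup are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VerifySBOM checks an ECDSA P-256 signature over the SHA-256 digest of the raw SBOM
// bytes against the published public key, then applies the transparency-log policy: a bad
// signature always fails; a missing tlog entry fails unless the caller opted out (assumed scheme).
func VerifySBOM(pub *ecdsa.PublicKey, sbom, sig []byte, tlogVerified, ignoreTlog bool) error {
	digest := sha256.Sum256(sbom)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match SBOM contents")
	}
	if !tlogVerified && !ignoreTlog {
		return errors.New("no verified transparency log entry for this SBOM")
	}
	return nil
}

// Demo signs a constructed SBOM with a throwaway key pair (hypothetical publisher key) and returns each case's error.
func Demo() (good, tampered, noTlog, ignoredTlog error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sbom := []byte(`{"bomFormat":"CycloneDX","components":[{"name":"demo","version":"1.0.0"}]}`) // constructed
	digest := sha256.Sum256(sbom)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	good = VerifySBOM(&priv.PublicKey, sbom, sig, true, false)
	forged := append([]byte(nil), sbom...)
	forged[len(forged)-5] ^= 0x01 // flip one bit inside the version string
	tampered = VerifySBOM(&priv.PublicKey, forged, sig, true, false)
	noTlog = VerifySBOM(&priv.PublicKey, sbom, sig, false, false)     // default: refuse without a tlog entry
	ignoredTlog = VerifySBOM(&priv.PublicKey, sbom, sig, false, true) // --insecure-ignore-tlog behaviour
	return
}

func main() {
	fmt.Println(Demo())
}
```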

@willdollman willdollman self-assigned this Oct 8, 2024
@willdollman willdollman marked this pull request as ready for review October 10, 2024 16:33
@willdollman willdollman requested a review from a team October 10, 2024 16:33
@camdencheek camdencheek (Member) left a comment


LGTM! Left a fairly cursory review, let me know if you were looking for anything more in depth.


var spinnerChars = []rune{'⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏'}

func spinner(name string, stop chan bool) {
Member


Nice touch!
