
Comments (18)

mikhailswift commented on June 4, 2024

Apologies for the delay on this -- got the SBOM creation code cleaned up and a PR up. Working on functionality to display the SBOMs to users now.

from zarf.

mikhailswift commented on June 4, 2024

Just a heads up since I can't assign myself here: I'm currently working this issue.

mikhailswift commented on June 4, 2024

https://github.com/spdx/tools-golang

Leaving this here for further reference as a potentially useful lib

jeff-mccoy commented on June 4, 2024

Thanks @mikhailswift I’ve been eyeing that too as @runyontr suggested it might be good to have spdx be a consumer target at some point for package creation. Thanks!

mikhailswift commented on June 4, 2024

Still a WIP, but wanted to give a quick update. Currently have SBOM generation working for images during package creation. I left some more details in the commit message

testifysec@be62817

Edit: And attaching an example of one of the SBOMs generated for the tiny-kafka example: https://gist.github.com/mikhailswift/3dd402abc5afecba27cb3cf7f92d1d52

It's uhh... pretty long lol

jeff-mccoy commented on June 4, 2024

Thanks @mikhailswift, this is very exciting! I had played with syft a little last month because I really like the feedback they provide on image pull. Have you stumbled across that code at all yet in your exploration? #3 has been sitting out for a while needing some love and I had planned to check out how syft was doing it later on.

mikhailswift commented on June 4, 2024

I ran into a bit of their progress updating, yes. They're using go-partybus (heh, familiar name) as an event bus to provide progress updates to any subscribers. Both syft and stereoscope allow you to pass in your own instance of go-partybus to subscribe to their events.

I tapped into this a bit to get updates during the cataloging process and to make sure syft was reading the image layers from the tarball and not reaching out to the registry and pulling layers again.

We should be able to use similar tactics to provide better feedback during Zarf's processes. I can take a look at it tomorrow.

It also feels a bit bad to be pulling images, tarring them up, only to subsequently iterate over the tar a second time. I played a little bit with trying to catalog images as we pulled them before tarring them but would have to revisit that.

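The two mechanisms discussed in the comments above (cataloging an image from the tarball Zarf already wrote rather than pulling layers from the registry again, and reporting progress per layer over an event channel the way syft does through go-partybus), as an added, self-contained Go example. This is not Zarf's, syft's or witness's code and it is not the SBOM output linked in the earlier comment: it parses a `docker save` style tarball with the standard library only, hashes every regular file in each layer and emits a minimal SPDX 2.3 document. The plain `chan string` stands in for a go-partybus subscription, and the SPDX field subset, the `SampleImageTar` test data and every function name here are assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
)

type SPDXFile struct { // one SPDX 2.3 file entry; only the fields this example emits
	FileName  string              `json:"fileName"`
	SPDXID    string              `json:"SPDXID"`
	Checksums []map[string]string `json:"checksums"`
}
type SPDXDoc struct { // document-level SPDX 2.3 fields, again a minimal subset
	SPDXVersion string     `json:"spdxVersion"`
	SPDXID      string     `json:"SPDXID"`
	Name        string     `json:"name"`
	Files       []SPDXFile `json:"files"`
}

// eachFile calls fn for every regular file in a tar stream, in archive order.
func eachFile(r io.Reader, fn func(name string, body []byte)) error {
	tr := tar.NewReader(r)
	for {
		h, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if h.Typeflag != tar.TypeReg {
			continue // directories, symlinks and whiteout markers are not files to hash
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return err
		}
		fn(h.Name, body)
	}
}

// CatalogImageTar reads a `docker save` style tarball entirely from r (it never contacts a registry),
// walks the layers named in manifest.json in order and lists every regular file with its SHA-256.
func CatalogImageTar(r io.Reader, name string, events chan<- string) (*SPDXDoc, error) {
	outer := map[string][]byte{} // whole tarball in memory: manifest.json may follow the layers
	if err := eachFile(r, func(path string, body []byte) { outer[path] = body }); err != nil {
		return nil, err
	}
	var manifest []struct{ Layers []string }
	if err := json.Unmarshal(outer["manifest.json"], &manifest); err != nil || len(manifest) == 0 {
		return nil, fmt.Errorf("manifest.json missing, invalid or empty: %v", err)
	}
	doc := &SPDXDoc{SPDXVersion: "SPDX-2.3", SPDXID: "SPDXRef-DOCUMENT", Name: name}
	for _, layer := range manifest[0].Layers {
		data, ok := outer[layer]
		if !ok {
			return nil, fmt.Errorf("manifest references missing layer %q", layer)
		}
		err := eachFile(bytes.NewReader(data), func(path string, body []byte) {
			doc.Files = append(doc.Files, SPDXFile{
				FileName:  "./" + path,
				SPDXID:    fmt.Sprintf("SPDXRef-File-%d", len(doc.Files)),
				Checksums: []map[string]string{{"algorithm": "SHA256", "checksumValue": fmt.Sprintf("%x", sha256.Sum256(body))}},
			})
		})
		if err != nil {
			return nil, err
		}
		if events != nil { // one progress message per layer, the go-partybus role in this example
			events <- fmt.Sprintf("cataloged %s (%d files so far)", layer, len(doc.Files))
		}
	}
	return doc, nil
}

// buildTar packs (name, body) pairs into an uncompressed tar in the given order.
func buildTar(entries [][2]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		tw.WriteHeader(&tar.Header{Name: e[0], Mode: 0644, Size: int64(len(e[1])), Typeflag: tar.TypeReg})
		tw.Write([]byte(e[1]))
	}
	tw.Close()
	return buf.Bytes()
}

// SampleImageTar is constructed test data: a two-layer docker-save tarball built in memory, manifest last.
func SampleImageTar() []byte {
	layer1 := buildTar([][2]string{{"etc/os-release", "ID=alpine\n"}, {"bin/sh", "#!/bin/sh\n"}})
	layer2 := buildTar([][2]string{{"usr/bin/kafka", "placeholder binary\n"}})
	manifest, _ := json.Marshal([]map[string][]string{{"Layers": {"l1/layer.tar", "l2/layer.tar"}}})
	return buildTar([][2]string{{"l1/layer.tar", string(layer1)}, {"l2/layer.tar", string(layer2)}, {"manifest.json", string(manifest)}})
}
```

Call `CatalogImageTar(bytes.NewReader(SampleImageTar()), "tiny-kafka", events)` with a buffered channel and `json.MarshalIndent` the result to see the document. Two things a real generator handles that this example deliberately does not: it lists files per layer without applying whiteouts, so a file deleted in a later layer still appears, and it identifies files by hash only, without the package-level (apk, deb, pypi) cataloging that syft adds on top of the file walk.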

jeff-mccoy commented on June 4, 2024

yeah agreed double tar is a little gross. I'm not beholden to tar vs say OCI for transporting either, just was a simple/clean way initially with K3s. I may explore that later on too, look forward to what you find out around image pulling.

YrrepNoj commented on June 4, 2024

@jeff-mccoy just wanted to confirm that this issue can be closed based on this commit?

29ec64c

Never mind, this was an old commit from when the repo was on GitLab and it references GitLab issue 22. This got re-pinged when we did the master push and I thought it was coming with the recent PR merge. Disregard.

jeff-mccoy commented on June 4, 2024

Met with @mikhailswift on Monday to talk through this and he's actively working this again, going to touch base in a couple weeks, but he'll update the issue as it's being worked.

jeff-mccoy commented on June 4, 2024

Any update on this work @mikhailswift?

mikhailswift commented on June 4, 2024

Sorry, just catching up on notifications this morning.

So far it's going well. I'll get the code cleaned up and will link the commits here to show what I'm doing.

Currently working on making sure SBOMs are being generated for images at the most opportune time in Zarf's code.

jeff-mccoy commented on June 4, 2024

Copy thanks!

anoncam commented on June 4, 2024

@jeff-mccoy https://github.com/tern-tools/tern

I also highly recommend https://github.com/awesomeSBOM/awesome-sbom

jeff-mccoy commented on June 4, 2024

Thanks @anoncam, Python is a deal-breaker as we need statically-linked cross-compiled binaries only; will keep tabs on the second link.

mikhailswift commented on June 4, 2024

We're currently working on SBOM generation directly in witness w/o Zarf to remove the massive dependencies that syft brings.

jeff-mccoy commented on June 4, 2024

We'll need more details on that too. Syft has several teams adopting it and I want to make sure that we know what we are bringing in and when we are choosing more common tools vs not.

anoncam commented on June 4, 2024

@jeff-mccoy I think another item needs to be captured, which is standardizing across the industry to better support interoperability with various components. SLSA seems like a good starting point to dive a little more meaningfully into this process.
