Comments (18)
Apologies for the delay on this -- got the SBOM creation code cleaned up and a PR up. Working on functionality to display the SBOMs to users now.
from zarf.
Just a heads up since I can't assign myself here: I'm currently working this issue.
from zarf.
https://github.com/spdx/tools-golang
Leaving this here for further reference as a potentially useful lib
from zarf.
Thanks @mikhailswift I’ve been eyeing that too as @runyontr suggested it might be good to have spdx be a consumer target at some point for package creation. Thanks!
from zarf.
Still a WIP, but wanted to give a quick update. Currently have SBOM generation working for images during package creation. I left some more details in the commit message.
Edit: And attaching an example of one of the SBOMs generated for the tiny-kafka example: https://gist.github.com/mikhailswift/3dd402abc5afecba27cb3cf7f92d1d52
It's uhh... pretty long lol
from zarf.
Thanks @mikhailswift this is very exciting! I had played with syft a little last month because I really like the feedback they provide on image pull, have you stumbled across that code at all yet in your exploration? #3 has been sitting out for a while needing some love and I had planned to check out how syft was doing it later on.
from zarf.
I ran into a bit of their progress updating, yes. They’re using go-partybus (heh, familiar name) as an event bus to provide progress updates to any subscribers. Both syft and stethoscope allow you to pass in your own instance of go-partybus to subscribe to their events.
I tapped into this a bit to get updates during the cataloging process and to make sure syft was reading the image layers from the tar ball and not reaching out to the registry and pulling layers again.
We should be able to use similar tactics to provide better feedback during Zarf's processes. I can take a look at it tomorrow.
It also feels a bit bad to be pulling images, tarring them up, only to subsequently iterate over the tar a second time. I played a little bit with trying to catalog images as we pulled them before tarring them but would have to revisit that.
from zarf.
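The check described in the comment above (confirming that the cataloger can be fed the saved tarball alone, without reaching back to the registry), as an added Go example that is not part of Zarf, syft or this thread: it indexes a `docker save` style archive in a single pass and reports every blob the manifest references but the tar lacks. The manifest layout, blob names and blob contents are constructed for the example.

```go
package main
import (
	"archive/tar"
	"bytes"
	"encoding/json"
	"io"
)
// MissingBlobs streams a `docker save` style tarball once and returns every blob that manifest.json
// references but the archive lacks (the case where a cataloger would fall back to the registry).
func MissingBlobs(r io.Reader) ([]string, error) {
	var manifest []struct{ Config string; Layers []string } // encoding/json matches names case-insensitively
	tr, present := tar.NewReader(r), map[string]bool{}
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		present[hdr.Name] = hdr.Typeflag == tar.TypeReg // index names only; Next() skips blob bodies
		if hdr.Name == "manifest.json" {
			if err := json.NewDecoder(tr).Decode(&manifest); err != nil {
				return nil, err
			}
		}
	}
	refs := []string{"manifest.json"} // a tar without a manifest is reported, never passed
	for _, m := range manifest {
		refs = append(append(refs, m.Config), m.Layers...)
	}
	var missing []string
	for _, ref := range refs {
		if !present[ref] {
			missing = append(missing, ref)
		}
	}
	return missing, nil
}
// BuildSampleTar constructs a `docker save` shaped archive (not a real image) whose manifest references cfg.json and layer1/layer.tar; only the named blobs are written.
func BuildSampleTar(blobs ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	bodies := map[string]string{"manifest.json": `[{"Config":"cfg.json","Layers":["layer1/layer.tar"]}]`}
	for _, b := range blobs {
		bodies[b] = "constructed bytes for " + b
	}
	for name, body := range bodies {
		tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Size: int64(len(body))})
		tw.Write([]byte(body))
	}
	tw.Close()
	return buf.Bytes()
}
```

Because the builder writes entries in map order, the check also exercises manifests that appear after their blobs, which is why names are indexed first and compared only after the whole archive has been read.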
Yeah, agreed, double tar is a little gross. I'm not beholden to tar vs say OCI for transporting either, just was a simple/clean way initially with K3s. I may explore that later on too, look forward to what you find out around image pulling.
from zarf.
@jeff-mccoy just wanted to confirm that this issue can be closed based on this commit?
Never mind, this was an old commit when the repo was on GitLab and references the GitLab issue 22. This got re-pinged when we did the master push and I thought it was coming with the recent PR merge. Disregard.
from zarf.
Met with @mikhailswift on Monday to talk through this and he's actively working this again, going to touch base in a couple weeks, but he'll update the issue as it's being worked.
from zarf.
Any update on this work @mikhailswift?
from zarf.
Sorry, just catching up on notifications this morning.
So far it's going well. I'll have to get the code cleaned up and will link the commits here to show what I'm doing.
Currently working on making sure SBOMs are being generated for images at the most opportune time in Zarf's code.
from zarf.
Copy thanks!
from zarf.
@jeff-mccoy https://github.com/tern-tools/tern
I also highly recommend https://github.com/awesomeSBOM/awesome-sbom
from zarf.
Thanks @anoncam, Python is a deal-breaker as we need statically-linked cross-compiled binaries only, will keep tabs on the second link.
from zarf.
We're currently working on SBOM generation directly in witness w/o Zarf to remove the massive dependencies that syft brings.
from zarf.
We'll need more details on that too. Syft has several teams adopting it and I want to make sure that we know what we are bringing in and when we are choosing more common tools vs not.
from zarf.
@jeff-mccoy I think another item needs to be captured, which is standardizing across the industry to better support interoperability with various components. SLSA seems like a good starting point to dive a little more meaningfully into this process.
from zarf.