Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Attach SBOMs to images in the container registry #5515

Open
lbussell opened this issue May 29, 2024 · 3 comments
Open

Attach SBOMs to images in the container registry #5515

lbussell opened this issue May 29, 2024 · 3 comments

Comments

@lbussell
Copy link
Contributor

We can use the ORAS tool to directly attach SBOMs to our images in our container registry. This makes the content of our images more discoverable and opens up the possibility for automation based on the SBOM (for example, rebuilds when we have CVEs or package updates). This can decouple the "scanning" of the image from the actions based on that scan.

SBOMs are an attestation/supply chain artifact and can also be signed:

image

Example

SBOM Discovery

$ oras discover -o tree $IMAGE

myregistry.azurecr.io/net-monitor:v1
├── sbom/example
│   └── sha256:4f1843833c029ecf0524bc214a0df9a5787409fd27bed2160d83f8cc39fedef5
│       └── signature/example
│           └── sha256:3c43b8cb0c941ec165c9f33f197d7f75980a292400d340f1a51c6b325764aa93
├── readme/example
│   └── sha256:5fafd40589e2c980e2864a78818bff51ee641119cf96ebb0d5be83f42aa215af
└── signature/example
    └── sha256:00da2c1c3ceea087b16e70c3f4e80dbce6f5b7625d6c8308ad095f7d3f6107b5

Additional Context

Related:

@mthalman
Copy link
Member

Also related: dotnet/docker-tools#1151

@lbussell
Copy link
Contributor Author

[Triage] There are several questions we'd like to get more clarity on:

  1. How would users consume this SBOM using the ORAS tool or otherwise?
  2. What's our policy on what version of the SBOM spec we apply to a given image?
  3. How do we treat attaching SBOMs to .NET major versions? Would adding SBOMs to an already released .NET version be a breaking change? Removing them certainly would. We want to make sure that ORAS and these OCI artifacts are stable before committing to this for release.
  4. We should be clear about the driving scenarios for implementing this. If we implement this only in order to adopt our other automation, then we shouldn't fund this work if the other work isn't funded.

@lbussell
Copy link
Contributor Author

lbussell commented Jun 6, 2024

[Triage] Before diving into the mechanics of how and when and to what versions to attach SBOMs for, we should research what SBOM generator tools generate for our images. For example, what does .NET's SBOM look like? Is it presentable, or even useful? That should be a prerequisite to attaching SBOMs to our images.

@lbussell lbussell removed the untriaged label Jun 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Backlog
Development

No branches or pull requests

2 participants