Create and Attach the generated SBOM to the Image #229
I want to work on this issue, and I was referring to the file where we are signing the images, but there seems to be some error on my side, or there is some WIP in that file.
Can you be more specific? What problem do you have, what did you already try to do to solve it, and what outcome did it have?
Actually, I was getting to know which part of the already existing code is related to this issue and what modifications I have to make.
@Vad1mo, any solution for this?
I had figured this out. Now I am onto this issue; I just want to ask one thing: you provided the guide for
It doesn't matter; trivy was the first thing that came to my mind. Syft is fine too. Before you start working, can you outline in steps here what and how you are planning to execute it, so we all have the same understanding?
According to the documentation of trivy, first we need to generate the SBOM file in the desired format. To do that, I will make a container using dagger, create that JSON file, and export it from that container to local using the below command:
Then, once we have got the SBOM file in the desired format, we need to replace this command in the below file with
I believe the required changes will only need to be made in this file in this particular function. So, for now, I will first be fixing the format of the SBOM file. Later, we can add functionality to allow users to choose the SBOM format dynamically, as Trivy supports multiple formats. A list of these formats can be found here.
OK, it's not the right thing; we are doing the same for the container already, you could just use that file. I was more looking into creating the SBOM based on the golang mod file. IMO this should be more accurate. I am also not sure if you can create an SBOM just from the binary. Maybe you can compare the output of both options.
Hi, sorry for the late reply; as my uni had resumed, I didn't get to work further on this.
Can you please attach the link to that file, as I can't find where it is? I will understand further what you are saying in detail and put my thoughts here.
Okay, I found the function; this is what you are talking about, I think.
So I checked, and we can create the SBOM file from the go.mod file using the below command
So now suppose we have 2 SBOM files: 1 is generated from the container image and the other from the
@Vad1mo, can you give any lead on this, please?
I would prefer using GoReleaser for generating SBOMs. https://goreleaser.com/blog/supply-chain-security/?h=sbom Hope it helps.
I read that creating the SBOM file from the binary is more accurate than making the SBOM from the Go mod file.
Currently, we are signing the images with cosign; we should also attach the generated SBOMs (from GoReleaser or otherwise) to the image.
here is a guide:
https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/attestation/sbom/
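The flow this issue asks for (trivy SBOM, cosign attestation on an already-signed image, verification of that attestation), as an added shell example that is not part of this project's code; it also builds the go.mod-based SBOM discussed above so the two outputs can be compared. Assumed: trivy, cosign and jq on PATH, a COSIGN_KEY/COSIGN_PUB key pair (drop the --key flags for keyless signing), and a placeholder image name.

```shell
#!/bin/sh
# Added example, not this project's code: build an SBOM with trivy, attach it
# to an already-signed image as a cosign attestation, then verify it.
# Assumed: trivy, cosign, jq on PATH; COSIGN_KEY/COSIGN_PUB name a key pair
# (for keyless signing drop the --key flags); base64 accepts -d.
set -eu

# Map a trivy --format name to the cosign --type predicate name. Trivy calls
# the JSON SPDX flavour "spdx-json", cosign calls the same predicate
# "spdxjson"; trivy's tag-value "spdx" is not JSON, so it is rejected here.
predicate_type_for() {
  case "$1" in
    cyclonedx) echo cyclonedx ;;
    spdx-json) echo spdxjson ;;
    *) echo "unsupported SBOM format for attestation: $1" >&2; return 1 ;;
  esac
}

# SBOM of the built image: what the container actually ships.
sbom_from_image() {   # image format outfile
  trivy image --format "$2" --output "$3" "$1"
}

# SBOM of the Go module source (go.mod/go.sum), to compare with the image one.
sbom_from_source() {  # srcdir format outfile
  trivy fs --format "$2" --output "$3" "$1"
}

# Attach the SBOM as an in-toto attestation alongside the image signature.
attest_sbom() {       # image format sbomfile
  ptype=$(predicate_type_for "$2")
  cosign attest --key "$COSIGN_KEY" --type "$ptype" --predicate "$3" "$1"
}

# Verify the attestation first (a failure aborts under set -e; piping cosign
# straight into jq would mask it), then print the embedded SBOM predicate.
verify_sbom() {       # image format
  ptype=$(predicate_type_for "$2")
  out=$(cosign verify-attestation --key "$COSIGN_PUB" --type "$ptype" "$1")
  printf '%s\n' "$out" | jq -r '.payload' | base64 -d | jq '.predicate'
}

# Usage (placeholder image): ./sbom-attest.sh ghcr.io/example/app:v0.1.0 [cyclonedx|spdx-json]
if [ "$#" -ge 1 ]; then
  image=$1; fmt=${2:-cyclonedx}
  sbom_from_image  "$image" "$fmt" sbom-image.json
  sbom_from_source "."      "$fmt" sbom-source.json
  attest_sbom "$image" "$fmt" sbom-image.json
  verify_sbom "$image" "$fmt" >/dev/null && echo "SBOM attestation verified"
fi
```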