-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(sbom): add support for scanning a sbom attestation #2652
Conversation
pkg/attestation/attestation.go
Outdated
|
||
// When cosign creates an SBOM attestation, it stores the predicate under a "Data" key. | ||
// https://github.com/sigstore/cosign/blob/938ad43f84aa183850014c8cc6d999f4b7ec5e8d/pkg/cosign/attestation/attestation.go#L39-L43 | ||
if _, found := st.Predicate.(map[string]interface{})["Data"]; found { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It causes panic if the type assertion fails. Can we make sure the assertion works beforehand?
if _, found := st.Predicate.(map[string]interface{})["Data"]; found { | |
if cosignPredicate, ok := st.Predicate.(map[string]interface{}); ok { | |
data, found := cosignPredicate["Data"] | |
if !found { | |
return Statement{}, xerrors.Errorf("unsupported predicate format") | |
} | |
st.CosignPredicateData = data |
Also, we can define our own struct only with needed fields so that we will not have to go back and forth for marshaling/unmarshaling. We can pass json.RawMessage
to the SBOM unmarshaler.
trivy/pkg/sbom/attestation/attestation.go
Lines 28 to 31 in 87b2d21
predicateByte, err = json.Marshal(attest.CosignPredicateData) | |
if err != nil { | |
return sbom.SBOM{}, xerrors.Errorf("failed to marshal predicate: %w", err) | |
} |
// StatementHeader defines the common fields for all statements
type StatementHeader struct {
PredicateType string `json:"predicateType"`
}
// CosignPredicate specifies the format of the Custom Predicate.
type CosignPredicate struct {
Data json.RawMessage
}
/*
Statement binds the attestation to a particular subject and identifies the
of the predicate. This struct represents a generic statement.
*/
type Statement struct {
StatementHeader
// Predicate contains type speficic metadata.
Predicate CosignPredicate `json:"predicate"`
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great idea! It will simplify the code!
pkg/sbom/attestation/attestation.go
Outdated
return sbom.SBOM{}, xerrors.Errorf("failed to decode attestation: %w", err) | ||
} | ||
|
||
return u.predicateUnmarshaler.Unmarshal(bytes.NewReader(attest.Predicate.Data)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you wrap the error by xerrors
if it is returned? It adds stack trace and helps us debug.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
We may want to add an integration test here. trivy/integration/sbom_test.go Line 15 in 5b7e0a8
|
I have added an integration test. |
@@ -32,7 +32,7 @@ $ cosign attest --key /path/to/cosign.key --type spdx --predicate sbom.spdx.json | |||
|
|||
# cyclonedx | |||
$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE> | |||
$ cosign attest --key /path/to/cosign.key --type https://cyclonedx.org/schema --predicate sbom.cdx.json <IMAGE> | |||
$ cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We probably should put a note about cosign version as cyclonedx
was added in v1.10.0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a description about cosign version.
docs/docs/sbom/index.md
Outdated
sbom.cdx.intoto.jsonl (alpine 3.7.3) | ||
|
||
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sbom.cdx.intoto.jsonl (alpine 3.7.3) | |
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2) | |
sbom.cdx.intoto.jsonl (alpine 3.7.3) | |
==================================== | |
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
pkg/attestation/attestation_test.go
Outdated
"github.com/aquasecurity/trivy/pkg/attestation" | ||
) | ||
|
||
func TestDecode(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func TestDecode(t *testing.T) { | |
func TestStatement_UnmarshalJSON(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
Heads up: This will probably break with the next Cosign version because this has been merged: Especially see the comment sigstore/cosign#2718 (comment) I still think it is the wrong approach for Trivy to directly support in-toto attestations for the reasons I've specified here: sigstore/cosign#2307 (comment) |
Thanks for the heads-up. Yeah, we're aware of that. Cosign adds many breaking changes, which is hard for us to follow... |
Description
Support for scanning a sbom attestation.
We can scan a sbom attestation as the following.
$ trivy image --format cyclonedx --output sbom.cdx.json otms61/vuln-python $ cosign attest --key cosign.key --type cyclonedx --predicate sbom.cdx.json otms61/vuln-python --no-upload > attest.sbom.cdx.json $ trivy sbom attest.sbom.cdx.json
Related issues
Checklist