feat(sbom): add support for scanning a sbom attestation

[otms61]

Description

Support for scanning a sbom attestation.
We can scan a sbom attestation as the following.

$ trivy image --format cyclonedx --output sbom.cdx.json otms61/vuln-python
$ cosign attest --key cosign.key --type cyclonedx --predicate sbom.cdx.json  otms61/vuln-python --no-upload > attest.sbom.cdx.json
$ trivy sbom attest.sbom.cdx.json

Related issues

• Close Scan SBOM attestation #2614

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

It causes panic if the type assertion fails. Can we make sure the assertion works beforehand?

Suggested change

	if _, found := st.Predicate.(map[string]interface{})["Data"]; found {
	if cosignPredicate, ok := st.Predicate.(map[string]interface{}); ok {
	data, found := cosignPredicate["Data"]
	if !found {
	return Statement{}, xerrors.Errorf("unsupported predicate format")
	}
	st.CosignPredicateData = data

Also, we can define our own struct only with needed fields so that we will not have to go back and forth for marshaling/unmarshaling. We can pass json.RawMessage to the SBOM unmarshaler.

trivy/pkg/sbom/attestation/attestation.go

Lines 28 to 31 in 87b2d21

	predicateByte, err = json.Marshal(attest.CosignPredicateData)
	if err != nil {
	return sbom.SBOM{}, xerrors.Errorf("failed to marshal predicate: %w", err)
	}

// StatementHeader defines the common fields for all statements
type StatementHeader struct {
	PredicateType string    `json:"predicateType"`
}

// CosignPredicate specifies the format of the Custom Predicate.
type CosignPredicate struct {
	Data      json.RawMessage
}

/*
Statement binds the attestation to a particular subject and identifies the
of the predicate. This struct represents a generic statement.
*/
type Statement struct {
	StatementHeader
	// Predicate contains type speficic metadata.
	Predicate CosignPredicate `json:"predicate"`
}

[otms61]

Great idea! It will simplify the code!

[knqyf263]

Could you wrap the error by xerrors if it is returned? It adds stack trace and helps us debug.

[otms61]

Done

[knqyf263]

We may want to add an integration test here.

trivy/integration/sbom_test.go

Line 15 in 5b7e0a8

func TestCycloneDX(t *testing.T) {

[otms61]

I have added an integration test.

[knqyf263]

We probably should put a note about cosign version as cyclonedx was added in v1.10.0.

[otms61]

I've added a description about cosign version.

[knqyf263]

Suggested change

	sbom.cdx.intoto.jsonl (alpine 3.7.3)
	Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
	sbom.cdx.intoto.jsonl (alpine 3.7.3)
	====================================
	Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

[otms61]

Done

[knqyf263]

Suggested change

	func TestDecode(t *testing.T) {
	func TestStatement_UnmarshalJSON(t *testing.T) {

[otms61]

Done

[ChristianCiach]

Heads up: This will probably break with the next Cosign version because this has been merged:

• Fix: Drop the CosignPredicate wrapper around SBOM attestations. sigstore/cosign#2718

Especially see the comment sigstore/cosign#2718 (comment)

I still think it is the wrong approach for Trivy to directly support in-toto attestations for the reasons I've specified here: sigstore/cosign#2307 (comment)

[knqyf263]

Thanks for the heads-up. Yeah, we're aware of that. Cosign adds many breaking changes, which is hard for us to follow...