
Add new command: pack sbom download #1351

Merged
merged 2 commits into from
Feb 3, 2022

Conversation

aemengo
Contributor

@aemengo aemengo commented Dec 22, 2021

Summary

Add command to download image SBOM to specified directory

pack download-sbom aemengo/hello [--local] [--remote] [--output-dir /tmp/some-directory]

Documentation

Related

#1335

@github-actions github-actions bot added this to the 0.23.0 milestone Dec 22, 2021
@github-actions github-actions bot added the type/enhancement Issue that requests a new feature or improvement. label Dec 22, 2021
Member

@dfreilich dfreilich left a comment


Great direction!


codecov bot commented Jan 3, 2022

Codecov Report

Merging #1351 (7db1ac5) into main (9402d07) will decrease coverage by 0.06%.
The diff coverage is 72.89%.


@@            Coverage Diff             @@
##             main    #1351      +/-   ##
==========================================
- Coverage   81.47%   81.42%   -0.05%     
==========================================
  Files         148      151       +3     
  Lines        9598     9657      +59     
==========================================
+ Hits         7819     7862      +43     
- Misses       1313     1327      +14     
- Partials      466      468       +2     
| Flag | Coverage Δ |
| --- | --- |
| os_linux | 80.12% <72.89%> (-0.04%) ⬇️ |
| os_macos | 77.55% <72.89%> (-<0.01%) ⬇️ |
| os_windows | 81.29% <72.89%> (-0.05%) ⬇️ |
| unit | 81.42% <72.89%> (-0.05%) ⬇️ |


@aemengo aemengo marked this pull request as ready for review January 3, 2022 22:01
@aemengo aemengo requested a review from a team as a code owner January 3, 2022 22:01
Use: "download-sbom <image-name>",
Args: cobra.ExactArgs(1),
Short: "Download SBoM from specified image",
Long: "Download layer containing Structured Bill of Materials (SBoM) from specified image",
Member

Does this sbom downloading only work for "app" images? Not run images?

Contributor Author

Once again, are you referring to buildpacks/rfcs#186? As of today, this RFC hasn't been approved and it might be a pre-optimization to implement in light of this.

@samj1912
Member

@aemengo @dfreilich any updates on this?

@dfreilich dfreilich left a comment


Spectacular! Just a few nits I'd like to see changed, but overall this really worked like a charm!

UA

> ./out/pack sbom
Interact with SBoM

Usage:
  pack sbom [command]

Available Commands:
  download    Download SBoM from specified image

Flags:
  -h, --help   Help for 'sbom'

Global Flags:
      --no-color     Disable color output
  -q, --quiet        Show less output
      --timestamps   Enable timestamps in output
  -v, --verbose      Show more output

Use "pack sbom [command] --help" for more information about a command.
> ./out/pack sbom download
Error: accepts 1 arg(s), received 0
Usage:
  pack sbom download <image-name> [flags]

Examples:
pack sbom download buildpacksio/pack

Flags:
  -h, --help                Help for 'download'
      --local               Pull SBoM from local daemon (Default)
      --output-dir string   Path to export SBoM contents.
                            It defaults export to the current working directory. (default ".")
      --remote              Pull SBoM from remote registry

Global Flags:
      --no-color     Disable color output
  -q, --quiet        Show less output
      --timestamps   Enable timestamps in output
  -v, --verbose      Show more output

sbom download on image without an SBoM

> ./out/pack sbom download buildpacksio/pack --remote --output-dir /tmp/pack-sbom
ERROR: could not find SBoM information on 'buildpacksio/pack'
> docker images | grep buildpacksio/pack

sbom download on image with it, from remote registry

> ./out/pack sbom download aemengo/hello --remote --output-dir /tmp/sbom-hello
> tree /tmp/sbom-hello
/tmp/sbom-hello
└── layers
    └── sbom
        └── launch
            └── paketo-buildpacks_ca-certificates
                └── helper
                    └── sbom.syft.json

5 directories, 1 file
> cat /tmp/sbom-hello/layers/sbom/launch/paketo-buildpacks_ca-certificates/helper/sbom.syft.json
{
  "Artifacts": [
    {
      "ID": "b4a6352954da741c",
      "Name": "helper",
      "Version": "3.0.1",
      "Type": "UnknownPackage",
      "FoundBy": "libpak",
      "Locations": [{"Path": "ca-certificates-helper"}],
      "Licenses": ["Apache-2.0"],
      "Language": "",
      "CPEs": ["cpe:2.3:a:paketo-buildpacks/ca-certificates:ca-certificates-helper:3.0.1:*:*:*:*:*:*:*"],
      "PURL": "pkg:generic/paketo-buildpacks/ca-certificates@3.0.1"
    }
  ],
  "Source": {"Type": "directory", "Target": "/layers/paketo-buildpacks_ca-certificates/helper"},
  "Descriptor": {"Name": "syft", "Version": "0.30.1"},
  "Schema": {"Version": "1.1.0", "URL": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-1.1.0.json"}
}

sbom download from local image

> ./out/pack sbom download test --output-dir /tmp/pack-sbom
> tree /tmp/pack-sbom
/tmp/pack-sbom
└── layers
    └── sbom
        └── launch
            └── paketo-buildpacks_ca-certificates
                └── helper
                    └── sbom.syft.json

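As an added example (not code from the pack project or this PR), a small Go reader for what `pack sbom download` writes: it parses the `sbom.syft.json` shown above, refuses an unexpected syft schema version, and maps a file path in the `layers/sbom/<phase>/<buildpack>/<layer>/` tree back to the buildpack and layer it came from. It assumes the syft 1.x field names visible in the thread's output and that the buildpack directory name is the buildpack ID with `/` replaced by `_`; the thread's JSON is embedded as the input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// sampleSBOM is the sbom.syft.json printed in the thread above, embedded here as constructed input.
const sampleSBOM = `{"Artifacts":[{"ID":"b4a6352954da741c","Name":"helper","Version":"3.0.1","Type":"UnknownPackage","FoundBy":"libpak","Locations":[{"Path":"ca-certificates-helper"}],"Licenses":["Apache-2.0"],"Language":"","CPEs":["cpe:2.3:a:paketo-buildpacks/ca-certificates:ca-certificates-helper:3.0.1:*:*:*:*:*:*:*"],"PURL":"pkg:generic/paketo-buildpacks/ca-certificates@3.0.1"}],"Source":{"Type":"directory","Target":"/layers/paketo-buildpacks_ca-certificates/helper"},"Descriptor":{"Name":"syft","Version":"0.30.1"},"Schema":{"Version":"1.1.0","URL":"https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-1.1.0.json"}}`
// Artifact keeps the syft fields a vulnerability scan or licence check needs; other keys are ignored.
type Artifact struct {
	Name, Version, PURL string
	CPEs, Licenses      []string
}

// ParseSyft decodes one sbom.syft.json and refuses schema versions other than 1.x, so a format change fails loudly instead of yielding an empty package list.
func ParseSyft(data []byte) ([]Artifact, error) {
	var s struct {
		Artifacts []Artifact
		Schema    struct{ Version string }
	}
	if err := json.Unmarshal(data, &s); err != nil {
		return nil, fmt.Errorf("decode sbom: %w", err)
	}
	if !strings.HasPrefix(s.Schema.Version, "1.") {
		return nil, fmt.Errorf("unsupported syft schema %q", s.Schema.Version)
	}
	return s.Artifacts, nil
}

// LayerFromPath maps a downloaded file back to its buildpack ID and layer; assumes the layout layers/sbom/<phase>/<buildpack ID with "/" as "_">/<layer>/sbom.<tool>.json.
func LayerFromPath(outputDir, path string) (buildpack, layer string, ok bool) {
	rel, err := filepath.Rel(outputDir, path)
	p := strings.Split(filepath.ToSlash(rel), "/")
	if err != nil || len(p) != 6 || p[0] != "layers" || p[1] != "sbom" || !strings.HasPrefix(p[5], "sbom.") {
		return "", "", false
	}
	return strings.ReplaceAll(p[3], "_", "/"), p[4], true
}

func main() {
	arts, err := ParseSyft([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	bp, layer, _ := LayerFromPath("/tmp/sbom-hello", "/tmp/sbom-hello/layers/sbom/launch/paketo-buildpacks_ca-certificates/helper/sbom.syft.json")
	fmt.Printf("%s layer %q: %+v\n", bp, layer, arts)
}
```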
@samj1912
Member

samj1912 commented Feb 1, 2022

small nitpick - should we rename the command to pack fetch-sbom instead? download seems a bit weird for local images.

Anthony Emengo added 2 commits February 2, 2022 10:17
Signed-off-by: Anthony Emengo <aemengo@vmware.com>
- pack download-sbom -> pack sbom download ....
- Add warning message for pack inspect-image <> --bom
- Remove --local flag
- Add -o shorthand for --output-dir flag

Signed-off-by: Anthony Emengo <aemengo@vmware.com>
@aemengo
Contributor Author

aemengo commented Feb 2, 2022

small nitpick - should we rename the command to pack fetch-sbom instead? download seems a bit weird for local images.

I have no strong feelings. @dfreilich Can you confirm that this is what you'd prefer?

@dfreilich
Member

I actually think download is more akin to what it actually does. I would expect fetch to fetch and display out, while download preserves the files on the local FS. No major skin in the game though, and given that @samj1912 has been a key player in the SBoM situation thus far, I'm happy going with his suggestion

@samj1912
Member

samj1912 commented Feb 2, 2022

Was just a nitpick, don't mind either way. At this point I am just eagerly waiting for this release! Thanks for working on this @aemengo!

@dfreilich dfreilich merged commit 61dc8c7 into buildpacks:main Feb 3, 2022
@dfreilich dfreilich changed the title Add new command: pack download-sbom Add new command: pack sbom download Feb 3, 2022