Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add sbom to release assests #5110

Merged
merged 1 commit into from
Jul 1, 2024
Merged

Conversation

zhzhuang-zju
Copy link
Contributor

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
SBOM: A Software Bill of Materials, is an inventory of all of the components that exist within a software resource, such as third-party libraries or modules. SBOMs can identify components that developers integrated directly into an application by importing them into its source code, as well as dependencies (which aren’t a direct part of an application but that are installed or run when the application is deployed).
SPDX: An open standard capable of representing systems with software components in as SBOMs and other AI, data and security references supporting a range of risk management use cases.

I'd like to add sbom to karmada's release assests. It would enhance transparency around the open-source components and dependencies, bolster the security posture of our project, promote responsible software management, and support efficient collaboration and automation in the development lifecycle.

Which issue(s) this PR fixes:
Parts of #5048

Special notes for your reviewer:
The generated sbom content can be referred to https://github.com/zhzhuang-zju/karmada/actions/runs/9722271169/job/26835956739, difficult for humans to read.
We can use some tools to analyze it.

  • bom document outline
    Using bom document outline SBOM contents can be rendered too see how the information they contain is structured.
(base) ➜  karmada git:(xxx) ✗ bom document outline sbom-karmada.spdx 
               _      
 ___ _ __   __| |_  __
/ __| '_ \ / _` \ \/ /
\__ \ |_) | (_| |>  < 
|___/ .__/ \__,_/_/\_\
    |_|               

 📂 SPDX Document /github/workspace

  │ 📦 DESCRIBES 1 Packages

  ├ /github/workspace
  │  │ 🔗 2 Relationships
  │  ├ CONTAINS PACKAGE go.mod
  │  │  │ 🔗 1 Relationships
  │  │  └ CONTAINS PACKAGE github.com/karmada-io/karmada
  │  │  │  │ 🔗 186 Relationships
  │  │  │  ├ DEPENDS_ON PACKAGE github.com/go-task/slim-sprig@0.0.0-20230315185526-52ccab3ef572
  │  │  │  ├ DEPENDS_ON PACKAGE sigs.k8s.io/structured-merge-diff/v4@4.4.1
  │  │  │  ├ DEPENDS_ON PACKAGE k8s.io/apimachinery@0.29.4
  │  │  │  ├ DEPENDS_ON PACKAGE k8s.io/kube-openapi@0.0.0-20231010175941-2dd684a91f00

......

  │  │  │  ├ DEPENDS_ON PACKAGE go.etcd.io/etcd/client/v3@3.5.13
  │  │  │  ├ DEPENDS_ON PACKAGE github.com/kr/text@0.2.0
  │  │  │  ├ DEPENDS_ON PACKAGE github.com/sagikazarmark/locafero@0.4.0
  │  │  │  ├ DEPENDS_ON PACKAGE github.com/russross/blackfriday/v2@2.1.0
  │  │  │  ├ DEPENDS_ON PACKAGE github.com/tidwall/match@1.1.1
  │  │  │  ├ DEPENDS_ON PACKAGE github.com/google/cel-go@0.17.7
  │  │  │  ├ DEPENDS_ON PACKAGE github.com/stoewer/go-strcase@1.3.0
  │  │  │  └ DEPENDS_ON PACKAGE github.com/vektra/mockery/v2@2.10.0
  │  │  │ 
  │  │ 
  │  └ CONTAINS PACKAGE vendor/go.opentelemetry.io/otel/requirements.txt
  │  │  │ 🔗 1 Relationships
  │  │  └ CONTAINS PACKAGE codespell@2.2.6
  │  │ 

  └ 📄 DESCRIBES 0 Files
  • trivy sbom
    Scan SBOM for vulnerabilities
(base) ➜  karmada git:(xxx) ✗ trivy sbom sbom-karmada.spdx
2024-06-29T16:40:05+08:00       INFO    Vulnerability scanning is enabled
2024-06-29T16:40:05+08:00       INFO    Detected SBOM format    format="spdx-tv"
2024-06-29T16:40:05+08:00       INFO    Number of language-specific files       num=3
2024-06-29T16:40:05+08:00       INFO    [gobinary] Detecting vulnerabilities...
2024-06-29T16:40:05+08:00       INFO    [gomod] Detecting vulnerabilities...
2024-06-29T16:40:05+08:00       INFO    [pip] Detecting vulnerabilities...

 (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                        Title                         │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │ MEDIUM   │ affected │ 2.6.0             │               │ jose-go: improper handling of highly compressed data │
│                            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28180           │
└────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────┘

Does this PR introduce a user-facing change?:


Signed-off-by: zhzhuang-zju <m17799853869@163.com>
@karmada-bot karmada-bot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Jun 29, 2024
@karmada-bot karmada-bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 29, 2024
@codecov-commenter
Copy link

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 28.21%. Comparing base (2271a41) to head (66fe40b).
Report is 2 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #5110   +/-   ##
=======================================
  Coverage   28.21%   28.21%           
=======================================
  Files         632      632           
  Lines       43556    43556           
=======================================
  Hits        12291    12291           
  Misses      30368    30368           
  Partials      897      897           
Flag Coverage Δ
unittests 28.21% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Member

@RainbowMango RainbowMango left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2024
@karmada-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2024
@karmada-bot karmada-bot merged commit 9928020 into karmada-io:master Jul 1, 2024
12 checks passed
@RainbowMango
Copy link
Member

RainbowMango commented Jul 1, 2024

Hi @zhzhuang-zju we might need to backport this to release-1.10, so that the latest release could have the sbom.

@zhzhuang-zju
Copy link
Contributor Author

Hi @zhzhuang-zju we might need to backport this to release-1.10, so that the latest release could have the sbom.

/assign

karmada-bot added a commit that referenced this pull request Jul 2, 2024
…5110-upstream-release-1.10

Automated cherry pick of #5110: add sbom to release assests
@RainbowMango RainbowMango added this to the v1.11 milestone Aug 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants