
Generate SPDX SBOMs in JSON form #660

Closed
imjasonh opened this issue Mar 20, 2022 · 6 comments
Labels
lifecycle/frozen sbom Related to generation of SBOMs

Comments

@imjasonh
Member

Instead of the text form we use today. JSON is just better.

@imjasonh imjasonh added the sbom Related to generation of SBOMs label Mar 28, 2022
@github-actions

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

@imjasonh
Member Author

I'd still like to do this.

@adambkaplan

I found this recently - quay.io doesn't always support spdx+json media types - it fails if ko pushes to a sub-repository (example: quay.io/adambkaplan/hello-world/cmd-md5hash). Quay does support text/spdx+json.

Error: error processing import paths in "-": error resolving image references: writing sbom: PUT https://quay.io/v2/adambkaplan/tekton-results/watcher-83f971ea227fb24157c0c699b824a628/manifests/sha256-0a97f730361efd5ea6ef17f0365af63e25d2a2be55080c91998fce0f4303ecc4.sbom: MANIFEST_INVALID: manifest invalid; map[message:failed to parse manifest: manifest data does not match schema: 'spdx+json' is not one of ['application/vnd.oci.image.layer.v1.tar', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+zstd', 'application/vnd.oci.image.layer.nondistributable.v1.tar', 'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip', 'application/vnd.dev.cosign.simplesigning.v1+json', 'application/vnd.dsse.envelope.v1+json', 'text/spdx', 'text/spdx+xml', 'text/spdx+json', 'application/vnd.syft+json', 'application/vnd.cyclonedx', 'application/vnd.cyclonedx+xml', 'application/vnd.cyclonedx+json', 'application/vnd.in-toto+json', 'application/tar+gzip', 'application/vnd.cncf.helm.chart.content.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.cncf.openpolicyagent.policy.layer.v1+rego', 'application/vnd.cncf.openpolicyagent.data.layer.v1+json']

Failed validating 'enum' in schema['properties']['layers']['items']['properties']['mediaType']:
    {'description': 'The MIME type of the referenced manifest',
     'enum': ['application/vnd.oci.image.layer.v1.tar',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+zstd',
              'application/vnd.oci.image.layer.nondistributable.v1.tar',
              'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip',
              'application/vnd.dev.cosign.simplesigning.v1+json',
              'application/vnd.dsse.envelope.v1+json',
              'text/spdx',
              'text/spdx+xml',
              'text/spdx+json',
              'application/vnd.syft+json',
              'application/vnd.cyclonedx',
              'application/vnd.cyclonedx+xml',
              'application/vnd.cyclonedx+json',
              'application/vnd.in-toto+json',
              'application/tar+gzip',
              'application/vnd.cncf.helm.chart.content.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.cncf.openpolicyagent.policy.layer.v1+rego',
              'application/vnd.cncf.openpolicyagent.data.layer.v1+json'],
     'type': 'string'}

On instance['layers'][0]['mediaType']:
    'spdx+json']
2023/02/01 16:06:07 error during command execution:error processing import paths in "-": error resolving image references: writing sbom: PUT https://quay.io/v2/adambkaplan/tekton-results/watcher-83f971ea227fb24157c0c699b824a628/manifests/sha256-0a97f730361efd5ea6ef17f0365af63e25d2a2be55080c91998fce0f4303ecc4.sbom: MANIFEST_INVALID: manifest invalid; map[message:failed to parse manifest: manifest data does not match schema: 'spdx+json' is not one of ['application/vnd.oci.image.layer.v1.tar', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+zstd', 'application/vnd.oci.image.layer.nondistributable.v1.tar', 'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip', 'application/vnd.dev.cosign.simplesigning.v1+json', 'application/vnd.dsse.envelope.v1+json', 'text/spdx', 'text/spdx+xml', 'text/spdx+json', 'application/vnd.syft+json', 'application/vnd.cyclonedx', 'application/vnd.cyclonedx+xml', 'application/vnd.cyclonedx+json', 'application/vnd.in-toto+json', 'application/tar+gzip', 'application/vnd.cncf.helm.chart.content.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.cncf.openpolicyagent.policy.layer.v1+rego', 'application/vnd.cncf.openpolicyagent.data.layer.v1+json']

Failed validating 'enum' in schema['properties']['layers']['items']['properties']['mediaType']:
    {'description': 'The MIME type of the referenced manifest',
     'enum': ['application/vnd.oci.image.layer.v1.tar',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+zstd',
              'application/vnd.oci.image.layer.nondistributable.v1.tar',
              'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip',
              'application/vnd.dev.cosign.simplesigning.v1+json',
              'application/vnd.dsse.envelope.v1+json',
              'text/spdx',
              'text/spdx+xml',
              'text/spdx+json',
              'application/vnd.syft+json',
              'application/vnd.cyclonedx',
              'application/vnd.cyclonedx+xml',
              'application/vnd.cyclonedx+json',
              'application/vnd.in-toto+json',
              'application/tar+gzip',
              'application/vnd.cncf.helm.chart.content.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.cncf.openpolicyagent.policy.layer.v1+rego',
              'application/vnd.cncf.openpolicyagent.data.layer.v1+json'],
     'type': 'string'}

On instance['layers'][0]['mediaType']:
    'spdx+json']

cc @dmesser
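The registry-side check that rejected the push above, re-implemented as an added example in Go (not ko's, cosign's or Quay's own code): it parses an OCI image manifest, compares each layer's mediaType against the enum Quay returned in the error, and, where a bare subtype such as `spdx+json` was used, names the `text/` form Quay does accept. The allowed list is the one from the error message; the sample manifest and its digest are constructed, and the function name `RejectedLayers` is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Layer media types Quay accepted at the time, copied from its MANIFEST_INVALID message in
// this thread with one duplicate dropped (the OCI spec itself does not restrict layer types).
var quayLayerTypes = strings.Fields(`
application/vnd.oci.image.layer.v1.tar application/vnd.oci.image.layer.v1.tar+gzip application/vnd.oci.image.layer.v1.tar+zstd
application/vnd.oci.image.layer.nondistributable.v1.tar application/vnd.oci.image.layer.nondistributable.v1.tar+gzip
application/vnd.dev.cosign.simplesigning.v1+json application/vnd.dsse.envelope.v1+json text/spdx text/spdx+xml text/spdx+json
application/vnd.syft+json application/vnd.cyclonedx application/vnd.cyclonedx+xml application/vnd.cyclonedx+json
application/vnd.in-toto+json application/tar+gzip application/vnd.cncf.helm.chart.content.v1.tar+gzip
application/vnd.cncf.openpolicyagent.policy.layer.v1+rego application/vnd.cncf.openpolicyagent.data.layer.v1+json`)

// RejectedLayers parses an OCI image manifest and returns one message per layer whose
// mediaType is outside allowed, mirroring Quay's enum check; a bare subtype such as
// "spdx+json" is reported together with the "text/" form Quay does accept.
func RejectedLayers(manifest []byte, allowed []string) ([]string, error) {
	var m struct { // only the layers' mediaType matters here; other fields are ignored
		Layers []struct {
			MediaType string `json:"mediaType"`
		} `json:"layers"`
	}
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	ok := make(map[string]bool, len(allowed))
	for _, t := range allowed {
		ok[t] = true
	}
	var bad []string
	for i, l := range m.Layers {
		if ok[l.MediaType] {
			continue
		}
		msg := fmt.Sprintf("layers[%d]: %q not accepted", i, l.MediaType)
		if !strings.Contains(l.MediaType, "/") && ok["text/"+l.MediaType] {
			msg += fmt.Sprintf("; registry expects %q", "text/"+l.MediaType)
		}
		bad = append(bad, msg)
	}
	return bad, nil
}

// Constructed sample of the SBOM manifest shape ko pushed (config omitted; digest and size are placeholders).
const sampleSBOMManifest = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json",
"layers":[{"mediaType":"spdx+json","digest":"sha256:placeholder","size":1}]}`
```

Running the same check with `text/spdx+json` in the layer returns no rejections, which is the media type the cosign fix mentioned later in the thread switched to.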

@dmesser

dmesser commented Feb 2, 2023

@adambkaplan easy to add though. We are also planning to drop the mediaType filtering in accordance with OCI.

@dmesser

dmesser commented Feb 2, 2023

FWIW, Quay is tracking that here: https://issues.redhat.com/browse/PROJQUAY-5029

@imjasonh
Member Author

imjasonh commented Feb 2, 2023

This issue is closed actually, since we're generating SPDX SBOMs in JSON (or "SPDXSBOMiJSON" for short 🙃 )

The issue that SBOMs are pushed with spdx+json was fixed in cosign and picked up by ko in #933, but it's not released yet.

@imjasonh imjasonh closed this as completed Feb 2, 2023