
Add purls to SPDX sbom #677

Merged: 2 commits merged into ko-build:main on Mar 30, 2022
Conversation

@puerco (Contributor) commented Mar 30, 2022

This PR modifies the SPDX sbom output to include purls that add context for external tools to better infer the types of packages described in the document.

Note:
As each sbom is describing the dependencies of the image it is attached to, the purl type is set to :oci.
This introduces a divergence with the way the CycloneDX sbom expresses its components, as the top component is a reference to golang source and not to the image. I think we should change this to express that the sboms describe the images, not a go package.

/cc @imjasonh @mattmoor

puerco added 2 commits, March 29, 2022 17:30:

1. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

2. This commit modifies the top level purl in the SPDX sbom to use an oci purl, indicating it describes an image.
   Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
@codecov-commenter commented:

Codecov Report

Merging #677 (5c3c9e6) into main (895cff9) will decrease coverage by 0.09%.
The diff coverage is 20.00%.

```
@@            Coverage Diff             @@
##             main     #677      +/-   ##
==========================================
- Coverage   51.62%   51.52%   -0.10%     
==========================================
  Files          44       44              
  Lines        3268     3276       +8     
==========================================
+ Hits         1687     1688       +1     
- Misses       1371     1377       +6     
- Partials      210      211       +1     
```

| Impacted Files | Coverage Δ |
|---|---|
| pkg/commands/deps.go | 13.08% <0.00%> (-0.51%) ⬇️ |
| pkg/build/gobuild.go | 61.44% <40.00%> (-0.20%) ⬇️ |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

mattmoor requested a review from imjasonh, March 30, 2022 04:06

@mattmoor (Collaborator) commented:

This generally LGTM, but can you include an example of what these lines look like in the resulting SBOM?

@puerco (Contributor, Author) commented Mar 30, 2022

Sure thing, this snippet shows the package representing the image and the first dependency (taken from the CI artifacts):


```
##### Package representing github.com/google/ko

PackageName: github.com/google/ko
SPDXID: SPDXRef-Package-git.luolix.top.google.ko
PackageSupplier: Organization: github.com/google/ko
PackageDownloadLocation: https://github.com/google/ko
FilesAnalyzed: false
PackageHomePage: https://github.com/google/ko
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:oci/ko@sha256:af6a6014a791f7828feeb4153c4c731ed4b7b96320ce93fc9998d80a89e19850

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-git.luolix.top.google.ko

[... trim ...]
Relationship: SPDXRef-Package-git.luolix.top.google.ko DEPENDS_ON SPDXRef-Package-cloud.google.com.go-v0.99.0

##### Package representing cloud.google.com/go

PackageName: cloud.google.com/go
SPDXID: SPDXRef-Package-cloud.google.com.go-v0.99.0
PackageVersion: v0.99.0
PackageSupplier: Organization: cloud.google.com/go
PackageDownloadLocation: https://proxy.golang.org/cloud.google.com/go/@v/v0.99.0.zip
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:golang/cloud.google.com/go@v0.99.0?type=module
```
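The two purl shapes in that snippet, and the oci-versus-golang distinction from the PR description, as an added example in Go (written for this page, not ko's own code): it builds the image purl and the module purl, parses them back, and runs the consumer-side check that the package `SPDXRef-DOCUMENT DESCRIBES` carries an oci purl, i.e. that the SBOM really describes an image rather than a Go package. The function names, the repository `ghcr.io/example/ko` and the digest are assumptions made up here; the tag-value fragment is constructed in the shape of the snippet above, and only the purl forms themselves follow the purl spec's oci and golang types.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Purl holds the parts of pkg:<type>/[<namespace>/]<name>[@<version>][?<qualifiers>].
type Purl struct {
	Type, Namespace, Name, Version string
	Qualifiers                     url.Values
}

const purlRef = "ExternalRef: PACKAGE-MANAGER purl " // SPDX tag-value prefix used in the snippet

// OCIPurl builds the top-level image purl, pkg:oci/<name>@<digest>; the oci purl type
// lowercases the name, which is the last segment of the repository path.
func OCIPurl(repo, digest string) (string, error) {
	if ok, _ := regexp.MatchString(`^sha256:[0-9a-f]{64}$`, digest); !ok {
		return "", fmt.Errorf("oci purl: %q is not a sha256 digest", digest)
	}
	segs := strings.Split(repo, "/")
	return "pkg:oci/" + url.PathEscape(strings.ToLower(segs[len(segs)-1])) + "@" + digest, nil
}

// GolangPurl builds a dependency purl, pkg:golang/<module>@<version>?type=module;
// module paths are case-sensitive and kept as-is, each segment percent-encoded on its own.
func GolangPurl(modulePath, version string) string {
	segs := strings.Split(modulePath, "/")
	for i := range segs {
		segs[i] = url.PathEscape(segs[i])
	}
	return "pkg:golang/" + strings.Join(segs, "/") + "@" + url.PathEscape(version) + "?type=module"
}

// ParsePurl splits a purl into its parts (subpaths after '#' are not handled).
func ParsePurl(s string) (Purl, error) {
	var p Purl
	if !strings.HasPrefix(s, "pkg:") {
		return p, fmt.Errorf("purl %q must start with pkg:", s)
	}
	rest := s[len("pkg:"):]
	if i := strings.IndexByte(rest, '?'); i >= 0 {
		p.Qualifiers, _ = url.ParseQuery(rest[i+1:])
		rest = rest[:i]
	}
	if i := strings.LastIndexByte(rest, '@'); i >= 0 {
		p.Version, _ = url.PathUnescape(rest[i+1:])
		rest = rest[:i]
	}
	segs := strings.Split(strings.Trim(rest, "/"), "/")
	if len(segs) < 2 || segs[len(segs)-1] == "" {
		return p, fmt.Errorf("purl %q lacks a type or a name", s)
	}
	p.Type = strings.ToLower(segs[0])
	p.Name, _ = url.PathUnescape(segs[len(segs)-1])
	p.Namespace = strings.Join(segs[1:len(segs)-1], "/")
	return p, nil
}

// DescribedImagePurl is the consumer-side check for the invariant the PR introduces: the
// package SPDXRef-DOCUMENT DESCRIBES must carry an oci purl. It maps each SPDXID to its purl.
func DescribedImagePurl(sbom string) (Purl, error) {
	const descTag = "Relationship: SPDXRef-DOCUMENT DESCRIBES "
	purls := map[string]string{}
	var cur, described string
	for _, line := range strings.Split(sbom, "\n") {
		switch {
		case strings.HasPrefix(line, "SPDXID: "):
			cur = strings.TrimPrefix(line, "SPDXID: ")
		case strings.HasPrefix(line, purlRef):
			purls[cur] = strings.TrimPrefix(line, purlRef)
		case strings.HasPrefix(line, descTag):
			described = strings.TrimPrefix(line, descTag)
		}
	}
	raw, ok := purls[described]
	if !ok {
		return Purl{}, fmt.Errorf("no purl for the package the document describes (%q)", described)
	}
	p, err := ParsePurl(raw)
	if err == nil && p.Type != "oci" {
		err = fmt.Errorf("described package purl %q has type %s, not oci", raw, p.Type)
	}
	return p, err
}

// SampleSBOM is a constructed tag-value fragment in the shape of the PR's snippet; the
// repository and digest are made up for this example (the digest literal is well-formed).
func SampleSBOM() string {
	img, _ := OCIPurl("ghcr.io/example/ko", "sha256:"+strings.Repeat("0123456789abcdef", 4))
	return strings.Join([]string{
		"SPDXID: SPDXRef-Package-github.com.google.ko",
		purlRef + img,
		"Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-github.com.google.ko",
		"SPDXID: SPDXRef-Package-cloud.google.com.go-v0.99.0",
		purlRef + GolangPurl("cloud.google.com/go", "v0.99.0"),
	}, "\n")
}
```

Running `DescribedImagePurl` over a document whose DESCRIBES target carries the golang purl (the situation the description calls out for the CycloneDX output) returns an error rather than a purl, which is the signal an SBOM consumer wants before treating the document as a description of an image; `OCIPurl` likewise refuses a tag where a digest is expected, so the top-level purl always pins content.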

@imjasonh (Member) left a review comment:

Nice! Thanks!

@mattmoor mattmoor merged commit 4ac50b0 into ko-build:main Mar 30, 2022
@mattmoor (Collaborator) commented:

Very helpful thanks!
