
Feature: Pinned-Dependencies digest hashes don't make sense for multi-platform docker images #1773

Closed
calebdoxsey opened this issue Mar 23, 2022 · 14 comments · Fixed by #1918
Labels
kind/enhancement New feature or request

Comments

@calebdoxsey

Is your feature request related to a problem? Please describe.
Dockerfiles allow you to pin the FROM using a digest hash:

FROM golang@sha256:3c4de86eec9cbc619cdd72424abd88326ffcf5d813a8338a7743c55e5898734f AS base

This digest is however platform specific:

[Screenshot: 2022-03-23 8:48:41 AM]

Therefore any project which wants to release or use multi-platform docker images can't use the digest in the FROM and they're going to get dinged by scorecard.

With the release of M1 macs and ARM cloud servers this is becoming an increasingly common problem.

Describe the solution you'd like
Is there another way of pinning the digest that could solve this problem for multi-platform images? Perhaps we can update https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies to note that?

Describe alternatives you've considered
I guess just living with the lower score.

@calebdoxsey calebdoxsey added the kind/enhancement New feature or request label Mar 23, 2022
@laurentsimon
Contributor

laurentsimon commented Mar 23, 2022

Thanks for the issue!

Can you use variables to do that? We accept FROM image@sha256:${SHA} and use docker build . --build-arg SHA=<hash>?

That brings up a second question: how do you store the hashes in a place that dependabot/renovatebot will understand and update?

There's also a template engine, but I've not looked into it much yet.

Let's add this back to the doc once we've figured out the right solution

@laurentsimon
Contributor

cc @loosebazooka @lumjjb any thoughts?

@loosebazooka
Contributor

I don't see why multiplatform images can't be referenced by the hash of the manifest list?

@loosebazooka
Contributor

loosebazooka commented Mar 23, 2022

for example to obtain the manifest list digest

$ crane digest golang
sha256:fb5993c8c22ae9fec57f91a3e59825f9368d01b1d15a984d83080cac575f79b8

and we can see the contents are indeed a manifest list

$ crane manifest golang@sha256:fb5993c8c22ae9fec57f91a3e59825f9368d01b1d15a984d83080cac575f79b8 | jq
{
  "manifests": [
    {
      "digest": "sha256:996ee073842215953635bcc11b2cda8775b543dbe4a903a6792ad7dd4dcd0017",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:2163a6f970e1e150c289b4a3a3f453e2799f0eeab8519da0c178c8962a185371",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v5"
      },
      "size": 1796
    },
    {
      "digest": "sha256:0c1e67274cc64cefe34feb577939f4027d3dc531c020f991d1b8481a7a5ed915",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v7"
      },
      "size": 1796
    },
    {
      "digest": "sha256:9b8a5ea3de2895a1f34beb6f121b658c67ad87b4cc7dc957608331271a20bf8a",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm64",
        "os": "linux",
        "variant": "v8"
      },
      "size": 1796
    },
    {
      "digest": "sha256:393fde56e4f7799fe3fc71b68be2e2a873d3b993a3873215c46b71f68cd6238e",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "386",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:2b13596cafce30e906762c02aa8db1fd5ed7b5120491521a7d0302f0cb36e10e",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "mips64le",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:3b7a7f6da7598a7c6c48f912b321678cbe9a8a5d4898644636788b2454769aa9",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "ppc64le",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:2702929a87bf96e294a34ee64437abf5ba816c5fd2a0ef8247acf6764c211279",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "s390x",
        "os": "linux"
      },
      "size": 1796
    },
    {
      "digest": "sha256:97c37195f3549f498f4c8c0b4a6ccb233bbe9f127fd7ad60fc6e3b4b12042ce5",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "windows",
        "os.version": "10.0.20348.587"
      },
      "size": 3401
    },
    {
      "digest": "sha256:64215ac6ca699e7fa7e2371c6685c8a0b960ba856f2c0fecc77efdc4217dc751",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "windows",
        "os.version": "10.0.17763.2686"
      },
      "size": 3401
    }
  ],
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "schemaVersion": 2
}
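
The mechanism behind the `crane` output above, as an added example (not scorecard's, crane's or any commenter's code): a constructed manifest list and a constructed Dockerfile stand in for the registry and the repository, and the digests in them are made up. The block recomputes the index digest the way `crane digest` does (sha256 over the exact bytes), verifies a fetched index against the pinned digest and refuses a single-platform manifest, picks the child digest a builder would pull for a given os/arch (simplified matching), and scans `FROM` lines for digest pins the way a repository scanner would, resolving `ARG` defaults declared before the first `FROM` so the `--build-arg` variant asked about earlier is covered: a digest stored as an `ARG` default in the Dockerfile is visible to a static check, a value passed only on the `docker build` command line is not. The names `INDEX_BYTES`, `INDEX_DIGEST`, `DOCKERFILE` and the four functions are this example's own.

```python
"""Pinning a multi-platform base image by its manifest-list digest. Added example for
this thread, not scorecard's, crane's or any commenter's code; runs offline on constructed data."""
import hashlib
import json
import re

INDEX_MEDIA_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}

# Constructed stand-in for the `crane manifest` output above (two entries, made-up digests).
INDEX_BYTES = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [
        {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1796, "digest": "sha256:" + "11" * 32,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1796, "digest": "sha256:" + "22" * 32,
         "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
    ],
}, separators=(",", ":")).encode()


def digest_of(blob):
    """Digest as a registry and `crane digest` compute it: sha256 of the exact bytes."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


INDEX_DIGEST = digest_of(INDEX_BYTES)  # what goes after '@' in the FROM line


def verify_index(blob, expected):
    """Check fetched bytes against the pinned digest and require a manifest list.
    The list embeds every per-platform manifest digest, so one digest pins them all."""
    actual = digest_of(blob)
    if actual != expected:
        raise ValueError("digest mismatch: got %s, pinned %s" % (actual, expected))
    index = json.loads(blob)
    if index.get("mediaType") not in INDEX_MEDIA_TYPES:
        raise ValueError("pinned object is a single-platform manifest, not a list")
    return index


def select_platform(index, os_name, arch, variant=None):
    """Child digest a builder pulls for os/arch (simplified: real builders are
    more lenient about variants, e.g. arm64 with no variant matches v8)."""
    for entry in index["manifests"]:
        plat = entry.get("platform", {})
        if plat.get("os") != os_name or plat.get("architecture") != arch:
            continue
        if variant is not None and plat.get("variant") != variant:
            continue
        return entry["digest"]
    raise LookupError("no manifest for %s/%s in the index" % (os_name, arch))


_ARG_RE = re.compile(r"^\s*ARG\s+([A-Za-z_]\w*)(?:=(\S+))?\s*$", re.I)
_FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I)
_PINNED_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def from_references(dockerfile):
    """(image_ref, pinned) per FROM line, after substituting defaults of ARGs
    declared before the first FROM (the only ARGs a FROM line can use)."""
    args, seen_from, refs = {}, False, []
    for line in dockerfile.splitlines():
        m = _ARG_RE.match(line)
        if m and not seen_from:
            args[m.group(1)] = m.group(2)  # None when no default is given
            continue
        m = _FROM_RE.match(line)
        if not m:
            continue
        seen_from = True
        ref = re.sub(r"\$\{(\w+)\}|\$(\w+)",
                     lambda v: args.get(v.group(1) or v.group(2)) or v.group(0),
                     m.group(1))
        # 'scratch' is not a registry image; anything else must carry a digest
        refs.append((ref, ref == "scratch" or bool(_PINNED_RE.search(ref))))
    return refs


# Constructed Dockerfile: a pin stored as an ARG default, an unpinned tag, and a
# digest only supplied via `docker build --build-arg` (invisible to a repo scanner).
DOCKERFILE = """\
ARG GO_DIGEST=%s
ARG RUNTIME_DIGEST
FROM --platform=$BUILDPLATFORM golang@${GO_DIGEST} AS base
FROM alpine:3.15
FROM alpine@sha256:${RUNTIME_DIGEST}
""" % INDEX_DIGEST

if __name__ == "__main__":
    index = verify_index(INDEX_BYTES, INDEX_DIGEST)
    for ref, pinned in from_references(DOCKERFILE):
        print("pinned  " if pinned else "UNPINNED", ref)
    print("linux/arm64 build pulls", select_platform(index, "linux", "arm64"))
```

The check in `verify_index` is what makes a single digest sufficient: the bytes whose sha256 you pin contain the digest of every platform-specific manifest, so any change to one of them changes the index digest too. The flip side, shown by the third `FROM` line, is that a digest that only arrives through `--build-arg` is not in the repository, so a scanner or an update bot has nothing to verify or bump; putting it in the `ARG` default keeps the pin where tooling can see it.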

@calebdoxsey
Author

@loosebazooka this does seem to work. It builds fine on my m1 mac. Thanks!

@loosebazooka
Contributor

I don't know if dependabot/renovate bot actually know how to keep these up to date though; I'd be curious to see what happens.

@lumjjb

lumjjb commented Mar 24, 2022

Yeah, that should be fine since OCI objects are all hash referenced and verified. The person usually uploading the manifest would need the same permissions as whoever is uploading the manifest, so it shouldn't be an issue there, unless this changes in the future.

@laurentsimon
Contributor

Maybe I'm misunderstanding the original question: but was the question around dockerfiles rather than the resulting manifest?

@calebdoxsey
Author

@laurentsimon Yes in the original question I was unsure how best to pin dependencies when using multi-platform images since I thought the digest hash was platform-specific.

But as it turns out there's a digest hash which is not platform-specific, and using that works just fine for docker build. We could probably close this issue unless it'd be worthwhile adding a note to the docs.

@laurentsimon
Contributor

laurentsimon commented Mar 24, 2022

ah, I see. So there's a digest that contains all the other images. I'd like to add this to the documentation of our check for the remediation part. Mind drafting a sentence or 2 that we could add in our doc for other users to benefit from? You can send a PR or just paste it here if you prefer.

@loosebazooka
Contributor

can you link to the docs?

@laurentsimon
Contributor

@laurentsimon
Contributor

@loosebazooka still interested in tweaking the doc?

@loosebazooka
Contributor

I forgot about this. I'll take a look tomorrow if no one else is interested.
