Adds support for DependencyLayerContributor and HelperLayerContributor to generate SBOMs #105
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dmikusa
added
type:enhancement
dmikusa
force-pushed
the
sbom-deps
branch
2 times, most recently
from
625cfd3 to
2b9b558
Compare
…r to generate SBOMs - DependencyLayerContributor will write an SBOM with the dependency's metadata - HelperLayerContributor will write an SBOM entry with the helper's metadata - Both are written to the layer's SBOM file - The DependencyLayerContributor support adds two new metadata fields to the BuildpackDependency object: `purl` and `cpes`. - purl is a string for the package URL, based on https://github.com/package-url/purl-spec - cpes is a list of strings for multiple CPE, or Common Platform Enumeration, identifiers - the values for these two fields are loaded from dependencies entries in buildpack.toml - if not specified, they default to the Go empty values - a single artifact entry is added for each dependency - The HelpLayerContributor support generates a SBOM file with the following information. It is automatic and no additional metadata is required. - Name is `helper` - Version is the buildpack version - Licenses contains the buildpack's license - Locations contains a list of the helper names that are setup for this helper - CPEs is a list of `cpe:2.3:a:<buildpack-id>:<helper-name>:<buildpack-version:*:*:*:*:*:*:*` - PURL is `pkg:generic/<buildpack-id>@<buildpack-version>` - ID hashes for all artifacts are calculated using `github.com/mitchellh/hashstructure/v2` and are a hash of the SyftArtifact object before setting the ID. - NewDependencyLayerContributor will return an empty BOMEntry if the dependency in question has an empty PURL and an empty CPEs list. This prevents old style and new style BOM entries from both being written, which causes an error under buildpacks API 0.7 and platform API 0.8 but allows for backwards compatibility. - NewHelperLayerContributor will also return an empty BOMEntry but it is based on the API version for the buildpack that contributes the helpers. If that is 0.7, it will be empty. If it's 0.6 or less, it'll return an entry as before. This prevents old style and new style BOM entries from both being written, which causes an error under buildpacks API 0.7 and platform API 0.8 but allows for backwards compatibility. - Old style BOM entries are deprecated and will be removed in a future version of libpak. This functionality requires buildpack API 0.7, for older buildpack versions you may call these methods and they will function properly, however, the lifecycle will not persist any of the information generated. Other incidental changes in this commit: - Fixes a bug with `syft packages`. There was a typo in the command and th `-q` argument was missing. - Moves SBOM functionality from the `sherpa` package into its own package `sbom`. - Bumps to libcnb 1.25.0, which is required for the buildpack API 0.7 support. Signed-off-by: Daniel Mikusa <dmikusa@vmware.com>
pivotal-david-osullivan
approved these changes
Nov 19, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
purlandcpes.helpercpe:2.3:a:<buildpack-id>:<helper-name>:<buildpack-version:*:*:*:*:*:*:*pkg:generic/<buildpack-id>@<buildpack-version>github.com/mitchellh/hashstructure/v2and are a hash of the SyftArtifact object before setting the ID.This functionality requires buildpack API 0.7, for older buildpack versions you may call these methods and they will function properly, however, the lifecycle will not persist any of the information generated.
Other incidental changes in this commit:
syft packages. There was a typo in the command and th-qargument was missing.sherpapackage into its own packagesbom.Signed-off-by: Daniel Mikusa dmikusa@vmware.com