Create and Attach the generated SBOM to the Image

[Vad1mo]

Currently, we are signing the images with cosign, we should also attach the generated SBOMs (from goreleasers or otherwise) to the image

here is a guide:
https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/attestation/sbom/

[rizul2108]

I want to work on this issue, and I was referring the file where we are signing the images, but there seems to be some error on my side, or there is some wip in that file
can you please tell me what is the problem
https://github.com/goharbor/harbor-cli/blob/main/dagger/main.go

[Vad1mo]

Can you be more specific? What problem do you have and what did you already tried to do to solve it, and what outcome did it had?

[rizul2108]

Actually i was getting to know which part of already existing code is related to this issue and what modifications i have to make
and as far as i understood, I will have to work with this file. but when i opened it locally it is giving these errors

and also dag word is there in this file and it is showing undefined for that word through out the file like in this line
https://github.com/goharbor/harbor-cli/blob/8dd8abb21c626fca3cb8488d027bb71c120967b0/dagger/main.go#L44C13-L44C16

[rizul2108]

@Vad1mo any solution for this?

[rizul2108]

I had figured this out now I am onto this issue i just want to ask one thing you provided the guide for trivy tool and in description you mentioned about sbom from goreleasers and by default they are generated using syft so should i write code for sbom generation by trivy or syft

[Vad1mo]

I had figured this out now I am onto this issue i just want to ask one thing you provided the guide for trivy tool and in description you mentioned about sbom from goreleasers and by default they are generated using syft so should i write code for sbom generation by trivy or syft

it doesn't matter, trivy was the first thing that came into my mind. Syft is fine too.

Before your start working, can you outline in steps here what and how you are planing to execute it, so we all have the same understanding.

[rizul2108]

According to the documentation of trivy, first, we need to generate the SBOM file in the desired format. To do that I will make a container using dagger and make that JSON file and export it from that container to local using the below command :

trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>

Then, once we have got the SBOM file in the desired format, we need to replace this command in the below file with attest instead of sign to run this below command. This attest command attaches the SBOM to the image.

cosign attest --key /path/to/cosign.key --type cyclonedx --predicate sbom.cdx.json <IMAGE>

I believe the required changes will only need to be made in this file in this particular function

So, for now, I will first be fixing the format of the SBOM file. Later, we can add functionality to allow users to choose the SBOM format dynamically, as Trivy supports multiple formats. A list of these formats can be found here.

[Vad1mo]

ok, its not the right thing, we are doing the same for the container already, you could just use that file. I was more looking into creating the sbom based on the golang mod file. IMO this should be more accurate. I am also not sure if you can create an sbom just from the binary. Maybe you can compare the output of both options

[rizul2108]

hi sorry for late reply as my uni had resumed so i didn't get to work further on this.
Now i will resume work on this issue

we are doing the same for the container already, you could just use that file.

Can you please attach the link of that file as i can't find where it is ? I will understand further what you are saying in detail and put my thoughts here.

[rizul2108]

Ohkk I found the function this is what you are talking about i think

https://github.com/goharbor/harbor-cli/blob/7f439409d79d9cb16bfed51ba7d25292a6da52c2/dagger/main.go#L228C1-L248C1

[rizul2108]

So i checked and we can create the SBOM file from go.mod file using below command

syft scan go.mod --output <FORMAT> > sbom.cdx.json

So now suppose we have 2 SBOM files 1 is generated from the container image and the other from the go.mod file. So, by comparing what we want to achieve finally, I can't understand that.

[rizul2108]

@Vad1mo can you give any lead on this please?

[bupd]

I would prefer using GoReleaser for generating sboms.

https://goreleaser.com/blog/supply-chain-security/?h=sbom

Hope it helps

[rizul2108]

So I understand that the syft binary is being created in this file already, so I will create the SBOM file from this binary.
So, While attaching do i need to just copy the SBOM file to that container or attach the SBOM file to the image using this command