Feature: SBOM generation + attestation #16397

Open
hectorj2f opened this issue Feb 21, 2022 · 10 comments · May be fixed by goharbor/community#197
Labels
kind/requirement New feature or idea on top of harbor

Comments

@hectorj2f

Is your feature request related to a problem? Please describe.
Customers want to know what is inside the pulled images, and they also want to know the authenticity of that generated information.

Describe the solution you'd like
Harbor could have periodic tasks to generate SBOMs for the stored container images. Likewise, I believe Harbor should also attest the generation of SBOM files to validate the authenticity of that generated BOM.

Describe the main design/architecture of your solution
A service similar to the scanning solution for the images, that generates an SBOM file for each container image that doesn't have an associated SBOM file. There are multiple open source tools to generate SBOM files from container images.

Once the SBOM data has been generated, Harbor could generate an attestation to record a proof of the authenticity of this generated data.

Additional context
There is a thing or two to keep in mind. Certain container images might already contain SBOM data which is a combination of multiple SBOM files. Or the container image BOM only reflects a limited runtime part of the dependencies of that image, so the SBOM data might not reflect all the dependencies that the authors might know it has.

@ChristianCiach

Seeing that support for Cosign is on the roadmap for Harbor, I think there is an opportunity to combine this with SBOM generation, as I've already explained here: #16186 (comment)

@hectorj2f
Author

@ChristianCiach The support for cosign is nearly done, I believe it should already be in an RC. I agree that Harbor could use the cosign SDK to attest a previously generated SBOM.

@wy65701436 wy65701436 added kind/requirement New feature or idea on top of harbor candidate/2.6.0 labels Feb 28, 2022
@github-actions

github-actions bot commented May 2, 2022

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label May 2, 2022
@hectorj2f
Author

@wy65701436 Do you have any news in relation to this issue?

@github-actions github-actions bot removed the Stale label May 3, 2022
@hectorj2f
Author

https://pbs.twimg.com/media/FQT_7sVVkBEyuhq.jpg Docker will use Trivy and would be able to save SBOM files.

@developer-guy

developer-guy commented May 30, 2022

anything in progress?

we (w/@Dentrax) thought that generating SBOM automatically with Syft (@luhring) would be a great feature 🙋🏻‍♂️

@Dentrax

Dentrax commented May 30, 2022

We can also sign & attach SBOMs in in-toto attestations using cosign to prove integrity. [1]

Footnotes

[1] https://anchore.com/sbom/creating-sbom-attestations-using-syft-and-sigstore/
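The flow proposed in the issue (generate an SBOM for an image, then attest it so consumers can check its authenticity) and the in-toto attestation Dentrax refers to above are concrete enough to show in code. The following is an added example written for this thread, not Harbor's, cosign's or syft's own code. It builds the in-toto Statement (v0.1) plus DSSE envelope shape that `cosign attest` emits, signs it with an ECDSA P-256 key (the key type cosign uses; the key handling here is a stand-in for cosign's own key management), and verifies it the way a registry or admission check should: signature first, then predicate type, then that the attestation's subject is the image digest the verifier resolved on its own. The image digest, image name and SBOM body are constructed placeholders, and `NewSigningKey`, `NewSBOMStatement`, `Attest` and `Verify` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// These types mirror an in-toto Statement (v0.1) inside a DSSE envelope, the shape `cosign attest` emits.
type (
	Subject struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	}
	Statement struct {
		Type          string          `json:"_type"`
		PredicateType string          `json:"predicateType"`
		Subject       []Subject       `json:"subject"`
		Predicate     json.RawMessage `json:"predicate"` // the SBOM document itself
	}
	Signature struct{ Sig []byte `json:"sig"` } // []byte marshals as base64, which is what DSSE carries
	Envelope  struct {
		PayloadType string      `json:"payloadType"`
		Payload     []byte      `json:"payload"` // the Statement JSON; base64 on the wire
		Signatures  []Signature `json:"signatures"`
	}
)

const (
	StatementType = "https://in-toto.io/Statement/v0.1"
	SPDXPredicate = "https://spdx.dev/Document"
	PayloadType   = "application/vnd.in-toto+json"
	// ConstructedDigest is a made-up sha256 hex standing in for a real image's manifest digest.
	ConstructedDigest = "5b0f2c9d4e7a1b3c8d6e2f4a9c1b7d3e5f8a0c2b4d6e8f1a3c5b7d9e2f4a6c8b"
)

// pae is DSSE's Pre-Authentication Encoding: the exact bytes that are signed, binding type and length.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// NewSigningKey returns an ECDSA P-256 key, the key type cosign uses (stand-in for cosign key management).
func NewSigningKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewSBOMStatement binds an SBOM (the predicate) to one image digest (the subject).
func NewSBOMStatement(imageRef, digestHex string, sbom json.RawMessage) Statement {
	subject := Subject{Name: imageRef, Digest: map[string]string{"sha256": digestHex}}
	return Statement{Type: StatementType, PredicateType: SPDXPredicate, Subject: []Subject{subject}, Predicate: sbom}
}

// Attest signs the statement and wraps it in a DSSE envelope, the artifact a registry stores beside the image.
func Attest(key *ecdsa.PrivateKey, st Statement) (Envelope, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	h := sha256.Sum256(pae(PayloadType, body))
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{PayloadType: PayloadType, Payload: body, Signatures: []Signature{{Sig: sig}}}, nil
}

// Verify checks the signature, then that the statement is an SBOM attestation whose subject is the
// digest the verifier resolved itself: a valid signature over some other image proves nothing here.
func Verify(pub *ecdsa.PublicKey, env Envelope, wantDigestHex string) (Statement, error) {
	var st Statement
	h := sha256.Sum256(pae(env.PayloadType, env.Payload))
	verified := false
	for _, s := range env.Signatures {
		verified = verified || ecdsa.VerifyASN1(pub, h[:], s.Sig)
	}
	if !verified {
		return st, fmt.Errorf("no valid signature on envelope")
	}
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return st, err
	}
	if st.PredicateType != SPDXPredicate {
		return st, fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	if len(st.Subject) != 1 || st.Subject[0].Digest["sha256"] != wantDigestHex {
		return st, fmt.Errorf("attestation subject does not match image digest %s", wantDigestHex)
	}
	return st, nil
}

func main() {
	key, _ := NewSigningKey()
	sbom := json.RawMessage(`{"spdxVersion":"SPDX-2.2","name":"constructed-sbom"}`) // constructed, not a real SBOM
	env, _ := Attest(key, NewSBOMStatement("registry.example/library/app", ConstructedDigest, sbom))
	_, err := Verify(&key.PublicKey, env, ConstructedDigest)
	fmt.Println("SBOM attestation verified:", err == nil)
}
```

In a registry the `sbom` argument would be the output of a generator such as syft, and the public key (or the Fulcio certificate chain, in keyless mode) would come from the signer's configured identity rather than a key generated in-process. The order of checks in `Verify` is the point worth copying: the envelope is opaque bytes until its signature verifies, and a verified SBOM attestation is only meaningful for the image whose digest it names.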

@qnetter
Contributor

qnetter commented May 31, 2022

This is a solid idea and I like it for a future release. Proposal, anyone?

@Dentrax

Dentrax commented May 31, 2022

Waiting for some reviews here! goharbor/community#197

@github-actions

github-actions bot commented Jul 5, 2022

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

8 participants