[EPIC] SBOM integration

[chlins]

Background

SBOM (Software Bill of Materials) is becoming increasingly important in the software development and supply chain ecosystem. It provides a comprehensive and structured inventory of the components and dependencies used in a software application. The significance of SBOM lies in its ability to enhance transparency, security, and compliance throughout the software development lifecycle.

In the context of Harbor, supporting SBOM brings significant benefits. As a trusted container registry, Harbor can act as a central hub for storing and managing SBOM information. By integrating SBOM generation and storage capabilities into Harbor, organizations gain a centralized and standardized approach to managing their software supply chain. Developers and security teams can easily access SBOM information, analyze dependencies, and make informed decisions regarding security patches, updates, or component replacements.

Related requirement issues

• Feature: SBOM generation + attestation #16397
• SBOM: Ability to generate SBOM when a container or helm chart is uploaded and updated #16186

Tasks

Considering the overall changes and workload involved in this feature, we considered breaking down tasks into different phases and delivering the feature in multiple release versions.

Frontend

• [SBOM] UI design #19131
• [SBOM] UI implementation #19132
• [SBOM] Add project level configuration item to enable auto generate SBOM on push #20061
• [SBOM] Add button to generate SBOM/stop generate SBOM in the artifact table  #20062
• [SBOM] Display the full content of the current SBOM. the content of the SBOM can be download as a file. #20063
• [SBOM] display generate SBOM status when it is not complete, if it complete, display the link to the SBOM detail #20064
• [SBOM] Update the scanner API to add two calculated columns #20050

Backend

• [SBOM] Scanner spec enhancement #19133
• [SBOM] Proposal design #19134
• [SBOM] Backend implementation - Generation JOB #19135
• [SBOM] Backend implementation - APIs #19457
• [SBOM] Backend implementation - Trivy adapter #19458
• [SBOM] Backend implementation - Bundle SBOM to OCI Artifact #19459
• [SBOM] Add a project level configuration item auto_gen_sbom to enable auto generate SBOM on image push #20060
• [SBOM] Update the scanner API to add two calculated columns #20050
• [SBOM] Update existing scan API to allow to generate SBOM, and also update the stop scan API  #20067
• [SBOM] Update existing list artifact API to support list artifact with_sbom_overview #20057
• [SBOM] Remove SBOM information from scan_report table when a SBOM accessory is deleted in registry #20058
• [SBOM] Update existing scan job service, add support to generate SBOM for an artifact #20065
• [SBOM] Add an API to retrieve the SBOM content for the SBOM accessory #20066

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[Reamer]

Still needed.

[bedla]

Hi, will it be possible to upload SBOM and not only generate it?

My use-case is that I have GraalVM native build with SBOM generated during build time and currently saved into Artifactory. This also applied to any other Native build like Go, C, etc.

Some more detail about use-case I described here aquasecurity/trivy#6288

What do you think?

Thx

Ivos

[PiotrIzak]

Feature is still needed.

[sambonbonne]

Hello, I have the same use case as @bedla: I build a native image (GraalVM) with Gradle and Nx so Harbor doesn't detect dependencies vulnerabilities. I am able to generate a SBOM appart the image file but I don't find a way to upload it directly to Harbor.