Attach sbom to container image (#730)

* Test oras sbom attach Signed-off-by: Prabhu Subramanian <[email protected]> * Tweaks Signed-off-by: Prabhu Subramanian <[email protected]> --------- Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Nov 20, 2023 · c735b9f · c735b9f
1 parent ef8675f
commit c735b9f
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 14 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,4 @@
+**/.git
+.github/
+.vscode/
+**/node_modules
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
@@ -81,6 +81,12 @@ jobs:
       with:
         images: |
           ghcr.io/cyclonedx/cdxgen
+    - name: Extract metadata (tags, labels) for nydus
+      id: metanydus
+      uses: docker/metadata-action@v4
+      with:
+        images: |
+          ghcr.io/cyclonedx/cdxgen-nydus
     - name: Build and push Docker images
       uses: docker/build-push-action@v4
       with:
@@ -94,9 +100,15 @@ jobs:
         cache-to: type=gha,mode=max,scope=cdxgen
     - name: nydusify
       run: |
-        nydusify convert --source ghcr.io/cyclonedx/cdxgen:master --target ghcr.io/cyclonedx/cdxgen-nydus:master
-        nydusify check --source ghcr.io/cyclonedx/cdxgen:master --target ghcr.io/cyclonedx/cdxgen-nydus:master
+        nydusify convert --source ${{ steps.meta.outputs.tags }} --target ${{ steps.metanydus.outputs.tags }}
+        nydusify check --target ${{ steps.metanydus.outputs.tags }}
       if: github.ref == 'refs/heads/master'
+    - name: Attach cdx sbom
+      run: |
+        npm install
+        node bin/cdxgen.js -t docker -o bom.json ${{ steps.meta.outputs.tags }}
+        oras attach --artifact-type sbom/cyclonedx ${{ steps.meta.outputs.tags }} ./bom.json:application/json
+        oras discover -o tree ${{ steps.meta.outputs.tags }}
     - name: Extract metadata (tags, labels) for Docker
       id: meta2
       uses: docker/metadata-action@v4

diff --git a/docker.js b/docker.js
@@ -111,7 +111,6 @@ export const getOnlyDirs = (srcpath, dirName) => {
 };
 
 const getDefaultOptions = (forRegistry) => {
-  console.log("getDefaultOptions called with", forRegistry);
   let authTokenSet = false;
   if (!forRegistry && process.env.DOCKER_SERVER_ADDRESS) {
     forRegistry = process.env.DOCKER_SERVER_ADDRESS;
@@ -178,9 +177,6 @@ const getDefaultOptions = (forRegistry) => {
               opts.headers = {
                 "X-Registry-Auth": configJson.auths[serverAddress].auth
               };
-              console.log(
-                `Using the existing authentication token for the registry ${serverAddress}`
-              );
               authTokenSet = true;
               break;
             } else if (configJson.credsStore) {
@@ -192,9 +188,6 @@ const getDefaultOptions = (forRegistry) => {
                 opts.headers = {
                   "X-Registry-Auth": helperAuthToken
                 };
-                console.log(
-                  `Using the authentication token from the credential store for ${serverAddress}`
-                );
                 authTokenSet = true;
                 break;
               }
@@ -215,9 +208,6 @@ const getDefaultOptions = (forRegistry) => {
                 opts.headers = {
                   "X-Registry-Auth": helperAuthToken
                 };
-                console.log(
-                  `Using the authentication token from the credential helper for ${serverAddress}`
-                );
                 authTokenSet = true;
                 break;
               }
@@ -492,7 +482,10 @@ export const getImage = async (fullImageName) => {
   let localData = undefined;
   let pullData = undefined;
   const { registry, repo, tag, digest } = parseImageName(fullImageName);
-  let repoWithTag = `${repo}:${tag !== "" ? tag : ":latest"}`;
+  let repoWithTag =
+    registry && registry !== "docker.io"
+      ? fullImageName
+      : `${repo}:${tag !== "" ? tag : ":latest"}`;
   // Fetch only the latest tag if none is specified
   if (tag === "" && digest === "") {
     fullImageName = fullImageName + ":latest";
@@ -1098,7 +1091,6 @@ export const getCredsFromHelper = (exeSuffix, serverAddress) => {
     input: serverAddress,
     encoding: "utf-8"
   });
-  console.log("Invoking", credHelperExe, "get");
   if (result.status !== 0 || result.error) {
     console.log(result.stdout, result.stderr);
   } else if (result.stdout) {

diff --git a/docs/LESSON3.md b/docs/LESSON3.md
@@ -0,0 +1,46 @@
+# Attach signed SBOM to a container image
+
+## Learning Objective
+
+In this lesson, we will learn about signing and attaching a signed SBOM to a container image.
+
+## Pre-requisites
+
+Ensure the following tools are installed.
+
+- ORAS [CLI](https://oras.land/docs/installation)
+- Node.js > 18
+- docker or podman
+
+Additionally, you need to have access to a container registry to push the image.
+
+## Getting started
+
+Install cdxgen
+
+```shell
+sudo npm install -g @cyclonedx/cdxgen
+```
+
+### Create and Build a container image
+
+Paste the below contents to a file named `Dockerfile`
+
+```
+FROM ubuntu:latest
+```
+
+Build and push the image to the registry
+
+```shell
+docker build -t docker.io/<repo>/sign-test:latest -f Dockerfile .
+docker push docker.io/<repo>/sign-test:latest
+```
+
+### Create an SBOM with cdxgen
+
+```shell
+cdxgen --generate-key-and-sign -t docker -o bom.json docker.io/<repo>/sign-test:latest
+oras attach --artifact-type sbom/cyclonedx docker.io/<repo>/sign-test:latest ./bom.json:application/json
+oras discover -o tree docker.io/<repo>/sign-test:latest
+```
diff --git a/docs/_sidebar.md b/docs/_sidebar.md
@@ -5,4 +5,5 @@
 - [Advanced Usage](ADVANCED.md)
 - [Tutorials - Java](LESSON1.md)
 - [Tutorials - JavaScript](LESSON2.md)
+- [Tutorials - Sign & Attach](LESSON3.md)
 - [Enterprise Support](SUPPORT.md)