Closed NohaIhab closed 1 month ago
Thank you for reporting us your feedback!
The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-6280.
This message was autogenerated
I wrote a script that re-uses our get_all_images.py script to produce the SBOMs for kubeflow bundle images.
For mlflow bundle images, this will not apply since mlflow does not have the tools/get-images.sh. To generate the mlflow SBOMs, I ran the following commands:
syft scan docker.io/charmedkubeflow/mlflow:v2.15.1-d756ce7 -o spdx-json=docker.io/charmedkubeflow/mlflow:v2.15.1-d756ce7.spdx.json
syft scan docker.io/charmedkubeflow/mlflow-prometheus-exporter:1.0-22.04 -o spdx-json=docker.io/charmedkubeflow/mlflow-prometheus-exporter:1.0-22.04.spdx.json
I also included the SBOMs for the minio and mysql images generated by the script for the kubeflow bundle. The mlflow SBOMs are now uploaded in the team's Gdrive.
While the solution for mlflow is manual, I don't think we should invest any time to automate it since we will be replacing this process with the automation planned by the SBOM WG. From their spec:
Automation: REST API and Command line tool, for automation of bulk SBOM production, is planned for the 25.04 cycle.
Context
We need an automated way to produce SBOMs for all our OCI images and rocks
What needs to get done
Write a script that does the following:
snap install syft
syft scan container@manifest -o spdx-json=container@manifest.spdx.json
(replacing "container" with the url/path to the container, e.g. grafana/grafana; and "manifest" with the manifest digest for the container)
Definition of Done
We have a script to produce SBOMs for all our images and rocks
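The following is an added example of the kind of batch script this issue asks for, and of the manual mlflow commands from the comment above; it is not the project's get_all_images.py or tools/get-images.sh, and nothing here is taken from the repository. It assumes syft is already installed (the issue's `snap install syft` step), that the image list is a plain text file with one image reference per line (tag- or digest-pinned, e.g. `container@manifest`), and that writing one SBOM per image into an output directory is acceptable. The `SYFT` and `OUT_DIR` environment overrides and the filename mapping are this example's own design choices: an image reference such as `docker.io/charmedkubeflow/mlflow:v2.15.1-d756ce7` contains `/` and `:`, so using it verbatim as an output filename (as in the manual commands) would require the `docker.io/charmedkubeflow/` directories to exist first; the script replaces those characters with `_` instead.

```shell
#!/bin/sh
# Added example (not the project's code): generate one SPDX-JSON SBOM per OCI
# image reference with syft, driven by a one-reference-per-line list file
# (assumed format of the tools/get-images.sh output).
set -eu

# Map an image reference to a single filesystem-safe SBOM filename.
# Assumption: replacing '/' and ':' with '_' is an acceptable naming scheme.
#   docker.io/charmedkubeflow/mlflow:v2.15.1-d756ce7
#     -> docker.io_charmedkubeflow_mlflow_v2.15.1-d756ce7.spdx.json
sbom_filename() {
  printf '%s.spdx.json\n' "$(printf '%s' "$1" | tr '/:' '__')"
}

# Scan one image reference and write its SPDX SBOM into ${OUT_DIR:-sboms}.
# SYFT (default: syft) can be pointed at another binary, e.g. a dry-run stub.
# Prints the path of the SBOM written; returns non-zero if syft failed.
scan_image() {
  ref="$1"
  out_dir="${OUT_DIR:-sboms}"
  out="$out_dir/$(sbom_filename "$ref")"
  mkdir -p "$out_dir"
  "${SYFT:-syft}" scan "$ref" -o "spdx-json=$out" || return 1
  printf '%s\n' "$out"
}

# Scan every non-empty, non-comment line of the list file. A failing image
# does not stop the batch, but the function returns non-zero at the end so a
# CI job still notices that the SBOM set is incomplete.
scan_image_list() {
  list="$1"
  failed=0
  while IFS= read -r ref || [ -n "$ref" ]; do
    case "$ref" in
      ''|'#'*) continue ;;
    esac
    if scan_image "$ref"; then
      :
    else
      echo "FAILED to generate SBOM for $ref" >&2
      failed=$((failed + 1))
    fi
  done < "$list"
  [ "$failed" -eq 0 ]
}

# Usage: ./sbom_all.sh images.txt   (run only when a list file is given)
if [ "$#" -gt 0 ]; then
  scan_image_list "$1"
fi
```

Run it as `OUT_DIR=sboms ./sbom_all.sh images.txt` after writing the image references into `images.txt`; the exit status tells a pipeline whether every image in the list produced an SBOM, and the per-image failure lines on stderr say which references need attention.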