containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0

generate SBOM in both SPDX and CycloneDX formats for container images and attach them by using cosign attach #669

Open developer-guy opened 2 years ago

developer-guy commented 2 years ago

We (w/ @dentrax) thought that Syft is a popular tool that allows us to generate SBOMs easily and quickly. Even the GoReleaser project uses syft under the hood to generate an SBOM. We have recently added cosign support to sign and verify container images while building/pushing and pulling in nerdctl. So, cosign has an SBOM spec defined to let people attach SBOM files (both SPDX and CycloneDX formats) to container images by using the cosign attach command.

So, let's add that support to the nerdctl CLI too. We can generate an SBOM file while pushing the container image, then attach the SBOM file to it.

WDYT?

cc: @dlorenc @AkihiroSuda @luhring @wagoodman

AkihiroSuda commented 2 years ago

What will the CLI look like?

developer-guy commented 2 years ago

IMHO, an --sbom flag should cover all the things and can accept both spdx and cyclonedx as a value. So, the command will look like the following:

$ nerdctl image push -t <foo> --sbom <spdx|cyclonedx> .

AFAIK, Syft can only generate an SBOM file in the SPDX format, so we can use another tool, cyclonedx-go, to generate an SBOM file in the CycloneDX format.

Syft can generate an SBOM file for both formats.

developer-guy commented 2 years ago

We don't have to use syft as an executable. I've recently asked @wagoodman to give us an example of how to use syft as a Go module, and thanks to him, he created a gist for it.

👉 https://gist.github.com/wagoodman/57ed59a6d57600c23913071b8470175b

developer-guy commented 2 years ago

Kindly ping @AkihiroSuda @Dentrax

AkihiroSuda commented 2 years ago

Probably the CLI and the output format should be compatible with https://github.com/docker/sbom-cli-plugin

developer-guy commented 2 years ago

It will be, because they use Syft under the hood too.

developer-guy commented 2 years ago

There are two ways of developing this feature. The first is executing the Syft binary, as we did while implementing the signing feature by executing the cosign binary. The second is depending on Syft packages by adding them to the go.mod file. The Syft binary is about 60MB in size, btw.

developer-guy commented 2 years ago

Kindly ping @AkihiroSuda

AkihiroSuda commented 2 years ago

Executing a separate syft binary is preferable

Dentrax commented 2 years ago

If we maintain a separate syft executable internally, I think it would be better to start related flags with a --syft- prefix.

$ nerdctl image push -t <IMAGE> --sbom-format <SPDX|CYCLONEDX> --sbom-attach --sbom-output /path/to/file

Users may want to either attach the SBOM directly to upstream or export it to the local disk. All flags are optional.

Cross ref: https://github.com/anchore/syft/issues/592

cc @developer-guy @luhring
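As an added illustration of the exec-based design discussed above (execute a separate syft binary, then optionally cosign attach), not code from nerdctl: the syft subcommand/flags (`packages`, `-o`, `--file`) and the cosign flags (`attach sbom --type --sbom`) are assumptions about those tools' CLIs, and the image reference in the comments is constructed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// Proposed --sbom-format values mapped to syft output format names. The syft
// and cosign flags used here are assumptions about those CLIs, not nerdctl code.
var sbomFormats = map[string]string{
	"spdx":      "spdx-json",
	"cyclonedx": "cyclonedx-json",
}

// SyftArgs builds the syft argument vector: scan image, write the SBOM to outPath.
func SyftArgs(image, format, outPath string) ([]string, error) {
	syftFmt, ok := sbomFormats[format]
	if !ok {
		return nil, fmt.Errorf("unsupported --sbom-format %q (want spdx or cyclonedx)", format)
	}
	return []string{"packages", image, "-o", syftFmt, "--file", outPath}, nil
}

// CosignAttachArgs builds the `cosign attach sbom` argument vector that uploads
// the SBOM file to the registry as an artifact referenced from image.
func CosignAttachArgs(image, format, sbomPath string) []string {
	return []string{"attach", "sbom", "--type", format, "--sbom", sbomPath, image}
}

// run execs an external binary (resolved on PATH by exec.Command), the same
// approach nerdctl already takes for cosign signing; output goes to the user.
func run(bin string, args []string) error {
	cmd := exec.Command(bin, args...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

// GenerateAndAttach implements the proposed flag semantics: always write the
// SBOM to outPath (--sbom-output), and only call cosign when --sbom-attach is set.
// Example: GenerateAndAttach("ghcr.io/example/app:1.0", "spdx", "app.spdx.json", true)
func GenerateAndAttach(image, format, outPath string, attach bool) error {
	args, err := SyftArgs(image, format, outPath)
	if err == nil {
		err = run("syft", args)
	}
	if err != nil || !attach {
		return err
	}
	return run("cosign", CosignAttachArgs(image, format, outPath))
}
```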

developer-guy commented 2 years ago

Syft is also capable of attaching an SBOM result^1 in the form of in-toto attestations^2 with its new command called attest^3, and this command also signs the SBOM result and then uploads it to the transparency log. We might also prefer to support this behavior.

developer-guy commented 2 years ago

kindly ping sir @AkihiroSuda

AkihiroSuda commented 2 years ago

> kindly ping sir @AkihiroSuda

https://github.com/containerd/nerdctl/issues/669#issuecomment-1131525143 https://github.com/containerd/nerdctl/issues/669#issuecomment-1148069599

RealHarshThakur commented 1 year ago

Looks like there's been some progress in this aspect with pluggable SBOM generators: https://github.com/docker/buildkit-syft-scanner/tree/master . Docker CLI relies on a flag to attach the SBOM. I think making the image customizable would allow nerdctl to help with forward compatibility, as I'm sure there'll be other adapters in the future. Similarly, we can have SLSA provenance enabled (maybe even by default with mode=min?). More than happy to contribute to this :)

AkihiroSuda commented 1 year ago

> Looks like there's been some progress in this aspect with pluggable SBOM generators: https://github.com/docker/buildkit-syft-scanner/tree/master . Docker CLI relies on a flag to attach the SBOM. I think making the image customizable would allow nerdctl to help with forward compatibility, as I'm sure there'll be other adapters in the future. Similarly, we can have SLSA provenance enabled (maybe even by default with mode=min?). More than happy to contribute to this :)

:+1: What will the CLI look like?

RealHarshThakur commented 1 year ago

The current docker command is this, so a flag: build --sbom=true. I think we can remain docker-like in that aspect and have an environment variable that determines which SBOM generator plugin image users would like to use to generate SBOMs, defaulting to the one Docker uses for now.

AkihiroSuda commented 1 year ago

> The current docker command is this, so a flag: build --sbom=true. I think we can remain docker-like in that aspect and have an environment variable that determines which SBOM generator plugin image users would like to use to generate SBOMs, defaulting to the one Docker uses for now.

SGTM