dotnet / docker-tools

This is a repo to house some common tools for our various docker repos.
MIT License

SBOMs for Arm-based images do not include Linux package descriptions #1150

Closed mthalman closed 2 months ago

mthalman commented 1 year ago

As an example, this is the SBOM of an Alpine 3.17 Arm64 .NET 6 SDK image: manifest.spdx.json (internal link).

It contains no Linux packages.

Looking at the build log provides some more info:

[WARN] Scanning of image sha256:bd605509b85f7f214c594df3e9ae3c1067c01ac6f03facefe3409e94cb0c99a6 failed with exception: Scan failed with exit info: 
standard_init_linux.go:228: exec user process caused: exec format error

This warning only shows up in the Arm build legs.

mthalman commented 1 year ago

[Triage]

This may end up being an issue with https://github.com/microsoft/sbom-tool. We need to investigate further to understand the issue.

lbussell commented 2 months ago

[Triage] this appears to not be an issue any more: https://dev.azure.com/dnceng/internal/_build/results?buildId=2492525&view=logs&j=e27bb03b-8ee4-51d2-159a-afc23d6ec395&t=bd61d781-4732-5a57-18a0-b0bd68c2790c