search

dotnet / dotnet-docker

Docker images for .NET and the .NET Tools.
https://hub.docker.com/_/microsoft-dotnet
MIT License
4.37k stars 1.91k forks source link

Attach SBOMs to images in the container registry #5515

Open lbussell opened 1 month ago

lbussell commented 1 month ago

We can use the ORAS tool to directly attach SBOMs to our images in our container registry. This makes the content of our images more discoverable and opens up the possibility for automation based on the SBOM (for example, rebuilds when we have CVEs or package updates). This can decouple the "scanning" of the image from the actions based on that scan.

SBOMs are an attestation/supply chain artifact and can also be signed:

image

Example

SBOM Discovery

$ oras discover -o tree $IMAGE

myregistry.azurecr.io/net-monitor:v1
├── sbom/example
│   └── sha256:4f1843833c029ecf0524bc214a0df9a5787409fd27bed2160d83f8cc39fedef5
│       └── signature/example
│           └── sha256:3c43b8cb0c941ec165c9f33f197d7f75980a292400d340f1a51c6b325764aa93
├── readme/example
│   └── sha256:5fafd40589e2c980e2864a78818bff51ee641119cf96ebb0d5be83f42aa215af
└── signature/example
    └── sha256:00da2c1c3ceea087b16e70c3f4e80dbce6f5b7625d6c8308ad095f7d3f6107b5

Additional Context

Related:

mthalman commented 1 month ago

Also related: https://github.com/dotnet/docker-tools/issues/1151

lbussell commented 1 month ago

[Triage] There are several questions we'd like to get more clarity on:

  1. How would users consume this SBOM using the ORAS tool or otherwise?
  2. What's our policy on what version of the SBOM spec we apply to a given image?
  3. How do we treat attaching SBOMs to .NET major versions? Would adding SBOMs to an already released .NET version be a breaking change? Removing them certainly would. We want to make sure that ORAS and these OCI artifacts are stable before committing to this for release.
  4. We should be clear about the driving scenarios for implementing this. If we implement this only in order to adopt our other automation, then we shouldn't fund this work if the other work isn't funded.
lbussell commented 1 month ago

[Triage] Before diving into the mechanics of how and when and to what versions to attach SBOMs for, we should research what SBOM generator tools generate for our images. For example, what does .NET's SBOM look like? Is it presentable, or even useful? That should be a prerequisite to attaching SBOMs to our images.