goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

SBOM: Ability to generate SBOM when a container or helm chart is uploaded and updated #16186

Open rudymccomb opened 2 years ago

rudymccomb commented 2 years ago

Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

I have to use a third-party tool like SPDX, CycloneDX, or Anchore Syft to create an SBOM, and Harbor doesn't allow me to add that to the container repo somewhere.

Describe the solution you'd like A clear and concise description of what you want to happen.

I would like the ability to generate SBOMs within Harbor when a container is uploaded and updated. Also the ability for scans to cross-reference SBOMs to determine the vulnerability level of the container/Helm chart.

Describe the main design/architecture of your solution A clear and concise description of what your solution looks like. Rich text and diagrams are preferred.

The SBOM could be optional and offer the ability to use Anchore Syft, SPDX, CycloneDX, and the resulting artifact would live in a tab next to the container layers info. Also, the SBOM could be a downloadable JSON.

Describe the development plan you've considered A clear and concise description of the plan to make the solution ready. It can include a development timeline, resource estimation, and other related things.

Integrate Anchore Syft into Harbor and, just like you did for Clair, update the UI to account for this, and then allow Harbor the option of checking SBOMs against vulnerability scans to determine a Low, Medium, or High threshold for said container or Helm chart.

Additional context Add any other context or screenshots about the feature request here.

https://github.com/anchore/syft

zyyw commented 2 years ago

It's on our roadmap; we are trying to define the spec first, and for the image artifact first.

ChristianCiach commented 2 years ago

The Cosign spec allows SBOM information to be embedded into the cosign artifact. Seeing that Cosign support is on the roadmap for Harbor, it would be nice if Harbor could also embed the SBOM into the generated cosign artifacts.

Or, if you don't want to support that natively, maybe let users somehow plug in their tool of choice (similar to your existing Scanner API) to enrich the cosign data.

See https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

AllardKrings commented 1 year ago

any progress on this request?

rudymccomb commented 8 months ago

any progress on this request?

Yes @AllardKrings, see https://github.com/goharbor/harbor/issues/16397 and https://github.com/goharbor/harbor/issues/19130

I don't believe it's been fully integrated yet.