Open hectorj2f opened 2 years ago
Seeing that support for Cosign is on the roadmap for Harbor, I think there is an opportunity to combine this with SBOM generation, as I've already explained here: https://github.com/goharbor/harbor/issues/16186#issuecomment-1040645001
@ChristianCiach The support for cosign is nearly done, I believe it should already be in an RC. I agree that Harbor could use the cosign SDK to attest a previously generated SBOM.
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
@wy65701436 Do you have any news in relation to this issue?
https://pbs.twimg.com/media/FQT_7sVVkBEyuhq.jpg Docker will use Trivy and would be able to save SBOM files.
anything in progress?
we (w/ @dentrax) thought that generating SBOM automatically with Syft (@luhring) would be a great feature
This is a solid idea and I like it for a future release. Proposal, anyone?
Waiting for some reviews here! https://github.com/goharbor/community/pull/197
Is your feature request related to a problem? Please describe.
Customers want to know what is inside of the pulled images, and they also want to know the authenticity of that generated information.

Describe the solution you'd like
Harbor could have periodic tasks to generate an SBOM for the stored container images. Likewise, I believe Harbor should also attest the generation of the SBOM files to validate the authenticity of the generated BOM.

Describe the main design/architecture of your solution
A service similar to the scanning solution for the images, that generates an SBOM file for each container image that doesn't have an associated SBOM file. There are multiple open source tools to generate SBOM files from container images.
Once the SBOM data has been generated, Harbor could generate an attestation to record a proof of the authenticity of this generated data.

Additional context
There is a thing or two to have in mind. Certain container images might already contain SBOM data which is a combination of multiple SBOM files. Or the container image BOM only reflects a limited runtime part of the dependencies of that image, so the SBOM data might not reflect all the dependencies that the authors might know it has.
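As an added example (not Harbor's code, nor anything from this proposal), the consumer-side check that the attestation design above implies: given one DSSE envelope of the shape `cosign verify-attestation` prints after it has verified the signature, confirm that the wrapped in-toto statement is an SBOM predicate and that its subject digest is the image digest actually pulled, so an SBOM attested for a different image is rejected. The envelope, image digest and package list below are constructed sample data; the signature value is a placeholder because signature verification is assumed to have been done by cosign already.

```python
import base64
import hashlib
import json

# Constructed image digest standing in for the digest Harbor serves for a tag.
IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed-image").hexdigest()

# Constructed in-toto statement: the SBOM predicate bound to the image subject.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "harbor.example/library/app",
                 "digest": {"sha256": IMAGE_DIGEST.split(":")[1]}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "app",
        "packages": [{"name": "openssl", "versionInfo": "3.0.2"},
                     {"name": "zlib", "versionInfo": "1.2.13"}],
    },
}

# Constructed DSSE envelope; "sig" is a placeholder, not a real signature.
ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],
}

# Predicate types cosign uses for SPDX and CycloneDX SBOM attestations.
ALLOWED_PREDICATES = {"https://spdx.dev/Document", "https://cyclonedx.org/bom"}


def check_sbom_attestation(envelope: dict, image_digest: str) -> dict:
    """Return a summary of the SBOM bound to image_digest, or raise ValueError."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("not an in-toto payload")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        raise ValueError("unexpected statement type")
    if statement.get("predicateType") not in ALLOWED_PREDICATES:
        raise ValueError(f"predicate is not an SBOM: {statement.get('predicateType')}")
    algo, _, hexval = image_digest.partition(":")
    # The subject must carry the exact digest pulled; otherwise the SBOM
    # describes some other artifact and says nothing about this image.
    if not any(s.get("digest", {}).get(algo) == hexval
               for s in statement.get("subject", [])):
        raise ValueError("attestation subject does not match image digest")
    pred = statement["predicate"]
    packages = pred.get("packages") or pred.get("components") or []
    return {"predicateType": statement["predicateType"], "packages": len(packages)}
```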