kubewarden / policy-server

Webhook server that evaluates WebAssembly policies to validate Kubernetes requests
https://kubewarden.io
Apache License 2.0

SBOM file to describe which build packages and libc versions are used #315

Closed jvanz closed 2 years ago

jvanz commented 2 years ago

Currently we are generating the SBOM files for the policy server binaries. To improve our security and SSC even further, it's necessary to generate an SBOM file of the system where our binaries and container image are generated.

Therefore, we will make clear which package versions are in use in the build environment. And, more importantly, which version of Musl, the libc used by policy server, is used in each release. All of these files should be attached to the release.

raulcabello commented 2 years ago

I don't know how we can add the build environment info to the sbom files. It looks like the tools we are using do not support that (unless I'm missing something). However, I found the current sbom provides info about which libc version is used:

{
    "name": "libc",
    "SPDXID": "SPDXRef-Package-libc-0.2.132",
    "versionInfo": "0.2.132",
    "supplier": "Organization: The Rust Project Developers",
    "downloadLocation": "https://github.com/rust-lang/libc",
    "filesAnalyzed": false,
    "checksums": [
        {
            "algorithm": "SHA1",
            "checksumValue": "5135f39c9447280f157cd3b0776988a7d639f022"
        }
    ],
    "homepage": "https://github.com/rust-lang/libc",
    "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "NOASSERTION",
    "copyrightText": "NOASSERTION",
    "licenseComments": "NOASSERTION",
    "comment": "NOASSERTION"
}

flavio commented 2 years ago

This is not really the libc provided by the host (glibc/muslc), but a Rust crate that gives access to libc functions.

I would file an issue against one of the tools we are using to generate the SBOM files, asking if it's possible to include information about the build environment being used. We have to be explicit about us using muslc, this is kinda like a cross-building environment.

viccuad commented 2 years ago

Opened https://togithub.com/opensbom-generator/spdx-sbom-generator/issues/274 upstream.

jvanz commented 2 years ago

If the current tool is not able to fetch this info by itself and you know another one which can do that, we can link both files. The SBOM spec allows users to link elements from different files and tell the kind of relationship they have.

An example: https://github.com/spdx/spdx-examples/blob/master/example3/spdx/example3-bin.spdx#L46-L52
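An added example (not code from this thread or from the kubewarden project) of what that linking looks like in SPDX 2.3 JSON: a constructed build-environment document describing musl is referenced from the binary SBOM through an externalDocumentRef (document namespace plus SHA1 of the file bytes), a STATIC_LINK relationship points at DocumentRef-build-env:SPDXRef-Package-musl, and a checker confirms every relationship target resolves and that the linked file's checksum still matches. The namespaces, SPDXIDs and the musl version are placeholders, not values from a real release.

```python
import hashlib
import json


def element_ids(doc: dict) -> set:
    """Identifiers defined inside one document (the document itself and its packages)."""
    return {doc["SPDXID"]} | {p["SPDXID"] for p in doc.get("packages", [])}


def external_ref(doc: dict, ref_id: str) -> dict:
    """externalDocumentRef entry: namespace of `doc` plus SHA1 over its serialized bytes."""
    raw = json.dumps(doc, sort_keys=True, indent=2).encode()  # write the file with these exact bytes
    return {"externalDocumentId": ref_id, "spdxDocument": doc["documentNamespace"],
            "checksum": {"algorithm": "SHA1", "checksumValue": hashlib.sha1(raw).hexdigest()}}


def link_build_env(binary_sbom: dict, build_env: dict, ref_id: str = "DocumentRef-build-env") -> dict:
    """Return a copy of the binary SBOM stating that policy-server statically links the musl
    package described in the build-environment document."""
    out = json.loads(json.dumps(binary_sbom))
    out.setdefault("externalDocumentRefs", []).append(external_ref(build_env, ref_id))
    out.setdefault("relationships", []).append({
        "spdxElementId": "SPDXRef-Package-policy-server",   # assumed id of the binary's package
        "relationshipType": "STATIC_LINK",
        "relatedSpdxElement": f"{ref_id}:SPDXRef-Package-musl"})
    return out


def dangling_targets(sbom: dict, linked_docs: dict) -> list:
    """Relationship targets that resolve neither locally nor in a linked document whose
    checksum matches the externalDocumentRef; `linked_docs` maps DocumentRef ids to documents."""
    refs = {r["externalDocumentId"]: r for r in sbom.get("externalDocumentRefs", [])}
    bad = []
    for rel in sbom.get("relationships", []):
        target = rel["relatedSpdxElement"]
        doc_ref, _, elem = target.rpartition(":")  # doc_ref is "" for a local target
        doc = sbom if not doc_ref else linked_docs.get(doc_ref)
        checksum_ok = not doc_ref or (doc_ref in refs and doc is not None and
                                      refs[doc_ref]["checksum"] == external_ref(doc, doc_ref)["checksum"])
        if doc is None or not checksum_ok or elem not in element_ids(doc):
            bad.append(target)
    return bad


def spdx_doc(name: str, pkg_id: str, pkg_name: str, version: str) -> dict:
    """Minimal constructed SPDX 2.3 document with one package (example data, not a real SBOM)."""
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": name,
            "documentNamespace": f"https://example.invalid/spdx/{name}",
            "packages": [{"name": pkg_name, "SPDXID": pkg_id, "versionInfo": version,
                          "downloadLocation": "NOASSERTION"}]}


# Constructed documents; the musl version is a placeholder for what the builder image reports.
BUILD_ENV = spdx_doc("policy-server-build-env", "SPDXRef-Package-musl", "musl", "MUSL-VERSION-PLACEHOLDER")
BINARY = spdx_doc("policy-server", "SPDXRef-Package-policy-server", "policy-server", "0.0.0")
```

Running `dangling_targets` against the release artefacts is the check that the two files actually reference each other and that the build-environment SBOM attached to the release was not replaced after the binary SBOM was generated.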