At present, we use an interim solution to make chiseled images scannable. That has worked well. We've been waiting for the chisel manifest format to land to move to a more permanent solution. However, scanners don't support the chisel manifest. We talked to @cjdcordeiro about this. His vision is that SBOM tools (starting with the MS one) support chisel manifests as an input and we rely on scanners' ability to read SBOMs.
Our end-to-end vision is this:
SBOM tools support chisel manifests as an input
We run the SBOM tool to generate an SBOM for the container images we publish
We attach the SBOM to our container images as an OCI artifact
Scanners can scan our container images by pulling an image and the associated registry artifact
How does that sound? I'm a bit worried that a registry-based solution might be a breaking change for some users. That's worth discussing.
In reference to https://github.com/dotnet/dotnet-docker/issues/5973
We (.NET Team) have been working closely with Canonical on Chiseled images:
What's the best path to achieving that?
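To make the "attach the SBOM as an OCI artifact" and "scanners pull the image and the associated registry artifact" steps concrete, here is an added example (not code from the .NET team, Canonical, or any SBOM tool) that builds the OCI 1.1 referrer manifest a registry would list for an image, and the check a scanner should run before trusting a discovered SBOM. The image manifest and SBOM bytes are constructed sample inputs; the media type strings are the standard OCI and SPDX ones.

```python
import hashlib
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_EMPTY = "application/vnd.oci.empty.v1+json"
SPDX_JSON = "application/spdx+json"

# Constructed sample inputs (hypothetical image and SBOM, not real published artifacts).
IMAGE_MANIFEST = json.dumps({
    "schemaVersion": 2, "mediaType": OCI_MANIFEST,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "0" * 64, "size": 1},
    "layers": [],
}, sort_keys=True).encode()
SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "example-chiseled-runtime",
    "packages": [{"name": "libc6_libs", "versionInfo": "example"}],
}, sort_keys=True).encode()


def descriptor(blob: bytes, media_type: str) -> dict:
    """OCI content descriptor: the digest binds the referrer to exact bytes."""
    return {"mediaType": media_type,
            "digest": "sha256:" + hashlib.sha256(blob).hexdigest(),
            "size": len(blob)}


def build_sbom_referrer(image_manifest: bytes, sbom: bytes) -> dict:
    """Manifest that carries the SBOM as its only layer and names the image
    manifest in `subject`, so the registry's referrers API lists it for the image."""
    return {
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST,
        "artifactType": SPDX_JSON,
        "config": descriptor(b"{}", OCI_EMPTY),  # OCI 1.1 empty config blob
        "layers": [descriptor(sbom, SPDX_JSON)],
        "subject": descriptor(image_manifest, OCI_MANIFEST),
    }


def referrer_matches(referrer: dict, image_manifest: bytes, sbom: bytes) -> bool:
    """Scanner-side check before trusting a discovered SBOM: the subject must be
    the image manifest actually pulled, and the SBOM layer must hash to the bytes
    fetched; a swapped or edited SBOM (or a referrer for another image) fails."""
    subject_ok = referrer.get("subject") == descriptor(image_manifest, OCI_MANIFEST)
    layers = referrer.get("layers", [])
    layer_ok = len(layers) == 1 and layers[0] == descriptor(sbom, SPDX_JSON)
    return subject_ok and layer_ok and referrer.get("artifactType") == SPDX_JSON
```

Because the referrer is bound to the image manifest digest rather than to a tag, a tag moved to a rebuilt image no longer matches the old SBOM, which is the behaviour a scanner wants.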