-
Notifications
You must be signed in to change notification settings - Fork 589
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Discovery of SBOMs on the Rekor transparency log #1159
Comments
This was referenced Aug 17, 2022
spiffcs
pushed a commit
that referenced
this issue
Aug 24, 2022
This PR adds the ability to discover build-time SBOMs from binaries with the Rekor transparency log. It does this by creating external document references for them in SPDX JSON. Explained in more detail in syft issue #1159
spiffcs
pushed a commit
that referenced
this issue
Oct 21, 2022
This PR adds the ability to discover build-time SBOMs from binaries with the Rekor transparency log. It does this by creating external document references for them in SPDX JSON. Explained in more detail in syft issue #1159 Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
spiffcs
pushed a commit
that referenced
this issue
Oct 21, 2022
This PR adds the ability to discover build-time SBOMs from binaries with the Rekor transparency log. It does this by creating external document references for them in SPDX JSON. Explained in more detail in syft issue #1159 Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
spiffcs
pushed a commit
that referenced
this issue
Oct 25, 2022
This PR adds the ability to discover build-time SBOMs from binaries with the Rekor transparency log. It does this by creating external document references for them in SPDX JSON. Explained in more detail in syft issue #1159 Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
spiffcs
pushed a commit
that referenced
this issue
Oct 25, 2022
This PR adds the ability to discover build-time SBOMs from binaries with the Rekor transparency log. It does this by creating external document references for them in SPDX JSON. Explained in more detail in syft issue #1159 Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Closing as this is superseded by #1291 🙏 |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Motivation
It is not always possible to look inside executables and report accurate information on their contents and dependencies. This information is accessible at the build time of executables, but there has been no general way to propagate this data to a later stage in the software supply chain.
With the development of the Sigstore supply chain security infrastructure, it is now possible to access information from the build time of artifacts. This issue and related PRs propose a way to incorporate this information into Syft.
This PR is part of the broader picture to allow Syft to handle finding SBOMs (#737) and to enable the use of external sources (#1115).
The rekor-cataloger
#1157 contributes a package which can search the Rekor transparency log for information about SBOMs of executables, and the rekor-cataloger, the integration point between the package and Syft.
Demo
To demo the rekor-cataloger, run Syft on an image containing binaries that have SBOMs on Rekor. One such image is here https://hub.docker.com/r/mdeicas/sample-golang-prov.
This is the diff between an execution of syft with and without this PR:
How the rekor-cataloger works
Upon finding an executable, Rekor is searched by hash. The log entries and associated SBOMs are retrieved and verified, and relationships are created. The SBOM information is obtained from an in-toto attestation (https://github.com/in-toto/attestation) associated with the Rekor entry. Here is an example:
The SBOM that is output by Syft uses external reference relationships to refer to the SBOMs discoverd by the rekor-cataloger. Merging the SBOMs was considered to be an optional follow-up feature, and is still under investigation (#617).
The rekor package exports an ExternalRef type that represents information about an external sbom. It is an identifiable, and is placed into a Syft relationship to upstream the information. When mapping the Syft SBOM format to other formats, relationships with ExternalRefs are handled in accordance with each format’s specification. In SPDX, they appear in the external reference documents section in addition to being referenced in a relationship. Here is an example (edited):
The rekor package can only read log entries that are associated with in-toto attestations. The content of the SBOM that is referenced in the attestation must successfully be retrieved to continue execution, and only SPDX SBOMs can be read.
Managing external sources
The use of external sources is new to Syft, and they should be managed carefully (i.e. configurability, clear to users what has been used and how). Accordingly, #1158 introduces a new external sources configuration, an additional function that catalogers must implement, and a cli flag to shut off the use of external sources. This approach assumes that external sources will only come into Syft through catalogers.
Separate from that PR, rekor-cataloger logs a warning indicating what was used to create the output SBOM (see the log output above).
Verification of data
The use of external sources requires verification of data that is found. Absent inconsistencies that are outlined below, the rekor-cataloger currently accepts all Rekor entries that have certificates issued by Fulcio. In the future, the rekor-cataloger can be extended to limit accepted entries to ones that match specific identities.
To explain the verification actions that are taken, simplified depictions of the Rekor log entry and in-toto attestation data formats are shown here:
The rekor package retrieves the Rekor log entry, the associated in-toto attestation, and the SBOM. It performs verification to ensure that the retrieved data has not been tampered with. It verifies that:
These steps ensure that the retrieved information, and the upstream external document reference that is produced, can be trusted if Rekor, Fulcio, and the certificate subject are trusted.
A current limitation of Rekor entries for in-toto attestations does not allow the verification of the certificate subject’s signature over the attestation (sigstore/rekor#582). Once this is possible, Rekor will not need to be trusted.
When a builder, such as the slsa-github-generator (https://github.com/slsa-framework/slsa-github-generator), generates the SBOM and uploads it to Rekor, a path from source code to SBOM is created. In this case, the only trust predicates are the builder and Fulcio.
Surfacing packages versus surfacing binaries
Edit: I realized that Syft can create files, not just packages. Binaries can be represented using files, and the below doesn't apply anymore 😃.
External document references that the rekor-cataloger produces must be related to SBOM entries for executables as opposed to entries for the packages they contain (in-toto attestation subjects are executables, not packages). Currently, Syft only surfaces packages. Binaries that are found, but that cannot be looked inside of, do not appear in the SBOMs output by Syft.
This PR includes a temporary solution to allow the use of the rekor-cataloger for golang binaries. It involves a change (see commit titled “surface external relationships”) to the golang-binary-cataloger to create SBOM entries not only for the packages that executables contain, but also for the executables themselves. This allows the rekor-cataloger to create external reference relationships using the entries for golang executables.
Since no entries are created for binaries that are not golang-compiled, the results from the rekor-cataloger for them will not appear in output SBOMs. Another implication is that the rekor-cataloger cannot be run without the golang-binary cataloger, as rekor-cataloger does not itself create packages.
This also raises the larger question of whether Syft should only surface an executable when it can provide meaningful information for it. The current design prevents the rekor-cataloger’s ability to report information in the output SBOM, but also should raise wider questions about how the completeness of SBOMs output by Syft is perceived. This topic is out of the scope of this issue.
Follow up work
DESCRIBED-BY
an external SBOMThe text was updated successfully, but these errors were encountered: