store image annotations inside the SBOM #2267

Closed
noqcks opened this issue Oct 29, 2023 · 3 comments · Fixed by #2294

Contributor

noqcks commented Oct 29, 2023

What would you like to be added:

I would like to be able to store a container's labels/annotations inside a syft generated SBOM.

For example, the image mongo:4.4 contains these labels/annotations which are set by its base image ubuntu:focal:

```console
$ docker inspect mongo:4.4 | jq ".[0].Config.Labels"
{
  "org.opencontainers.image.ref.name": "ubuntu",
  "org.opencontainers.image.version": "20.04"
}
```

which could be stored inside a CycloneDX SBOM in the properties field like:

```json
"properties": [
        {
            "name": "syft:image:annotation:org.opencontainers.image.ref.name",
            "value": "ubuntu"
        },
        {
            "name": "syft:image:annotation:org.opencontainers.image.version",
            "value": "20.04"
        }
        ...
 ]
```

Why is this needed:

It would be nice to see what base image a container is using, as well as other metadata. This solves #1199.
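
The mapping proposed above, sketched in both directions as an added example (not part of the original issue and not syft's own code): labels become prefixed CycloneDX properties, and an SBOM consumer recovers them to derive a base-image hint. The function names, the `name:version` hint format and the sample input are assumptions made for illustration.

```python
import json

# Property-name prefix taken from the example in the issue.
PREFIX = "syft:image:annotation:"

def labels_to_properties(labels):
    """Map image labels (Config.Labels from docker inspect) to CycloneDX properties."""
    # docker inspect reports "Labels": null for images that carry no labels.
    if not labels:
        return []
    return [{"name": PREFIX + key, "value": str(value)}
            for key, value in sorted(labels.items())]

def properties_to_labels(properties):
    """Recover the label map from a properties list, ignoring unrelated properties."""
    labels = {}
    for prop in properties or []:
        name = prop.get("name", "")
        if name.startswith(PREFIX):
            # CycloneDX permits repeated property names; keep the first value seen.
            labels.setdefault(name[len(PREFIX):], prop.get("value", ""))
    return labels

def base_image_hint(labels):
    """Build a name:version hint from the two OCI labels, or None if absent.

    Assumption of this example: ref.name and version are combined as name:version.
    """
    name = labels.get("org.opencontainers.image.ref.name")
    version = labels.get("org.opencontainers.image.version")
    if not name:
        return None
    return f"{name}:{version}" if version else name

# Constructed sample: the docker inspect output shown in the issue.
SAMPLE_INSPECT = json.loads('''[{"Config": {"Labels": {
  "org.opencontainers.image.ref.name": "ubuntu",
  "org.opencontainers.image.version": "20.04"}}}]''')

if __name__ == "__main__":
    props = labels_to_properties(SAMPLE_INSPECT[0]["Config"]["Labels"])
    props.append({"name": "example:unrelated", "value": "x"})  # constructed extra property
    print(json.dumps(props, indent=2))
    print(base_image_hint(properties_to_labels(props)))
```

Labels are inherited from the base image and can be overridden by any later build stage, so the recovered value is a hint for triage rather than verified provenance.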

@noqcks noqcks added the enhancement New feature or request label Oct 29, 2023
@wagoodman wagoodman moved this to In Review in OSS Nov 8, 2023
@wagoodman wagoodman self-assigned this Nov 8, 2023
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Nov 8, 2023

captn3m0 commented Nov 9, 2023

This is a great addition. Thanks @noqcks!

Contributor Author

noqcks commented Nov 9, 2023

👊 thanks @captn3m0!

@shresthaujjwal

Thanks @captn3m0, any idea if we can have labels in SPDX too?
