Add OCI image annotations, SLSA provenance, and SBOM attestations
Add OCI image annotations to images
These annotations are useful for manual use by people as well as for use by tools. For example, Snyk uses them in its UI and Renovate uses them to find release notes.
See:
- https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
- https://snyk.io/blog/how-and-when-to-use-docker-labels-oci-container-annotations/
- https://github.com/renovatebot/renovate/blob/34.115.1/lib/modules/datasource/docker/readme.md
Attach SLSA provenance attestations to images
The provenance attestations include facts about the build process, including details such as:
- Build timestamps
- Build parameters and environment
- Version control metadata
- Source code details
- Materials (files, scripts) consumed during the build
See:
- https://docs.docker.com/build/attestations/slsa-provenance/
- https://docs.docker.com/build/attestations/slsa-definitions/
Attach SBOM attestations to images
See: https://docs.docker.com/build/attestations/sbom/
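The description above lists what a consumer of these images gets from the annotations and the provenance attestation. The following is an added example (not code from this PR or from the clamav-docker project) of the checks a downstream consumer would run on that metadata: it validates a SLSA v0.2 provenance statement against the image digest it expects and a set of trusted builder ids, confirms the required OCI annotation keys are present, and cross-checks that the revision named in the annotations is the one provenance says was built. The sample statement and annotation map are constructed inline and shaped after the BuildKit output documented at the Docker links above; the builder id, repository URL and digests are placeholders, and the exact field layout is assumed rather than taken from a real image.

```python
"""Consumer-side checks on OCI annotations and a SLSA provenance attestation.

Added example, not part of the clamav-docker project. Field names follow the
OCI pre-defined annotation keys and the SLSA v0.2 provenance predicate; the
sample data below is constructed, with placeholder URLs and digests.
"""
import json
from datetime import datetime

# OCI annotation keys a consumer (Snyk, Renovate, a policy engine) relies on.
OCI_REQUIRED_ANNOTATIONS = (
    "org.opencontainers.image.source",
    "org.opencontainers.image.revision",
    "org.opencontainers.image.version",
    "org.opencontainers.image.created",
)

# Constructed sample of the annotations read from an image config (placeholders).
SAMPLE_ANNOTATIONS = {
    "org.opencontainers.image.source": "https://github.com/example/repo",
    "org.opencontainers.image.revision": "b" * 40,
    "org.opencontainers.image.version": "1.4.0",
    "org.opencontainers.image.created": "2024-09-01T10:05:00Z",
}

# Constructed sample in-toto Statement carrying SLSA v0.2 provenance, shaped after
# what BuildKit emits for `docker buildx build --provenance=true` (assumed layout).
SAMPLE_PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "pkg:docker/example/clamav@1.4.0",
                 "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "builder": {"id": "https://example.invalid/buildkit"},  # placeholder builder id
        "buildType": "https://mobyproject.org/buildkit@v1",
        "invocation": {
            "configSource": {"uri": "https://github.com/example/repo.git#refs/heads/main",
                             "digest": {"sha1": "b" * 40}},
            "parameters": {"frontend": "dockerfile.v0"},
        },
        "materials": [{"uri": "pkg:docker/alpine@3.20",
                       "digest": {"sha256": "c" * 64}}],
        "metadata": {"buildStartedOn": "2024-09-01T10:00:00Z",
                     "buildFinishedOn": "2024-09-01T10:05:00Z"},
    },
})


def _parse_ts(value):
    """Parse an RFC 3339 timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_annotations(annotations, required=OCI_REQUIRED_ANNOTATIONS):
    """Return the required OCI annotation keys that are missing or empty."""
    return [key for key in required if not annotations.get(key)]


def check_provenance(statement_json, expected_digest, trusted_builders):
    """Return a list of findings for a SLSA v0.2 provenance statement.

    An empty list means the statement is bound to the expected image, came from
    a trusted builder, records its source and materials, and has sane timestamps.
    """
    stmt = json.loads(statement_json)
    findings = []
    if stmt.get("_type") != "https://in-toto.io/Statement/v0.1":
        findings.append("not an in-toto v0.1 statement")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        findings.append("unexpected predicateType: %s" % stmt.get("predicateType"))
    # The subject binds the attestation to a specific image digest; anything
    # else is provenance for some other artifact.
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if expected_digest not in digests:
        findings.append("subject digest does not match the image being verified")
    pred = stmt.get("predicate", {})
    builder_id = pred.get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        findings.append("builder %r is not in the trusted set" % builder_id)
    if not pred.get("invocation", {}).get("configSource", {}).get("uri"):
        findings.append("no version-control source recorded in invocation.configSource")
    for material in pred.get("materials", []):
        if not material.get("digest"):
            findings.append("material %s has no digest" % material.get("uri"))
    meta = pred.get("metadata", {})
    try:
        started = _parse_ts(meta["buildStartedOn"])
        finished = _parse_ts(meta["buildFinishedOn"])
        if finished < started:
            findings.append("buildFinishedOn precedes buildStartedOn")
    except (KeyError, ValueError):
        findings.append("build timestamps missing or malformed")
    return findings


def cross_check(statement_json, annotations):
    """True when the revision the annotations claim is the one provenance built from."""
    stmt = json.loads(statement_json)
    source = stmt["predicate"]["invocation"]["configSource"]
    return source.get("digest", {}).get("sha1") == annotations.get(
        "org.opencontainers.image.revision")


if __name__ == "__main__":
    trusted = {"https://example.invalid/buildkit"}
    print("annotations missing:", check_annotations(SAMPLE_ANNOTATIONS))
    print("provenance findings:", check_provenance(SAMPLE_PROVENANCE, "a" * 64, trusted))
    print("revision cross-check:", cross_check(SAMPLE_PROVENANCE, SAMPLE_ANNOTATIONS))
```

In practice the statement JSON comes from the attestation manifest attached to the image (for example via `docker buildx imagetools inspect`), and the expected digest is the one you are about to pull by reference; the point of `check_provenance` is that a passing statement is only meaningful if it is bound to that exact digest and signed by a builder you already trust, which the checks here assume has been verified separately.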
@micahsnyder can you please take a look whenever you get the chance?
Hi Craig! Thanks for this. It looks useful. Either I or someone on my team will review it and get back to you.
@candrews one quick note -- we forgot to merge https://github.com/Cisco-Talos/clamav-docker/pull/54. We built the 1.4.0 release images based on the approved PR branch, but hadn't merged because of new commit signing requirements. Just fixed that and merged it now.
So for your PR we will at least need to rebase with main and add the change for clamav/1.4 files. Sorry for the extra busy work. I only realized when I saw your PR lacked the 1.4 directory.
No worries! I've rebased this MR including adding the changes to 1.4.
We also need to update the changes for ClamAV images with the Database.
Current changes only target the base image and not the latest database image.
Changes are required here for each version, both alpine and debian images. Update DB script
@candrews Did you get a chance to look at @rsundriyal's questions? Also there are some merge conflicts now to resolve.