
expose SBOM component in the attestation

Open migmartri opened this issue 1 year ago • 0 comments

We do not add the component against which the SBOM was generated. This is stored inside the SBOM itself, in the component structure (at least in CycloneDX generated by Syft).


We should expose this information in the material metadata in the attestation so it can be used during attestation-level policies.

Example generated by Syft - controlplane.cyclonedx.json

    "component": {
      "bom-ref": "88a274282e21aefe",
      "type": "container",
      "name": "ghcr.io/chainloop-dev/chainloop/control-plane",
      "version": "v0.96.7"
    }
  }

Example generated by Trivy (note this one also adds a digest)

Note that we need to look into the component output for other components, like file.

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:f5b4ce1e-fd61-4bf7-95a2-0d8bce01cf8e",
  "version": 1,
  "metadata": {
    "timestamp": "2024-09-12T12:58:52+02:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "grype",
          "version": "0.80.0"
        }
      ]
    },
    "component": {
      "bom-ref": "af63bd4c8601b7f1",
      "type": "file",
      "name": "."
    }
  }
}

migmartri avatar Sep 12 '24 11:09 migmartri
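The extraction the issue asks for, as an added example in Go rather than Chainloop's own code: it parses the `metadata.component` section of a CycloneDX JSON SBOM into a flat structure that could be attached to the material metadata, including any `hashes` entries (the CycloneDX place for a digest), and rejects documents that are not CycloneDX or carry no subject component. The three SBOM documents are constructed for this example and mirror the shapes shown above (a container with a version, a `file` component named `.`, and a container with a constructed SHA-256 value); the type and function names are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// cdxHash mirrors a CycloneDX "hashes" entry: {"alg": "SHA-256", "content": "..."}.
type cdxHash struct {
	Alg     string `json:"alg"`
	Content string `json:"content"`
}

// cdxComponent is the subset of metadata.component this example reads.
type cdxComponent struct {
	BOMRef  string    `json:"bom-ref"`
	Type    string    `json:"type"`
	Name    string    `json:"name"`
	Version string    `json:"version"`
	Hashes  []cdxHash `json:"hashes"`
}

// cdxDocument is the subset of the top-level CycloneDX document this example reads.
type cdxDocument struct {
	BOMFormat string `json:"bomFormat"`
	Metadata  struct {
		Component *cdxComponent `json:"component"`
	} `json:"metadata"`
}

// MaterialComponent is the flattened subject information we would expose
// in the material metadata so that attestation-level policies can use it.
type MaterialComponent struct {
	Type    string
	Name    string
	Version string            // empty when the tool did not record one (e.g. a "file" component)
	Digests map[string]string // hash algorithm -> hex content, empty when the SBOM has no hashes
}

// ExtractSBOMComponent parses a CycloneDX JSON SBOM and returns the component
// the SBOM was generated against. It fails on non-CycloneDX input and on
// documents that have no metadata.component, so callers never get a silent empty subject.
func ExtractSBOMComponent(sbom []byte) (*MaterialComponent, error) {
	var doc cdxDocument
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, fmt.Errorf("parsing SBOM: %w", err)
	}
	if doc.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unsupported bomFormat %q", doc.BOMFormat)
	}
	c := doc.Metadata.Component
	if c == nil || c.Name == "" {
		return nil, errors.New("SBOM has no metadata.component")
	}
	out := &MaterialComponent{Type: c.Type, Name: c.Name, Version: c.Version, Digests: map[string]string{}}
	for _, h := range c.Hashes {
		if h.Alg != "" && h.Content != "" {
			out.Digests[h.Alg] = h.Content
		}
	}
	return out, nil
}

// Constructed sample SBOMs (not real tool output); only the fields used above are present.
const SampleContainerSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.6","metadata":{"component":{
  "bom-ref":"88a274282e21aefe","type":"container",
  "name":"ghcr.io/chainloop-dev/chainloop/control-plane","version":"v0.96.7"}}}`

const SampleFileSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.6","metadata":{"component":{
  "bom-ref":"af63bd4c8601b7f1","type":"file","name":"."}}}`

// The SHA-256 value below is constructed (the digest of the empty string), not a real image digest.
const SampleSBOMWithDigest = `{"bomFormat":"CycloneDX","specVersion":"1.6","metadata":{"component":{
  "type":"container","name":"example.invalid/app","version":"1.2.3",
  "hashes":[{"alg":"SHA-256","content":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]}}}`

func main() {
	for _, s := range []string{SampleContainerSBOM, SampleFileSBOM, SampleSBOMWithDigest} {
		c, err := ExtractSBOMComponent([]byte(s))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("type=%s name=%s version=%q digests=%v\n", c.Type, c.Name, c.Version, c.Digests)
	}
}
```

A policy evaluated at the attestation level could then check, for example, that the subject `Type` is `container` rather than `file` (the `.` case above means the SBOM was produced against a directory, not the artifact being attested) and that a digest is present before accepting the material.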