
Generate SPDX SBOMs in JSON form

Open imjasonh opened this issue 2 years ago • 2 comments

Instead of the text form we use today. JSON is just better.

imjasonh avatar Mar 20 '22 17:03 imjasonh

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.

github-actions[bot] avatar Jun 27 '22 01:06 github-actions[bot]

I'd still like to do this.

imjasonh avatar Jun 27 '22 13:06 imjasonh

I found this recently - quay.io doesn't always support spdx+json media types - it fails if ko pushes to a sub-repository (example: quay.io/adambkaplan/hello-world/cmd-md5hash). Quay does support text/spdx+json.

Error: error processing import paths in "-": error resolving image references: writing sbom: PUT https://quay.io/v2/adambkaplan/tekton-results/watcher-83f971ea227fb24157c0c699b824a628/manifests/sha256-0a97f730361efd5ea6ef17f0365af63e25d2a2be55080c91998fce0f4303ecc4.sbom: MANIFEST_INVALID: manifest invalid; map[message:failed to parse manifest: manifest data does not match schema: 'spdx+json' is not one of ['application/vnd.oci.image.layer.v1.tar', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+zstd', 'application/vnd.oci.image.layer.nondistributable.v1.tar', 'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip', 'application/vnd.dev.cosign.simplesigning.v1+json', 'application/vnd.dsse.envelope.v1+json', 'text/spdx', 'text/spdx+xml', 'text/spdx+json', 'application/vnd.syft+json', 'application/vnd.cyclonedx', 'application/vnd.cyclonedx+xml', 'application/vnd.cyclonedx+json', 'application/vnd.in-toto+json', 'application/tar+gzip', 'application/vnd.cncf.helm.chart.content.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.cncf.openpolicyagent.policy.layer.v1+rego', 'application/vnd.cncf.openpolicyagent.data.layer.v1+json']

Failed validating 'enum' in schema['properties']['layers']['items']['properties']['mediaType']:
    {'description': 'The MIME type of the referenced manifest',
     'enum': ['application/vnd.oci.image.layer.v1.tar',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+zstd',
              'application/vnd.oci.image.layer.nondistributable.v1.tar',
              'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip',
              'application/vnd.dev.cosign.simplesigning.v1+json',
              'application/vnd.dsse.envelope.v1+json',
              'text/spdx',
              'text/spdx+xml',
              'text/spdx+json',
              'application/vnd.syft+json',
              'application/vnd.cyclonedx',
              'application/vnd.cyclonedx+xml',
              'application/vnd.cyclonedx+json',
              'application/vnd.in-toto+json',
              'application/tar+gzip',
              'application/vnd.cncf.helm.chart.content.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.cncf.openpolicyagent.policy.layer.v1+rego',
              'application/vnd.cncf.openpolicyagent.data.layer.v1+json'],
     'type': 'string'}

On instance['layers'][0]['mediaType']:
    'spdx+json']
2023/02/01 16:06:07 error during command execution:error processing import paths in "-": error resolving image references: writing sbom: PUT https://quay.io/v2/adambkaplan/tekton-results/watcher-83f971ea227fb24157c0c699b824a628/manifests/sha256-0a97f730361efd5ea6ef17f0365af63e25d2a2be55080c91998fce0f4303ecc4.sbom: MANIFEST_INVALID: manifest invalid; map[message:failed to parse manifest: manifest data does not match schema: 'spdx+json' is not one of ['application/vnd.oci.image.layer.v1.tar', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+zstd', 'application/vnd.oci.image.layer.nondistributable.v1.tar', 'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip', 'application/vnd.dev.cosign.simplesigning.v1+json', 'application/vnd.dsse.envelope.v1+json', 'text/spdx', 'text/spdx+xml', 'text/spdx+json', 'application/vnd.syft+json', 'application/vnd.cyclonedx', 'application/vnd.cyclonedx+xml', 'application/vnd.cyclonedx+json', 'application/vnd.in-toto+json', 'application/tar+gzip', 'application/vnd.cncf.helm.chart.content.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.cncf.openpolicyagent.policy.layer.v1+rego', 'application/vnd.cncf.openpolicyagent.data.layer.v1+json']

Failed validating 'enum' in schema['properties']['layers']['items']['properties']['mediaType']:
    {'description': 'The MIME type of the referenced manifest',
     'enum': ['application/vnd.oci.image.layer.v1.tar',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+zstd',
              'application/vnd.oci.image.layer.nondistributable.v1.tar',
              'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip',
              'application/vnd.dev.cosign.simplesigning.v1+json',
              'application/vnd.dsse.envelope.v1+json',
              'text/spdx',
              'text/spdx+xml',
              'text/spdx+json',
              'application/vnd.syft+json',
              'application/vnd.cyclonedx',
              'application/vnd.cyclonedx+xml',
              'application/vnd.cyclonedx+json',
              'application/vnd.in-toto+json',
              'application/tar+gzip',
              'application/vnd.cncf.helm.chart.content.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.cncf.openpolicyagent.policy.layer.v1+rego',
              'application/vnd.cncf.openpolicyagent.data.layer.v1+json'],
     'type': 'string'}

On instance['layers'][0]['mediaType']:
    'spdx+json']

cc @dmesser

adambkaplan avatar Feb 01 '23 21:02 adambkaplan
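The rejection quoted above is a plain schema check on the layer descriptor: the SBOM blob was fine, but its `mediaType` was the bare string `spdx+json` rather than a registered type such as `text/spdx+json`. The following Go program is an added example, not code from ko, cosign or Quay. It parses an OCI manifest, reports any layer whose media type is outside the enum Quay returned in the error, and rewrites the bare SBOM types to their registered form before the push is attempted. The sample manifest, its digests and the bare-to-registered mapping are constructed for the example; the accepted-type list is copied from the error message above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Layer media types Quay accepted at the time of the error above, copied from
// the enum in its MANIFEST_INVALID response.
var quayAllowedLayerMediaTypes = map[string]bool{
	"application/vnd.oci.image.layer.v1.tar":                       true,
	"application/vnd.oci.image.layer.v1.tar+gzip":                  true,
	"application/vnd.oci.image.layer.v1.tar+zstd":                  true,
	"application/vnd.oci.image.layer.nondistributable.v1.tar":      true,
	"application/vnd.oci.image.layer.nondistributable.v1.tar+gzip": true,
	"application/vnd.dev.cosign.simplesigning.v1+json":             true,
	"application/vnd.dsse.envelope.v1+json":                        true,
	"text/spdx":                                                    true,
	"text/spdx+xml":                                                true,
	"text/spdx+json":                                               true,
	"application/vnd.syft+json":                                    true,
	"application/vnd.cyclonedx":                                    true,
	"application/vnd.cyclonedx+xml":                                true,
	"application/vnd.cyclonedx+json":                               true,
	"application/vnd.in-toto+json":                                 true,
	"application/tar+gzip":                                         true,
	"application/vnd.cncf.helm.chart.content.v1.tar+gzip":          true,
	"application/vnd.cncf.openpolicyagent.policy.layer.v1+rego":    true,
	"application/vnd.cncf.openpolicyagent.data.layer.v1+json":      true,
}

// Bare SBOM media types mapped to the registered types Quay accepts.
// This mapping is the example's assumption, not a table from ko or cosign.
var canonicalSBOMMediaTypes = map[string]string{
	"spdx":           "text/spdx",
	"spdx+json":      "text/spdx+json",
	"cyclonedx+json": "application/vnd.cyclonedx+json",
	"syft+json":      "application/vnd.syft+json",
}

type descriptor struct {
	MediaType string `json:"mediaType"`
	Size      int64  `json:"size"`
	Digest    string `json:"digest"`
}

// Only the fields this check needs; annotations are kept so a round trip
// does not silently drop them.
type manifest struct {
	SchemaVersion int               `json:"schemaVersion"`
	MediaType     string            `json:"mediaType,omitempty"`
	Config        descriptor        `json:"config"`
	Layers        []descriptor      `json:"layers"`
	Annotations   map[string]string `json:"annotations,omitempty"`
}

// ValidateLayerMediaTypes returns one message per layer whose media type is
// outside the enum, which is exactly what Quay's schema check rejects.
func ValidateLayerMediaTypes(raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parsing manifest: %w", err)
	}
	var problems []string
	for i, l := range m.Layers {
		if !quayAllowedLayerMediaTypes[l.MediaType] {
			problems = append(problems, fmt.Sprintf("layers[%d].mediaType %q is not a registered type", i, l.MediaType))
		}
	}
	return problems, nil
}

// CanonicalizeSBOMManifest rewrites bare SBOM layer media types to their
// registered form. Only the descriptor changes: the blob and its digest are
// untouched, so the SBOM content stays the same while the manifest digest changes.
func CanonicalizeSBOMManifest(raw []byte) ([]byte, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parsing manifest: %w", err)
	}
	for i := range m.Layers {
		if c, ok := canonicalSBOMMediaTypes[m.Layers[i].MediaType]; ok {
			m.Layers[i].MediaType = c
		}
	}
	return json.Marshal(m)
}

// LayerMediaTypes lists the layer media types of a manifest, for inspection.
func LayerMediaTypes(raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(m.Layers))
	for _, l := range m.Layers {
		out = append(out, l.MediaType)
	}
	return out, nil
}

// Constructed sample: the shape of a ko/cosign SBOM manifest with the bare
// "spdx+json" layer type from the thread. Digests are placeholders.
const sampleSBOMManifest = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "size": 233,
             "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000"},
  "layers": [{"mediaType": "spdx+json", "size": 4096,
              "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111"}]
}`

func main() {
	problems, _ := ValidateLayerMediaTypes([]byte(sampleSBOMManifest))
	fmt.Println("before:", problems)
	fixed, _ := CanonicalizeSBOMManifest([]byte(sampleSBOMManifest))
	problems, _ = ValidateLayerMediaTypes(fixed)
	fmt.Println("after:", problems)
}
```

Running the check before `ko publish` or `cosign attach sbom` turns the registry's opaque MANIFEST_INVALID into a local message naming the offending layer. In a real pipeline, the rewrite should be done with go-containerregistry's `mutate` package on the image object rather than by round-tripping JSON through a partial struct, so that fields this example does not model (for example `subject`) survive.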

@adambkaplan easy to add though. We are also planning to drop the mediaType filtering in accordance with OCI.

dmesser avatar Feb 02 '23 16:02 dmesser

FWIW, Quay is tracking that here: https://issues.redhat.com/browse/PROJQUAY-5029

dmesser avatar Feb 02 '23 17:02 dmesser

This issue is closed actually, since we're generating SPDX SBOMs in JSON (or "SPDXSBOMiJSON" for short 🙃 )

The issue that SBOMs are pushed with spdx+json was fixed in cosign and picked up by ko in https://github.com/ko-build/ko/pull/933, but it's not released yet.

imjasonh avatar Feb 02 '23 20:02 imjasonh