
Failed to attach a SBOM json to the image in Docker Hub

Open FeynmanZhou opened this issue 2 years ago • 7 comments

I generated an SBOM JSON file using SBOM Tool and then attached it to the docker image in Docker Hub, but it returns error code 400 as follows, is anything not supported by the Docker Hub server side, or is something wrong in my SBOM file?

$ oras attach registry-1.docker.io/pengfeizhou/spark2.4:1.0.0 manifest.spdx.json --artifact-type example/sbom
Uploading 97a5dc071dd1 manifest.spdx.json
Uploaded  97a5dc071dd1 manifest.spdx.json
Error: PUT "https://registry-1.docker.io/v2/pengfeizhou/spark2.4/manifests/sha256:5ed6455151b90a036a7cff0b96c4ff00777284a5f1a4c3a38d8c5825bfbc6018": unexpected status code 400: manifest invalid: manifest invalid

See the reproduced steps from this PR if needed.

FeynmanZhou avatar Sep 13 '22 00:09 FeynmanZhou

It has nothing to do with SBOM. oras attach will generate an oras artifact manifest, which is not supported by docker registry.

qweeah avatar Sep 13 '22 02:09 qweeah

@junczhu Could you help verify whether Docker Hub supports the OCI image manifest?

shizhMSFT avatar Sep 13 '22 03:09 shizhMSFT

> @junczhu Could you help verify whether Docker Hub supports the OCI image manifest?

Sure

junczhu avatar Sep 13 '22 03:09 junczhu

If it supports OCI image manifest, could you try to push a manifest with a refers field?

shizhMSFT avatar Sep 13 '22 03:09 shizhMSFT

> If it supports OCI image manifest, could you try to push a manifest with a refers field?

@shizhMSFT Based on my test, Docker Hub supports OCI image manifest and we can push a manifest with a refers field.

[image]

After updating the manifest, I am still able to pull the image from Docker Hub with the docker CLI. Besides, the refers field can be added to the docker image manifest ("application/vnd.docker.distribution.manifest.v2+json") as well.

/cc @FeynmanZhou @qweeah

Reference: OCI Image Manifest Spec, Docker Registry API, oras-go: PushReference

junczhu avatar Sep 14 '22 05:09 junczhu

@junczhu Does Docker Hub support arbitrary media types for config and layers?

shizhMSFT avatar Sep 14 '22 06:09 shizhMSFT

@shizhMSFT Docker Hub supports arbitrary media types for layers. And based on my test, config media type should match the manifest media type.

e.g.

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1457,
    "digest": ""
  },
  ...
}

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 7023,
    "digest": ""
  },
  ...
}

junczhu avatar Sep 14 '22 06:09 junczhu

We still need to test this case with oras attach to attach artifacts to Docker Hub against the OCI artifact support feature announced by Docker Hub using ORAS CLI 0.16.

FeynmanZhou avatar Nov 01 '22 07:11 FeynmanZhou

I think even attach might have an issue until Docker supports the subject property in an image manifest. I think the oras CLI might need a way to skip putting the subject in case the PUT comes back with an invalid manifest error for the image manifest push, but continue updating the index. @shizhMSFT

sajayantony avatar Nov 01 '22 07:11 sajayantony
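The two practical rules that come out of this thread are junczhu's observation that the config media type has to match the manifest family (Docker v2 config inside a Docker v2 manifest, OCI config inside an OCI manifest) and sajayantony's proposal to retry an attach without the subject when a registry answers 400 "manifest invalid". The script below is an added example written for this page, not ORAS or oras-go code. It builds the kind of OCI image manifest that `oras attach` pushes for a referrer (the thread's `refers` field is the property that the final OCI 1.1 spec names `subject`), lints a manifest against those rules, classifies the registry error from the original report, and produces the subject-less fallback manifest. The empty config descriptor (`application/vnd.oci.empty.v1+json`, body `{}`), the SBOM bytes and the subject manifest are constructed sample values, and `lint_manifest`, `should_retry_without_subject` and `strip_subject` are hypothetical helper names.

```python
"""Build, lint and fall back on OCI referrer manifests (added example, not ORAS code)."""
import hashlib
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_CONFIG = "application/vnd.oci.image.config.v1+json"
OCI_EMPTY = "application/vnd.oci.empty.v1+json"  # OCI 1.1 empty config, assumed here
DOCKER_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
DOCKER_CONFIG = "application/vnd.docker.container.image.v1+json"


def descriptor(data: bytes, media_type: str) -> dict:
    """Content descriptor for a blob: media type, byte size and sha256 digest."""
    return {
        "mediaType": media_type,
        "size": len(data),
        "digest": "sha256:" + hashlib.sha256(data).hexdigest(),
    }


def build_referrer_manifest(subject_bytes: bytes, subject_media_type: str,
                            blob: bytes, blob_media_type: str,
                            artifact_type: str) -> dict:
    """OCI image manifest that attaches `blob` to the manifest `subject_bytes`.

    This is the shape an attach produces when it uses an OCI image manifest
    instead of the ORAS artifact manifest: an empty config, the attached file
    as the single layer, and a `subject` descriptor naming the image.
    """
    return {
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST,
        "artifactType": artifact_type,
        "config": descriptor(b"{}", OCI_EMPTY),
        "layers": [descriptor(blob, blob_media_type)],
        "subject": descriptor(subject_bytes, subject_media_type),
    }


def lint_manifest(manifest: dict) -> list:
    """Return the rules from the thread that `manifest` violates ([] means clean)."""
    problems = []
    media_type = manifest.get("mediaType")
    config_type = manifest.get("config", {}).get("mediaType")
    # Rule from junczhu's test: config media type follows the manifest family.
    if media_type == DOCKER_MANIFEST:
        if config_type != DOCKER_CONFIG:
            problems.append("Docker v2 manifest needs a Docker config media type")
    elif media_type == OCI_MANIFEST:
        if config_type not in (OCI_CONFIG, OCI_EMPTY):
            problems.append("OCI manifest config media type must come from the OCI family")
    else:
        problems.append("unknown manifest media type: %r" % media_type)
    # Every descriptor needs a sha256 digest and a size, or the PUT cannot be verified.
    descriptors = [manifest.get("config", {})] + list(manifest.get("layers", []))
    if "subject" in manifest:
        descriptors.append(manifest["subject"])
    for d in descriptors:
        if not str(d.get("digest", "")).startswith("sha256:") or "size" not in d:
            problems.append("descriptor missing sha256 digest or size: %r" % d)
    return problems


def should_retry_without_subject(status: int, body: str) -> bool:
    """True when a failed manifest PUT looks like the registry rejecting `subject`."""
    return status == 400 and "manifest invalid" in body.lower()


def strip_subject(manifest: dict) -> dict:
    """Fallback from the thread: re-push the same manifest without `subject`."""
    fallback = dict(manifest)
    fallback.pop("subject", None)
    return fallback


# Constructed sample inputs: a minimal image manifest to annotate and an SBOM blob.
SAMPLE_IMAGE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_MANIFEST,
    "config": descriptor(b'{"architecture":"amd64","os":"linux"}', OCI_CONFIG),
    "layers": [descriptor(b"sample-layer-bytes", "application/vnd.oci.image.layer.v1.tar+gzip")],
}).encode()
SAMPLE_SBOM = b'{"spdxVersion": "SPDX-2.2", "name": "spark2.4-sbom"}'
# Error body as it appeared in the original report (status 400).
SAMPLE_ERROR = "unexpected status code 400: manifest invalid: manifest invalid"


def demo() -> dict:
    """Build the referrer, lint it and show the fallback; returns the referrer manifest."""
    referrer = build_referrer_manifest(SAMPLE_IMAGE_MANIFEST, OCI_MANIFEST,
                                       SAMPLE_SBOM, "application/spdx+json", "example/sbom")
    print("lint:", lint_manifest(referrer) or "ok")
    if should_retry_without_subject(400, SAMPLE_ERROR):
        print("registry rejected subject; fallback manifest:")
        print(json.dumps(strip_subject(referrer), indent=2))
    return referrer


if __name__ == "__main__":
    demo()
```

The fallback keeps the artifact pushable but loses the link from SBOM to image that `subject` provides, so a client taking this path has to record the association some other way (the index update the comment above refers to) and a consumer has to know to look there.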

Linking #666

shizhMSFT avatar Nov 01 '22 15:11 shizhMSFT

Closing since Docker Hub does not support the subject field in the OCI image manifest.

shizhMSFT avatar Mar 22 '23 10:03 shizhMSFT