Theme: Talos 1.11 SBOM generation

Open BobyMCbobs opened this issue 2 years ago • 9 comments

End Result

Talos Base

  • attach SPDX file to a Talos release on GitHub
  • attach SPDX as a blob to e.g. siderolabs/imager container (per Talos version)
  • Image Factory to provide SPDX per Talos release

Talos Runtime

  • Provide an API to download SPDX from a running Talos machine (which includes extensions, and covers custom builds).

(This requires SPDX per Talos extension and a way to merge them).

Feature Request

Description

SBOMs are an important way to prove what images and programs are made up of.

They can be generated with

  • https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
  • https://github.com/anchore/syft

then signed and attested with cosign and stored in the container registry as tags https://docs.sigstore.dev/cosign/attestation/

related: https://github.com/siderolabs/talos/issues/7087

keen to hear thoughts!

BobyMCbobs avatar Apr 14 '23 20:04 BobyMCbobs
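The "Talos Runtime" item above needs one SPDX document per extension and a way to merge them with the base SBOM. The script below is an added example (not Talos or Sidero code, and not what the issue's participants proposed) of that merge step for SPDX 2.3 JSON: packages are de-duplicated by purl, every SPDXID is re-issued so that clashing IDs from different inputs cannot be confused, and a relationship that points at an element no input defines is rejected rather than silently kept. Both input documents are constructed sample data; files are not modelled, only packages and relationships.

```python
"""Merge per-component SPDX 2.3 JSON documents into a single document.

Added example, not Talos or Sidero code: it models the "SPDX per Talos
extension plus a way to merge them" step from the issue. The two input
documents are constructed sample data, not real Talos SBOMs.
"""
import copy
import json


def _pkg(spdxid, name, version, purl):
    """Build a minimal SPDX package entry carrying a purl external reference."""
    return {"SPDXID": spdxid, "name": name, "versionInfo": version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}]}


def _rel(src, kind, dst):
    """Build an SPDX relationship entry."""
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}


# Constructed sample: a minimal SPDX 2.3 document for the base image.
BASE_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "talos-base",
    "documentNamespace": "https://example.invalid/spdx/talos-base",
    "packages": [
        _pkg("SPDXRef-Package-talos", "talos", "v1.11.0",
             "pkg:golang/github.com/siderolabs/talos@v1.11.0"),
        _pkg("SPDXRef-Package-zlib", "zlib", "1.3.1", "pkg:generic/zlib@1.3.1"),
    ],
    "relationships": [
        _rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-talos"),
        _rel("SPDXRef-Package-talos", "DEPENDS_ON", "SPDXRef-Package-zlib"),
    ],
}

# Constructed sample: an extension SBOM that re-lists zlib and reuses the SPDXID
# "SPDXRef-Package-talos" for a different package. A naive concatenation of the
# two documents would silently mis-attribute that package's relationships.
EXT_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "talos-ext-example",
    "documentNamespace": "https://example.invalid/spdx/talos-ext-example",
    "packages": [
        _pkg("SPDXRef-Package-talos", "example-extension", "0.1.0",
             "pkg:generic/example-extension@0.1.0"),
        _pkg("SPDXRef-Package-1", "zlib", "1.3.1", "pkg:generic/zlib@1.3.1"),
    ],
    "relationships": [
        _rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-talos"),
        _rel("SPDXRef-Package-talos", "DEPENDS_ON", "SPDXRef-Package-1"),
    ],
}


def package_key(pkg):
    """Identity used for de-duplication: the purl if present, else name@version."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return f"{pkg['name']}@{pkg.get('versionInfo', '')}"


def merge_spdx(docs, name, namespace):
    """Merge SPDX 2.3 documents: packages are de-duplicated by package_key and
    every SPDXID is re-issued, so clashing IDs from different inputs cannot collide."""
    merged = {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
              "SPDXID": "SPDXRef-DOCUMENT", "name": name,
              "documentNamespace": namespace, "packages": [], "relationships": []}
    key_to_id = {}  # package identity -> SPDXID in the merged document
    seen = set()    # (src, type, dst) triples already emitted
    for n, doc in enumerate(docs):
        if doc.get("spdxVersion") != "SPDX-2.3":
            raise ValueError(f"document {n}: expected SPDX-2.3, got {doc.get('spdxVersion')!r}")
        # Per-input map from the input's SPDXIDs to merged SPDXIDs. NONE and
        # NOASSERTION are SPDX keywords, not element references, so they pass through.
        id_map = {"SPDXRef-DOCUMENT": "SPDXRef-DOCUMENT",
                  "NONE": "NONE", "NOASSERTION": "NOASSERTION"}
        for pkg in doc.get("packages", []):
            key = package_key(pkg)
            if key not in key_to_id:
                key_to_id[key] = f"SPDXRef-Package-{len(key_to_id)}"
                new_pkg = copy.deepcopy(pkg)
                new_pkg["SPDXID"] = key_to_id[key]
                merged["packages"].append(new_pkg)
            id_map[pkg["SPDXID"]] = key_to_id[key]
        for rel in doc.get("relationships", []):
            try:
                src, dst = id_map[rel["spdxElementId"]], id_map[rel["relatedSpdxElement"]]
            except KeyError as exc:
                raise ValueError(f"document {n}: relationship references unknown element {exc}") from None
            triple = (src, rel["relationshipType"], dst)
            if triple not in seen:  # identical edges from two inputs collapse to one
                seen.add(triple)
                merged["relationships"].append(_rel(*triple))
    return merged


def described_packages(doc):
    """Names of the packages the document DESCRIBES (its top-level components)."""
    by_id = {p["SPDXID"]: p["name"] for p in doc["packages"]}
    return sorted(by_id[r["relatedSpdxElement"]] for r in doc["relationships"]
                  if r["spdxElementId"] == "SPDXRef-DOCUMENT"
                  and r["relationshipType"] == "DESCRIBES")


if __name__ == "__main__":
    result = merge_spdx([BASE_SBOM, EXT_SBOM], "talos-merged",
                        "https://example.invalid/spdx/talos-merged")
    print(json.dumps(result, indent=2))
```

On the sample data the merged document ends up with three packages (talos, zlib, example-extension), two DESCRIBES edges, and a single zlib entry that both components depend on. Keying on purl rather than on the input SPDXID is what makes the de-duplication safe: SPDXIDs are only unique within one document, while a purl names the same artifact across documents.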

Yep, I fully agree we should enable the SBOMs, as it should be an easy step. There was some debate internally on whether cosign is a good approach from a security perspective, but it should anyway be better than nothing.

smira avatar Apr 18 '23 10:04 smira

In terms of generating the SBOMs, would something like https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md be useful or go version -m <PROGRAM>?

Then the SBOMs can be attested with

cosign attest --predicate /path/to/sbom-spdx.json ghcr.io/siderolabs/talos:tag -y

BobyMCbobs avatar Apr 19 '23 22:04 BobyMCbobs

SBOM is part of the manifest, so cosign will sign it with the image itself.

We need to propagate SBOMs from pkgs which is something we should look into, but it won't be trivial.

smira avatar Apr 20 '23 13:04 smira
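The point that the SBOM "is part of the manifest" refers to how BuildKit publishes attestations: each one is an extra entry in the OCI image index, marked with the annotations `vnd.docker.reference.type: attestation-manifest` and `vnd.docker.reference.digest: <digest of the image manifest it describes>`, so a signature over the index digest covers the attestation entries too. The script below is an added example (not Talos, BuildKit or cosign code) that pairs attestation entries with the image manifests they cover and reports two failure modes a release check would want to catch: a platform image with no attestation at all, and an attestation whose subject digest is not in the index. The index and digests are constructed placeholders.

```python
"""Pair BuildKit-style attestation manifests with the image manifests they cover.

Added example, not Talos, BuildKit or cosign code. BuildKit records SBOM and
provenance attestations as additional index entries annotated with
"vnd.docker.reference.type" = "attestation-manifest" and
"vnd.docker.reference.digest" = <digest of the subject image manifest>.
The index below is constructed sample data with placeholder digests.
"""
import json

REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"
ATTESTATION = "attestation-manifest"
MANIFEST = "application/vnd.oci.image.manifest.v1+json"

# Constructed placeholder digests, not real content hashes.
AMD64 = "sha256:" + "a" * 64        # linux/amd64 image manifest
ARM64 = "sha256:" + "b" * 64        # linux/arm64 image manifest, no attestation
AMD64_ATT = "sha256:" + "c" * 64    # attestation manifest covering AMD64
ORPHAN_ATT = "sha256:" + "d" * 64   # attestation whose subject is absent
ABSENT = "sha256:" + "e" * 64       # digest that appears in no index entry

SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": MANIFEST, "digest": AMD64, "size": 1,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": MANIFEST, "digest": ARM64, "size": 1,
         "platform": {"architecture": "arm64", "os": "linux"}},
        {"mediaType": MANIFEST, "digest": AMD64_ATT, "size": 1,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {REF_TYPE: ATTESTATION, REF_DIGEST: AMD64}},
        {"mediaType": MANIFEST, "digest": ORPHAN_ATT, "size": 1,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {REF_TYPE: ATTESTATION, REF_DIGEST: ABSENT}},
    ],
}


def pair_attestations(index):
    """Return (covered, uncovered, orphaned) for an OCI image index:
    covered   - image manifest digest -> attestation manifest digest
    uncovered - image manifest digests with no attestation (nothing to verify)
    orphaned  - attestation digests whose subject is not in the index
    """
    images, attestations = {}, {}
    for entry in index.get("manifests", []):
        ann = entry.get("annotations") or {}
        if ann.get(REF_TYPE) == ATTESTATION:
            attestations[entry["digest"]] = ann.get(REF_DIGEST)
        else:
            images[entry["digest"]] = entry.get("platform", {})
    covered, orphaned = {}, []
    for att, subject in attestations.items():
        if subject in images:
            covered[subject] = att
        else:
            orphaned.append(att)
    uncovered = [d for d in images if d not in covered]
    return covered, uncovered, orphaned


def describe(index):
    """Human-readable summary, one line per platform image plus any orphans."""
    covered, uncovered, orphaned = pair_attestations(index)
    by_digest = {e["digest"]: e.get("platform", {}) for e in index.get("manifests", [])}
    lines = []
    for digest in by_digest:
        if digest in covered:
            p = by_digest[digest]
            lines.append(f"{p.get('os')}/{p.get('architecture')} {digest[:19]} attested by {covered[digest][:19]}")
        elif digest in uncovered:
            p = by_digest[digest]
            lines.append(f"{p.get('os')}/{p.get('architecture')} {digest[:19]} has NO attestation")
    for att in orphaned:
        lines.append(f"attestation {att[:19]} references a subject not in this index")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_INDEX)))
    print(json.dumps(pair_attestations(SAMPLE_INDEX)[0], indent=2))
```

The pairing is by the annotated subject digest, not by list position, because nothing in the index format guarantees that an attestation entry sits next to the image it describes. An "uncovered" platform is the case a release pipeline should fail on: there is no SBOM for that image to verify, even if every other platform has one.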

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] avatar Jul 04 '24 01:07 github-actions[bot]

This issue was closed because it has been stalled for 7 days with no activity.

github-actions[bot] avatar Jul 09 '24 01:07 github-actions[bot]

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] avatar Jan 06 '25 02:01 github-actions[bot]

Is this something for 2025?

lucsoft avatar Mar 25 '25 23:03 lucsoft

> Is this something for 2025?

quite possibly

smira avatar Mar 26 '25 06:03 smira

Potential path: https://www.docker.com/blog/generate-sboms-with-buildkit/#supplementing-sbo-ms

smira avatar Apr 03 '25 14:04 smira

Nice work on the SBOMs! I see that these are made from syft; would it be possible to also provide CycloneDX files?

lucsoft avatar Aug 12 '25 17:08 lucsoft

> Nice work on the SBOMs! I see that these are made from syft; would it be possible to also provide CycloneDX files?

No, we don't plan to provide other formats, but you can convert SPDX files to whatever format works better for you.

smira avatar Aug 12 '25 17:08 smira

@smira yeah, I'm kinda looking for a good workflow that allows that; the official converter from CycloneDX doesn't support SPDX 2.3 yet.

lucsoft avatar Aug 12 '25 20:08 lucsoft

> @smira yeah, I'm kinda looking for a good workflow that allows that; the official converter from CycloneDX doesn't support SPDX 2.3 yet.

I don't have an answer for that, it probably should go to the SPDX/Cyclone community. If we were to convert ourselves we'd hit the same issue.

The scan process is documented here.

smira avatar Aug 13 '25 10:08 smira