Add support for XML-formatted CycloneDX SBOMs as attestations

Open chaospuppy opened this issue 3 years ago • 4 comments

Description

Currently the cyclonedx option for the cosign attest --type flag expects to receive a CycloneDX SBOM that is JSON formatted. This was a bit ambiguous, and for some use-cases it could be useful to be able to supply CycloneDX SBOMs in an XML format. Tools such as syft produce XML-formatted CycloneDX SBOMs, so this seems like a useful feature to have overall.

chaospuppy avatar Sep 07 '22 18:09 chaospuppy

@chaospuppy Thanks for opening the issue. We don't have support for that in the attest command. I believe it makes sense to create the attestation and the payload all in the same format (instead of having json and xml). Besides that, I know Syft produces cyclonedx docs in JSON format.

hectorj2f avatar Sep 09 '22 07:09 hectorj2f

I gave the syft attest command a try and I also found the cyclonedx xml format is not supported.

 could not produce attestation predicate for given format: ["cyclonedx-xml"]. Available formats: [syft-json spdx-json cyclonedx-json]

hectorj2f avatar Sep 09 '22 07:09 hectorj2f

Hi @hectorj2f I should have been more clear about the syft command I was referencing. syft as of version 0.30.1 will output a CycloneDX SBOM in XML format when running commands similar to the following to generate a CycloneDX SBOM:

[anchore@4d1cb1766ca3 anchore-engine]$ syft docker.io/busybox:latest --scope all-layers -o cyclonedx
New version of syft is available: 0.55.0
 ✔ Parsed image
 ✔ Cataloged packages      [0 packages]
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1" serialNumber="urn:uuid:a22cbcc7-8168-4133-8396-f30dd8a56c9a">
  <metadata>
    <timestamp>2022-09-09T16:18:40Z</timestamp>
    <tools>
      <tool>
        <vendor>anchore</vendor>
        <name>syft</name>
        <version>0.30.1</version>
      </tool>
    </tools>
    <component type="container">
      <name>docker.io/busybox:latest</name>
      <version>sha256:15a3c8a1b44b5ef66f9b4b2e1875b50302d100e116f1d4d5ede71d5ac63177c3</version>
    </component>
  </metadata>
  <components></components>
</bom>

At least up until 0.30.1, XML was the only available output format for CycloneDX SBOM generation with syft.

As of the latest syft version, 0.55.1, syft offers two possible output formats for CycloneDX: cyclonedx-xml and cyclonedx-json:

╰─ syft version                                                                            ─╯
Application:        syft
Version:            0.55.0
JsonSchemaVersion:  3.3.2
BuildDate:          2022-08-29T20:03:04Z
GitCommit:          a7966a4d9d8155be788af33fe5e5af2e40043f82
GitDescription:     v0.55.0
Platform:           darwin/arm64
GoVersion:          go1.18.5
Compiler:           gc

╰─ syft --help                                 ─╯
Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems
...
  -o, --output stringArray         report output format, options=[syft-json cyclonedx-xml cyclonedx-json github github-json spdx-tag-value spdx-json table text template] (default [table])
...

So it's still possible to generate an XML-formatted SBOM that could later be used as a cosign attestation, if this feature were made available.

chaospuppy avatar Sep 09 '22 16:09 chaospuppy
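An added example (not cosign's or syft's own code): a small Go sniffer that tells CycloneDX JSON, the encoding cosign attest --type cyclonedx currently accepts, apart from the XML that syft emits with -o cyclonedx-xml, and rejects anything that is not a CycloneDX document at all. It keys on the <bom> root's namespace and serialNumber seen in the syft output above; the names detectCycloneDX and SBOMInfo are assumptions of this example, and sampleXML is that syft output trimmed to its root element.

```go
package main

import (
	"bytes"
	"encoding/json"
	"encoding/xml"
	"fmt"
	"strings"
)

// cycloneDXNS is the CycloneDX XML namespace prefix; the spec version follows it.
const cycloneDXNS = "http://cyclonedx.org/schema/bom/"

// SBOMInfo is what the sniffer reports about a CycloneDX document.
type SBOMInfo struct{ Encoding, SpecVersion, SerialNumber string }

// detectCycloneDX distinguishes the JSON encoding (accepted by cosign attest
// --type cyclonedx) from syft's cyclonedx-xml encoding, rejecting non-CycloneDX input.
func detectCycloneDX(doc []byte) (SBOMInfo, error) {
	doc = bytes.TrimLeft(doc, " \t\r\n\uFEFF") // tolerate leading whitespace / UTF-8 BOM
	switch {
	case bytes.HasPrefix(doc, []byte("{")):
		var j struct{ BomFormat, SpecVersion, SerialNumber string } // matched case-insensitively
		if err := json.Unmarshal(doc, &j); err != nil {
			return SBOMInfo{}, fmt.Errorf("invalid JSON: %w", err)
		}
		if j.BomFormat != "CycloneDX" { // e.g. an SPDX JSON document lands here
			return SBOMInfo{}, fmt.Errorf("JSON is not CycloneDX (bomFormat=%q)", j.BomFormat)
		}
		return SBOMInfo{"json", j.SpecVersion, j.SerialNumber}, nil
	case bytes.HasPrefix(doc, []byte("<")):
		var x struct {
			XMLName      xml.Name `xml:"bom"` // root must be <bom>; namespace checked below
			SerialNumber string   `xml:"serialNumber,attr"`
		}
		if err := xml.Unmarshal(doc, &x); err != nil {
			return SBOMInfo{}, fmt.Errorf("invalid XML or root is not <bom>: %w", err)
		}
		if !strings.HasPrefix(x.XMLName.Space, cycloneDXNS) {
			return SBOMInfo{}, fmt.Errorf("XML <bom> has non-CycloneDX namespace %q", x.XMLName.Space)
		}
		return SBOMInfo{"xml", strings.TrimPrefix(x.XMLName.Space, cycloneDXNS), x.SerialNumber}, nil
	}
	return SBOMInfo{}, fmt.Errorf("document is neither JSON nor XML")
}

// sampleXML is the syft cyclonedx-xml output quoted in the thread, trimmed to its root.
const sampleXML = `<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1" serialNumber="urn:uuid:a22cbcc7-8168-4133-8396-f30dd8a56c9a"><components></components></bom>`

func main() {
	info, err := detectCycloneDX([]byte(sampleXML))
	fmt.Println(info, err) // prints: {xml 1.2 urn:uuid:a22cbcc7-8168-4133-8396-f30dd8a56c9a} <nil>
}
```

Run it against the file you are about to pass to cosign attest: an "xml" result means the payload will not be accepted as --type cyclonedx until XML support exists, and an error means the file is not a CycloneDX SBOM at all.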

This isn't a critical add, just a feature of convenience in case only XML CycloneDX SBOMs are available to those looking to add them as attestations.

chaospuppy avatar Sep 09 '22 16:09 chaospuppy