
Question: SBOM for chiseled Ubuntu images #51

Open
neovatar opened this issue Mar 21, 2023 · 9 comments

Comments

@neovatar

I experimented with chisel and liked it, since I was able to create extremely small images based on Ubuntu 22.04.

But I also noticed that SBOM generators (like https://github.com/anchore/syft) cannot detect packages installed inside the image (since there is no information in /var/lib/dpkg/status*). This will affect a multitude of security scanning tools that rely on packaging information from dpkg (or apk or others) to detect if a component inside an image is affected by a security CVE.

Are there any plans to include an SBOM or packaging info in chiseled images, so that the versions of the installed Ubuntu packages are not obfuscated?

E.g. in the distroless images, the deb package info and the md5sums are placed into /var/lib/dpkg/status.d/*
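To make the problem concrete, here is an added example (not code from the issue or from the Chisel project) of the metadata lookup a dpkg-aware scanner performs: it parses dpkg status-format stanzas from `/var/lib/dpkg/status` and from per-package files under `/var/lib/dpkg/status.d/` (the distroless layout mentioned above), and returns `None` when a rootfs carries neither, which is exactly the blind spot described for chiselled images. The sample stanzas and the `demo()` rootfs are constructed for illustration.

```python
"""Read dpkg package metadata from a container rootfs the way an SBOM
scanner would, and detect the case where no such metadata exists."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample stanzas in dpkg control format (not taken from a real image).
SAMPLE_STATUS_D = {
    "libc6": (
        "Package: libc6\n"
        "Version: 2.35-0ubuntu3.1\n"
        "Architecture: amd64\n"
        "Source: glibc\n"
        "Description: GNU C Library: Shared libraries\n"
        " Contains the standard libraries that are used by nearly all programs.\n"
    ),
    "libssl3": (
        "Package: libssl3\n"
        "Version: 3.0.2-0ubuntu1.10\n"
        "Architecture: amd64\n"
        "Source: openssl (3.0.2-0ubuntu1.10)\n"
    ),
}


def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Split dpkg control text on blank lines; return one field dict per stanza.
    Continuation lines (leading whitespace) are folded into the previous field."""
    records: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        last: Optional[str] = None
        for line in block.splitlines():
            if line[:1].isspace() and last:
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip()
                fields[last] = value.strip()
        if "Package" in fields:  # skip fragments without a package name
            records.append(fields)
    return records


def normalise(fields: Dict[str, str]) -> Dict[str, str]:
    """Reduce a stanza to the fields a vulnerability matcher keys on.
    'Source: openssl (3.0.2-...)' carries a version in parentheses; drop it."""
    source = re.sub(r"\s*\(.*\)$", "", fields.get("Source", fields["Package"]))
    return {
        "name": fields["Package"],
        "version": fields.get("Version", ""),
        "arch": fields.get("Architecture", ""),
        "source": source,
    }


def collect_dpkg_metadata(rootfs: Path) -> Optional[List[Dict[str, str]]]:
    """Return package records found under <rootfs>/var/lib/dpkg, or None if the
    rootfs has no dpkg metadata at all (the chiselled-image case)."""
    dpkg = rootfs / "var" / "lib" / "dpkg"
    sources: List[Path] = []
    if (dpkg / "status").is_file():
        sources.append(dpkg / "status")
    status_d = dpkg / "status.d"
    if status_d.is_dir():
        # status.d holds one control file per package plus <pkg>.md5sums files;
        # only the control files carry Package/Version stanzas.
        sources += sorted(p for p in status_d.iterdir()
                          if p.is_file() and not p.name.endswith(".md5sums"))
    if not sources:
        return None
    packages: List[Dict[str, str]] = []
    for path in sources:
        packages.extend(normalise(f) for f in parse_stanzas(path.read_text()))
    return packages


def demo(chiselled: bool = False) -> Optional[List[Dict[str, str]]]:
    """Build a throwaway rootfs: distroless-style status.d, or empty (chiselled)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        if not chiselled:
            status_d = root / "var" / "lib" / "dpkg" / "status.d"
            status_d.mkdir(parents=True)
            for name, stanza in SAMPLE_STATUS_D.items():
                (status_d / name).write_text(stanza)
                # Constructed placeholder checksum list, like distroless ships.
                (status_d / f"{name}.md5sums").write_text(
                    "d41d8cd98f00b204e9800998ecf8427e  usr/lib/placeholder\n")
        return collect_dpkg_metadata(root)


if __name__ == "__main__":
    print("distroless-style rootfs:", demo())
    print("chiselled-style rootfs:", demo(chiselled=True))
```

Running it shows two package records for the distroless-style layout and `None` for the empty one; a scanner that gets `None` here has nothing to match against advisories, regardless of what binaries are actually present.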

@cjdcordeiro
Collaborator

Hi @neovatar!

The ability to audit chiselled images is a must, indeed.

We are already working on it, so it won't take long ;)

@neovatar
Author

Thanks @cjdcordeiro - that's good to hear!

Are there any branches yet to see how you'll approach it? Do you want me to keep the question open or close the issue?

@cjdcordeiro
Collaborator

No branches yet, but please do leave the issue open so you'll get updated when the feature arrives.

@loewenstein

Is there any update on this? I agree that this is a must have.

@cjdcordeiro
Collaborator

Hi @loewenstein,

the feature is being proposed by a series of PRs (like this). We refer to the capability as the "Chisel DB". Once it is merged, then we'll have sufficient data for scanning tools to be able to generate SBOMs and vuln reports (though the support for the Chisel DB will still have to reach these scanning tools).

@loewenstein

> though the support for the Chisel DB will still have to reach these scanning tools

Why wait for scanning tools to adapt to Chisel? I could imagine this taking a while, depending on Chisel adoption of course.
I would like to additionally see Chisel itself providing an SBOM in one of the standard formats (like CycloneDX or SPDX). If that's available on the image, then Anchore's Syft will even pick it up.

@cjdcordeiro
Collaborator

Having Chisel itself create the SBOM isn't planned for implementation in the near future, I'm afraid. The Chisel DB will be the source of truth for additional tooling to create said SBOMs, and our priority will be to collaborate with popular 3rd-party tools to get them to support this new format.

@robertk3s

@cjdcordeiro If Chisel DB is intended to be added, can you give an outlook on when to expect it to be added to chisel (I haven't found it)? Also, is there documentation on it? It would be great to know what the format looks like (it was supposed to be a file, right?) and what content to expect.
Thanks

@cjdcordeiro
Collaborator

Hi @robertk3s. Once #131 is merged, we should be one PR away from landing it. The final format will be a zstd compressed "jsonwall" file. This "jsonwall" format will be documented in the project's README for now (while we work on centralized docs) and you should expect it to be json compliant.
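The two ideas above, a line-oriented JSON file as the source of truth (the "jsonwall" described in this comment) and a standard SBOM format generated from it (the CycloneDX/SPDX suggestion earlier in the thread), fit together in the added example below. It is not code from the issue or from the Chisel project: the record layout (`kind`, `name`, `version`, `arch`) and the header line carrying a `jsonwall` key are assumptions made for illustration, not the documented Chisel DB schema, and the input is a constructed sample. The reader skips the header, parses each remaining line as its own JSON document (so one corrupt line fails loudly instead of silently dropping packages), and builds a minimal CycloneDX 1.4 BOM with Debian package URLs that tools like Syft and Grype understand. Only genuinely zstd-compressed input (recognised by its magic bytes) needs the third-party `zstandard` package.

```python
"""Turn a jsonwall-style package list into a minimal CycloneDX 1.4 BOM."""
import json
from typing import Any, Dict, Iterator, List
from urllib.parse import quote

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"  # first four bytes of every zstd frame

# Constructed sample. Header line plus one JSON object per line; the
# 'kind'/'name'/'version'/'arch' keys are a hypothetical layout, not the
# real Chisel DB schema.
SAMPLE_JSONWALL = b"""{"jsonwall":"1.0","count":3}
{"kind":"package","name":"libc6","version":"2.35-0ubuntu3.1","arch":"amd64"}
{"kind":"package","name":"libssl3","version":"3.0.2-0ubuntu1.10","arch":"amd64"}
{"kind":"path","path":"/usr/lib/x86_64-linux-gnu/libssl.so.3","slices":["libssl3_libs"]}
"""


def maybe_decompress(data: bytes) -> bytes:
    """Decompress only if the payload is a zstd frame; pass plain bytes through."""
    if data[:4] != ZSTD_MAGIC:
        return data
    import zstandard  # third-party package, needed only for compressed input
    # decompressobj() works even when the frame omits the content size.
    return zstandard.ZstdDecompressor().decompressobj().decompress(data)


def iter_records(data: bytes) -> Iterator[Dict[str, Any]]:
    """Yield every record line as a dict; the header (assumed to carry a
    'jsonwall' key on line 1) is skipped. A malformed line raises
    json.JSONDecodeError rather than being ignored."""
    text = maybe_decompress(data).decode("utf-8")
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        obj = json.loads(line)
        if lineno == 1 and "jsonwall" in obj:
            continue
        yield obj


def packages(data: bytes) -> List[Dict[str, Any]]:
    """Select the package records (assumed kind == "package")."""
    return [r for r in iter_records(data) if r.get("kind") == "package"]


def deb_purl(pkg: Dict[str, Any], distro: str) -> str:
    """Build a Debian package URL; percent-encode so '+' or '~' in versions
    survive (purl requires encoding of such characters)."""
    return (f"pkg:deb/ubuntu/{quote(pkg['name'], safe='')}"
            f"@{quote(pkg['version'], safe='')}"
            f"?arch={quote(pkg['arch'], safe='')}&distro={distro}")


def to_cyclonedx(data: bytes, distro: str = "ubuntu-22.04") -> Dict[str, Any]:
    """Assemble a minimal CycloneDX 1.4 JSON document from the package records."""
    components = [
        {"type": "library", "name": p["name"], "version": p["version"],
         "purl": deb_purl(p, distro)}
        for p in packages(data)
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "version": 1, "components": components}


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(SAMPLE_JSONWALL), indent=2))
```

The distro qualifier is passed in rather than guessed, because Ubuntu advisory matching depends on the release; a wrong `distro` value produces a BOM that scanners accept but match incorrectly.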
