Add Rake task for building SBOM files #4356

Closed
wants to merge 2 commits into from

Conversation


@cosmo0920 cosmo0920 commented Dec 4, 2023

Which issue(s) this PR fixes:
Related to fluent/fluentd-docs-gitbook#481.

What this PR does / why we need it:
To provide machine-friendly license information, we should provide SBOM files which are able to be handled by Trivy or other security tools.
Currently, two SBOM types exist. One contains SPDX license information. The other is the CycloneDX format.

This added rake task can be executed as:

$ SBOM_VERSION=1.16.3 bundle exec rake sbom

This is because Fluentd v1.16.3 has diverged from the current master, so we need to specify that version if we want to generate SBOM files for it.

Docs Changes:

Needed, but where should we mention it?

Release Note:
Same as the title.

Verified

This commit was signed with the committer’s verified signature.
cosmo0920 Hiroshi Hatake
Signed-off-by: Hiroshi Hatake <[email protected]>

@cosmo0920 cosmo0920 self-assigned this Dec 4, 2023
@cosmo0920 cosmo0920 requested review from ashie, kenhys and daipom December 4, 2023 04:59
task :sbom do
require 'fluent/version'
version = ENV["SBOM_VERSION"] || Fluent::VERSION
sh "docker sbom fluent/fluentd:v#{version}-debian-amd64-1.0 --output licenses/fluentd-latest.spdx.json --format spdx-json"
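Review bot: the `sh "docker sbom ..."` line always writes to `licenses/fluentd-latest.spdx.json`, so running with `SBOM_VERSION=1.16.3` silently overwrites whatever was generated for master; name the output by `version`, e.g. `licenses/fluentd-#{version}.spdx.json`. The image revision suffix `-1.0` is also hard-coded into the tag, so a rebuilt `v#{version}-debian-amd64-1.1` image would never be scanned, and because the task passes a tag rather than an image digest, the resulting SBOM describes whatever that tag points to at the moment the task runs.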
Contributor

Should it use a specific version of the sbom plugin?
https://github.com/docker/sbom-cli-plugin

I've executed it locally; it seems the outcome is a bit different.

Contributor Author

I'm just using the sbom subcommand which is included in Docker Desktop 4.24.2 (124339).

Contributor Author

If the generated SBOM files are not comfortable for y'all, I'll remove the commit 8cb884f from this PR. What do you think?

Contributor

@kenhys kenhys Dec 15, 2023

@cosmo0920

Basically, it is a good thing to provide an SBOM, but I'm not sure it should be managed in fluent/fluentd.

By the way, how about using the result of tags?

`curl --silent https://hub.docker.com/v2/namespaces/fluent/repositories/fluentd/tags  | jq --raw-output '.results[] | select (.name | startswith("#{version}-debian-amd64-1.")) | .name'`
v1.16.3-debian-amd64-1.0
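
The tag lookup kenhys suggests, carried into Ruby as an added example that is not code from this PR or from fluentd: it applies the same startswith predicate as the jq filter to a constructed copy of the Docker Hub tags response, picks the highest image revision for the requested version, and names the output file by version instead of "latest". The sample JSON, the `bare_version` helper and the `ARGV[0]` file argument are assumptions of this example.

```ruby
# Added example, not code from the PR: kenhys's tag lookup (same predicate as
# his jq filter) plus a docker sbom command with a version-named output path.
require 'json'
# Constructed sample of the Docker Hub tags response; only results[].name
# is read, exactly as the jq filter does.
SAMPLE_TAGS_JSON = <<~JSON
  {"results": [
    {"name": "v1.16.3-debian-amd64-1.0"},
    {"name": "v1.16.3-debian-amd64-1.1"},
    {"name": "v1.16.3-debian-arm64-1.0"},
    {"name": "v1.16.2-debian-amd64-1.0"}
  ]}
JSON

# Accept "1.16.3" (what SBOM_VERSION / Fluent::VERSION give) or "v1.16.3".
def bare_version(version)
  version.sub(/\Av/, '')
end

# Tags matching "v<version>-debian-amd64-1.", ordered by the trailing image
# revision number so the newest rebuild of that release comes last.
def matching_tags(tags_json, version)
  prefix = "v#{bare_version(version)}-debian-amd64-1."
  JSON.parse(tags_json).fetch('results')
      .map { |r| r['name'] }
      .select { |n| n.start_with?(prefix) }
      .sort_by { |n| n.delete_prefix(prefix).to_i }
end

# Fail loudly instead of handing docker sbom a tag that does not exist.
def latest_tag(tags_json, version)
  tag = matching_tags(tags_json, version).last
  raise "no fluent/fluentd tag matches v#{bare_version(version)}-debian-amd64-1.*" unless tag
  tag
end

# Argument vector for docker sbom; the output is named by version, not
# "latest", so generating v1.16.3's SBOM cannot overwrite another release's.
def sbom_command(tag, version, format: 'spdx-json', ext: 'spdx.json')
  ['docker', 'sbom', "fluent/fluentd:#{tag}",
   '--output', "licenses/fluentd-#{bare_version(version)}.#{ext}",
   '--format', format]
end

if __FILE__ == $PROGRAM_NAME
  version = ENV['SBOM_VERSION'] || '1.16.3'
  json = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_TAGS_JSON # ARGV[0]: saved curl output
  puts sbom_command(latest_tag(json, version), version).join(' ')
end
```

Save the output of kenhys's curl command to a file and pass its path as the first argument to resolve against the real tag list.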

Contributor Author

Ah, that's really good. And I agree to put SBOMs in fluent/fluent-docker-image instead of here.
Or, like pixie, we need to implement SBOMs as auto-generated files in the future.
https://github.com/pixie-io/pixie/tree/main/tools/licenses
