
Add OCI image annotations, SLSA provenance, and SBOM attestations #55

Open
wants to merge 3 commits into
base: main
from

Conversation

candrews

Add OCI image annotations to images

These annotations are useful for people to manual use as well as for use by tools. For example, Snyk uses them in its UI and Renovate uses them to find release notes.

See:
https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys

Attach SLSA provenance attestations to images

The provenance attestations include facts about the build process, including details such as:

  • Build timestamps
  • Build parameters and environment
  • Version control metadata
  • Source code details
  • Materials (files, scripts) consumed during the build

See:
  • https://docs.docker.com/build/attestations/slsa-provenance/
  • https://docs.docker.com/build/attestations/slsa-definitions/

Attach SBOM attestations to images

See: https://docs.docker.com/build/attestations/sbom/
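Attaching provenance is only half of the story: something downstream has to read the attestation and decide whether to trust the image. The following is an added example, not code from this PR or from the ClamAV project, of the consumer-side check for a SLSA v0.2 provenance statement in the shape BuildKit emits for `--provenance mode=max,builder-id=...`. The Jenkins URL, repository, digests and timestamps in the sample statement are constructed placeholders; the checks (builder identity, source URI and pinned revision, subject digest, pinned materials, RFC 3339 timestamps, completeness flags) are the ones a verifier would apply before admitting the image.

```python
import json
import re
from datetime import datetime

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

# What the verifier is configured to trust. Hostname, repository and digest
# are placeholders (assumptions), not the project's real values.
TRUSTED_BUILDER = "https://jenkins.example.internal/job/clamav-docker/"
EXPECTED_SOURCE = "https://github.com/example/clamav-docker"
SAMPLE_DIGEST = "a" * 64

# Constructed sample in the shape BuildKit produces for --provenance mode=max.
# It is not a real attestation; digests are filler.
SAMPLE_STATEMENT = json.dumps({
    "_type": IN_TOTO_STATEMENT,
    "predicateType": SLSA_V02,
    "subject": [{"name": "pkg:docker/example/clamav@1.4.0-7",
                 "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {
        "builder": {"id": TRUSTED_BUILDER + "7/"},
        "buildType": "https://mobyproject.org/buildkit@v1",
        "invocation": {
            "configSource": {"uri": EXPECTED_SOURCE + ".git#refs/heads/main",
                             "digest": {"sha1": "b" * 40},
                             "entryPoint": "Dockerfile"},
            "parameters": {"frontend": "dockerfile.v0", "args": {}},
        },
        "materials": [{"uri": "pkg:docker/debian@bookworm-slim?platform=linux%2Famd64",
                       "digest": {"sha256": "c" * 64}}],
        "metadata": {"buildStartedOn": "2024-08-20T10:00:00Z",
                     "buildFinishedOn": "2024-08-20T10:05:00Z",
                     "completeness": {"parameters": True, "environment": True, "materials": True},
                     "reproducible": False},
    },
})


def _parse(ts):
    # datetime.fromisoformat does not accept a trailing "Z" on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_provenance(statement_json, trusted_builder_prefix, expected_source, expected_digest):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    st = json.loads(statement_json)
    if st.get("_type") != IN_TOTO_STATEMENT:
        findings.append("not an in-toto v0.1 statement")
    if st.get("predicateType") != SLSA_V02:
        findings.append("predicateType is not SLSA provenance v0.2")
        return findings  # the predicate layout below only applies to SLSA v0.2
    # The statement must be about the exact image we are about to run.
    digests = {s.get("digest", {}).get("sha256") for s in st.get("subject", [])}
    if expected_digest not in digests:
        findings.append("subject digest does not match the image being verified")
    pred = st.get("predicate", {})
    # builder.id is the trust anchor: only our CI may have produced this.
    builder_id = pred.get("builder", {}).get("id", "")
    if not builder_id.startswith(trusted_builder_prefix):
        findings.append(f"untrusted builder.id {builder_id!r}")
    # Source must be our repository and pinned to a revision, not just a branch.
    cfg = pred.get("invocation", {}).get("configSource", {})
    if not cfg.get("uri", "").startswith(expected_source):
        findings.append(f"configSource.uri {cfg.get('uri')!r} is not {expected_source}")
    if not cfg.get("digest"):
        findings.append("configSource has no digest (source revision not pinned)")
    for m in pred.get("materials", []):
        if not m.get("digest"):
            findings.append(f"material {m.get('uri')!r} has no digest")
    meta = pred.get("metadata", {})
    started, finished = meta.get("buildStartedOn", ""), meta.get("buildFinishedOn", "")
    for label, ts in (("buildStartedOn", started), ("buildFinishedOn", finished)):
        if not RFC3339.match(ts):
            findings.append(f"{label} is not an RFC 3339 timestamp")
    if RFC3339.match(started) and RFC3339.match(finished) and _parse(finished) < _parse(started):
        findings.append("buildFinishedOn precedes buildStartedOn")
    if not meta.get("completeness", {}).get("materials"):
        findings.append("metadata.completeness.materials is false: material list may be partial")
    return findings


if __name__ == "__main__":
    tampered = SAMPLE_STATEMENT.replace("jenkins.example.internal", "ci.attacker.example")
    for label, doc in (("clean", SAMPLE_STATEMENT), ("other builder", tampered)):
        print(label, check_provenance(doc, TRUSTED_BUILDER, EXPECTED_SOURCE, SAMPLE_DIGEST) or "OK")
```

In a real pipeline the statement comes from the attestation manifest in the registry (for example `docker buildx imagetools inspect <image> --format '{{json .Provenance}}'`), and the check on `builder.id` is what a per-run `builder-id="${BUILD_URL}"` makes awkward: the prefix match above tolerates the trailing build number, but a stable identifier for the builder is simpler to pin.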

@candrews
Author

@micahsnyder can you please take a look whenever you get the chance?

@micahsnyder
Collaborator

Hi Craig! Thanks for this. It looks useful. Either I or someone on my team will review it and get back to you.

@micahsnyder
Collaborator

@candrews one quick note -- we forgot to merge #54. We built the 1.4.0 release images based on the approved PR branch, but hadn't merged because of new commit signing requirements. Just fixed that and merged it now.

So for your PR we will at least need to rebase with main and add the change for clamav/1.4 files. Sorry for the extra busy work. I only realized when I saw your PR lacked the 1.4 directory.

@candrews
Author

> Sorry for the extra busy work.

No worries! I've rebased this MR including adding the changes to 1.4.

@@ -71,7 +71,7 @@ node('docker') {

// Build X.Y.Z-R image
sh """
docker build --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" .
docker build --sbom=true --provenance mode=max,builder-id="${BUILD_URL}" --annotation "org.opencontainers.image.url=${params.REPOSITORY}" --annotation "org.opencontainers.image.source=${params.REPOSITORY}" --annotation "org.opencontainers.image.version=${params.FULL_VERSION}" --annotation "org.opencontainers.image.ref.name=${params.BRANCH}" --annotation "org.opencontainers.image.created=$(date -Iseconds)" --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" .
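Review bot: the `$(date -Iseconds)` on the added line sits inside the Groovy `sh """` string, so Groovy parses that `$` before the shell ever runs, and `$(` is not a valid GString expression; escape it as `\$(date -Iseconds)` so the shell performs the command substitution. Switching the surrounding double quotes to single quotes does not change this, because Groovy interpolates the whole `sh` body regardless of the quoting inside it. Separately, `builder-id="${BUILD_URL}"` records the per-run Jenkins URL as the provenance `builder.id`; a consumer pins `builder.id` to a trusted builder identity, so a stable identifier for the Jenkins instance or job is easier to verify, and whatever is used here is published with the image.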
Contributor


Suggested change
docker build --sbom=true --provenance mode=max,builder-id="${BUILD_URL}" --annotation "org.opencontainers.image.url=${params.REPOSITORY}" --annotation "org.opencontainers.image.source=${params.REPOSITORY}" --annotation "org.opencontainers.image.version=${params.FULL_VERSION}" --annotation "org.opencontainers.image.ref.name=${params.BRANCH}" --annotation "org.opencontainers.image.created=$(date -Iseconds)" --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" .
docker build --sbom=true --provenance mode=max,builder-id='${BUILD_URL}' --annotation 'org.opencontainers.image.url=${params.REPOSITORY}' --annotation 'org.opencontainers.image.source=${params.REPOSITORY}' --annotation 'org.opencontainers.image.version=${params.FULL_VERSION}' --annotation 'org.opencontainers.image.ref.name=${params.BRANCH}' --annotation 'org.opencontainers.image.created=$(date -Iseconds)' --no-cache --tag '${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}' .

Similar changes need to be done in other places.

Failure - Failed to interpolate annotation strings.

I have tested the suggested strings and it works fine. I will further check the image for expected changes and will verify them.

Author


I'm not sure this change is correct.

Currently, --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" is present (with double quotes) and working:

docker build --no-cache --tag "${params.IMAGE_NAME}:${params.FULL_VERSION}-${BUILD_NUMBER}" .

Yet you're saying that that line needs the double quotes changed to singles. If doubles are working now, why change to singles?

Contributor


Hi @candrews

Thanks for asking the question.

"org.opencontainers.image.created=$(date -Iseconds)"
This is failing to be interpolated by Jenkins Groovy. This should be in single quotes so that only the shell interpolates it and not Jenkins.

Ideally, there should be a clear demarcation of what is being interpolated by groovy and shell. I will make the changes to it once your changes are merged.

Also,
--annotation org.opencontainers.image.created="$(date -Iseconds)" - We can do this as well to escape the "$" too to be interpolated by Groovy.

To be consistent, I prefer to use single quotes.

Let me know if it makes sense.

Thanks
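The quoting discussion above comes down to which layer sees the `$` first. Groovy applies fixed rules to a `"""..."""` string: `\$` is a literal dollar, `${expr}` and `$name` are Groovy expressions, and any other character after `$` is a compile error ("illegal string body character after dollar sign"); the shell only ever sees the result. The following is an added example, not code from the PR or from the project, that models those rules so the three variants can be compared side by side. The three command lines are constructed, shortened forms of the hunk's `docker build` line, and the `BINDINGS` value is a placeholder.

```python
# Added example: model how Groovy tokenises the body of a Jenkins sh """...""" step,
# then render what the shell receives. Rules implemented:
#   "\$"      -> literal dollar handed to the shell
#   "${expr}" -> Groovy expression (evaluated by Jenkins)
#   "$name"   -> Groovy expression (dotted access allowed)
#   "$" + anything else -> Groovy compile error


def tokenize_gstring(body):
    """Return a list of (kind, text) tokens; kinds: text, literal, groovy, error."""
    tokens, text = [], []
    i, n = 0, len(body)

    def flush():
        if text:
            tokens.append(("text", "".join(text)))
            text.clear()

    while i < n:
        ch = body[i]
        if ch == "\\" and i + 1 < n and body[i + 1] == "$":
            flush()
            tokens.append(("literal", "\\$"))
            i += 2
        elif ch != "$":
            text.append(ch)
            i += 1
        else:
            nxt = body[i + 1] if i + 1 < n else ""
            if nxt == "{":
                end = body.find("}", i)
                if end == -1:  # unterminated ${ is also a compile error
                    flush()
                    tokens.append(("error", body[i:]))
                    break
                flush()
                tokens.append(("groovy", body[i:end + 1]))
                i = end + 1
            elif nxt.isalpha() or nxt == "_":
                j = i + 1
                while j < n and (body[j].isalnum() or body[j] in "_."):
                    j += 1
                flush()
                tokens.append(("groovy", body[i:j]))
                i = j
            else:
                flush()
                tokens.append(("error", body[i:i + 2]))
                i += 2
    flush()
    return tokens


def groovy_accepts(body):
    """True if Groovy would compile this GString body at all."""
    return all(kind != "error" for kind, _ in tokenize_gstring(body))


def shell_sees(body, bindings):
    """Render the string as Jenkins hands it to the shell, or raise like the compiler would."""
    parts = []
    for kind, text in tokenize_gstring(body):
        if kind == "text":
            parts.append(text)
        elif kind == "literal":
            parts.append("$")
        elif kind == "groovy":
            expr = text[2:-1] if text.startswith("${") else text[1:]
            parts.append(str(bindings[expr]))
        else:
            raise ValueError(f"illegal string body character after dollar sign: {text!r}")
    return "".join(parts)


# Constructed, shortened forms of the three variants discussed in the thread.
ORIGINAL = ('docker build --annotation "org.opencontainers.image.source=${params.REPOSITORY}" '
            '--annotation "org.opencontainers.image.created=$(date -Iseconds)" .')
SINGLE_QUOTED = ("docker build --annotation 'org.opencontainers.image.source=${params.REPOSITORY}' "
                 "--annotation 'org.opencontainers.image.created=$(date -Iseconds)' .")
ESCAPED = ('docker build --annotation "org.opencontainers.image.source=${params.REPOSITORY}" '
           '--annotation "org.opencontainers.image.created=\\$(date -Iseconds)" .')

# Placeholder Jenkins parameter value (assumption).
BINDINGS = {"params.REPOSITORY": "https://github.com/example/clamav-docker"}

if __name__ == "__main__":
    for name, body in (("original", ORIGINAL), ("single quotes", SINGLE_QUOTED), ("escaped", ESCAPED)):
        try:
            print(f"{name}: shell receives: {shell_sees(body, BINDINGS)}")
        except ValueError as err:
            print(f"{name}: Groovy compile error: {err}")
```

Both the original and the single-quoted variant fail at the same token, `$(`, because the shell quotes are just characters to Groovy; only the backslash-escaped form compiles, and for it the shell receives `$(date -Iseconds)` intact while `${params.REPOSITORY}` has already been substituted by Jenkins.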

@rsundriyal
Contributor

We also need to update the changes for ClamAV images with the Database.

Current changes only target the base image and not the latest database image.

Changes are required here for each version, both alpine and debian images. Update DB script

Contributor

@rsundriyal left a comment


  • Fix string interpolation.
  • Update changes for the latest DB images.

3 participants