feat(cyclonedx): Include sbom main component info for Trivy #1991
Conversation
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
| for _, prop := range component.Properties { | ||
| if prop.Name == aquaTrivyRepoDigestPropertyKey { | ||
| if parts := strings.Split(prop.Value, "sha256:"); len(parts) > 1 { | ||
| component.Version = fmt.Sprintf("sha256:%s", parts[1]) |
There was a problem hiding this comment.
Is this solving only the version or the info about the main component as well?
There was a problem hiding this comment.
This solves the issue of CYCLONEDX files from Trivy where the version was not being included, the sbom was generated by Trivy:
$ trivy image ghcr.io/chainloop-dev/chainloop/cli:latest --output sbom.json --format cyclonedx
$ chainloop wf run describe --id 866b750c-80e2-422e-ad09-1f4db049d9b8 -o statement | jq '.predicate.materials.[].annotations'
{
"chainloop.material.cas.inline": true,
"chainloop.material.name": "material-1744782814076087000",
"chainloop.material.sbom.main_component.name": "ghcr.io/chainloop-dev/chainloop/cli",
"chainloop.material.sbom.main_component.type": "container",
"chainloop.material.sbom.main_component.version": "sha256:bbfd27fcdb15c8082951dc59be2310a2a2e6b95e11002f8411e5918887faa607",
"chainloop.material.type": "SBOM_CYCLONEDX_JSON"
}
Keep in mind the information about the main component is not required in the CycloneDX specification is not required so it might be cases where the information is not populated and tools can behave differently.
This is an example of Trivy scanning the local system:
$ trivy filesystem ./app/cli --output sbom.json --format cyclonedx
$ chainloop wf run describe --id af935022-4a2c-4043-a2de-abd3431ed504 -o statement | jq '.predicate.materials.[].annotations'
WRN API contacted in insecure mode
{
"chainloop.material.cas.inline": true,
"chainloop.material.name": "material-1744784071174128000",
"chainloop.material.sbom.main_component.name": "app/cli",
"chainloop.material.sbom.main_component.type": "application",
"chainloop.material.sbom.main_component.version": "",
"chainloop.material.type": "SBOM_CYCLONEDX_JSON"
}
And this is syft:
$ syft scan ./app/cli --output cyclonedx-json > sbom.json
$ chainloop wf run describe --id 2c320286-f088-46f8-9095-3576be6b3c0b -o statement | jq '.predicate.materials.[].annotations'
WRN API contacted in insecure mode
{
"chainloop.material.cas.inline": true,
"chainloop.material.name": "material-1744784201547639000",
"chainloop.material.sbom.main_component.name": "./app/cli",
"chainloop.material.sbom.main_component.type": "file",
"chainloop.material.sbom.main_component.version": "",
"chainloop.material.type": "SBOM_CYCLONEDX_JSON"
}
There was a problem hiding this comment.
On the tests that I've run (container, and filesystem), the main component information was populated. Do you have a way to reproduce the one that was not being added?
There was a problem hiding this comment.
Ok I found an example, having a look, it seems there is another thing involved.
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
|
Fixed reference parsing when using a CycloneDX SBOM generated by Trivy, which included the full repository reference with tag or digest, causing a parsing error. It now works as expected: |
No, it's updated in the following commit: 5d0c865, I've updated the comment as well. |
This pull request includes changes to the
pkg/attestation/crafter/materials/cyclonedxjson.gofile to enhance the extraction of the main component's version from properties and to refactor constant definitions.Enhancements to version extraction:
Propertiesfield to thecomponentstructure to capture additional metadata.aquaTrivyRepoDigestPropertyKeyproperty if the version field is empty.Ref: #1988