Create the SBOM_BLOB_URL for v0.2 buildah tasks #1192
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
arewm
force-pushed
the
buildah-sbom-blob-url
branch
6 times, most recently
from
e574bd0 to
552ce13
Compare
chmeliik
reviewed
Jul 25, 2024
There was a problem hiding this comment.
I'm not convinced this solves any immediate issues, since EC also reads the SBOM embedded in the image.
But adding the SBOM_BLOB_URL does sound good to me. Can we also stop injecting the SBOM into the image (maybe bump the version to 0.3 for responsible versioning?)
chmeliik
reviewed
Jul 25, 2024
chmeliik
approved these changes
Jul 25, 2024
arewm
force-pushed
the
buildah-sbom-blob-url
branch
from
552ce13 to
3d3e23c
Compare
arewm
force-pushed
the
buildah-sbom-blob-url
branch
from
3d3e23c to
f2d24c5
Compare
Now that the BASE_IMAGE_DIGESTS result has been removed, there should now be enough room for us to re-add the SBOM_BLOB_URL. This will enable EC verification of the SBOM based on the digest which is recorded in the provenenance. It will prevent supply-chain attacks which are driven by modifying the floating tag of the uploaded SBOM. Even with the referrer's API, the digest can be used to identify which SBOM should be the one built from Konflux. This was added in konflux-ci#645 and then removed in konflux-ci#654 due to the limitation of Tekton results' size. Signed-off-by: arewm <[email protected]>
arewm
force-pushed
the
buildah-sbom-blob-url
branch
from
f2d24c5 to
f0162a8
Compare
For open-source-ness: discussed on internal slack, decided to defer this to a separate change because it could have some implications |
rcerven
approved these changes
Jul 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Now that the BASE_IMAGE_DIGESTS result has been removed, there should be enough room for us to re-add the SBOM_BLOB_URL. This will enable EC verification of the SBOM based on the digest which is recorded in the provenenance. It will prevent supply-chain attacks which are driven by modifying the floating tag of the uploaded SBOM.
Even with the referrer's API, the digest can be used to identify which SBOM should be the one built from Konflux.
This was added in #645 and then removed in #654 due to the limitation of Tekton results' size.
Before you complete this pull request ...
Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.