Generate SBOM for the oci-builder

docker-library · Jun 7, 2024 · 6380a92 · 6380a92
1 parent a32081e
commit 6380a92
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 2 deletions.
diff --git a/.test/meta-commands/out.sh b/.test/meta-commands/out.sh
@@ -137,6 +137,28 @@ jq -s '
 	)
 ' temp/index.json > temp/index.json.new
 mv temp/index.json.new temp/index.json
+SOURCE_DATE_EPOCH=1709081058 \
+	docker buildx build --progress=plain \
+	--provenance=false \
+	--build-context "base:latest=oci-layout://$PWD/temp/@$(jq -r '.manifests[0].digest' index.json)" \
+	--sbom=generator="$BASHBREW_BUILDKIT_SBOM_GENERATOR" \
+	--output 'type=oci,tar=false,dest=temp_sbom/' \
+	- <<<'FROM base'
+newIndexDigest="$(jq -r '.manifests[0].digest | sub("sha256:";"")' temp_sbom/index.json)"
+sbomManifestDigest="$(jq -r '.manifests[] | select(.platform.os == "unknown").digest | sub("sha256:";"")' temp_sbom/blobs/sha256/$newIndexDigest)"
+sbomDigest="$(jq -r '.layers[0].digest | sub("sha256:";"")' temp_sbom/blobs/sha256/$sbomManifestDigest)"
+cp temp_sbom/blobs/sha256/$sbomDigest temp/blobs/sha256
+cp temp_sbom/blobs/sha256/$sbomManifestDigest temp/blobs/sha256
+cat <<< $( \
+	jq -r \
+	--argjson manifest "$sbomManifest" \
+	'
+		.manifests[0].digest as $digest |
+		.manifests[.manifests | length] |= . + $manifest |
+		.manifests[1].annotations["vnd.docker.reference.digest"] = $digest
+		' \
+	temp/index.json \
+) > temp/index.json
 # </build>
 # <push>
 crane push --index temp 'oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f'

diff --git a/meta.jq b/meta.jq
@@ -26,6 +26,9 @@ def normalize_ref_to_docker:
 	ltrimstr("docker.io/")
 	| ltrimstr("library/")
 ;
+def digest_to_blob:
+	@sh "sub(\"sha256:\";\"\")"
+;
 # input: "build" object (with "buildId" top level key)
 # output: string "pull command" ("docker pull ..."), may be multiple lines, expects to run in Bash with "set -Eeuo pipefail", might be empty
 def pull_command:
@@ -319,8 +322,50 @@ def build_command:
 
 			# TODO consider / check what "crane validate" does and if it would be appropriate here
 
-			# TODO generate SBOM? ... somehow
-
+			(
+				[
+					# Generate SBOM
+					@sh "SOURCE_DATE_EPOCH=\(.source.entry.SOURCE_DATE_EPOCH)",
+					"docker buildx build --progress=plain",
+					"--provenance=false",
+					"--build-context \"base:latest=oci-layout://$PWD/temp/@$(jq -r '.manifests[0].digest' index.json)\"",
+					"--sbom=generator=\"$BASHBREW_BUILDKIT_SBOM_GENERATOR\"",
+					"--output 'type=oci,tar=false,dest=temp_sbom/'",
+					"- <<<'FROM base'",
+					empty
+				] | join(" \\\n\t")
+			),
+			@sh "newIndexDigest=\"$(jq -r '.manifests[0].digest | " + digest_to_blob + "' temp/index.json)\"",
+			@sh "sbomManifestDigest=\"$(jq -r '.manifests[] | select(.platform.os == \"unknown\").digest | " + digest_to_blob + "' temp_sbom/blobs/sha256/$newIndexDigest)\"",
+			@sh "sbomManifest=\"$(jq -r --arg digest \"sha256:$sbomManifestDigest\" '.manifests[] | select(.digest == $digest)' temp_sbom/blobs/sha256/$newIndexDigest)\"",
+			@sh "sbomDigest=\"$(jq -r '.layers[0].digest | " + digest_to_blob + "' temp_sbom/blobs/sha256/$sbomManifestDigest)\"",
+			"cp temp_sbom/blobs/sha256/$sbomDigest temp/blobs/sha256",
+			"cp temp_sbom/blobs/sha256/$sbomManifestDigest temp/blobs/sha256",
+			(
+				[
+					"cat <<< $(",
+					(
+						[
+							"\tjq -r",
+							@sh "--argjson manifest \"$sbomManifest\"",
+							(
+								[
+									"'",
+									".manifests[0].digest as $digest |",
+									".manifests[.manifests | length] |= . + $manifest |",
+									".manifests[1].annotations[\"vnd.docker.reference.digest\"] = $digest",
+									"'",
+									empty
+								] | join("\n\t\t")
+							),
+							"temp/index.json",
+							empty
+						] | join(" \\\n\t")
+					),
+					") > temp/index.json",
+					empty
+				] | join(" \\\n")
+			),
 			empty
 		] | join("\n")
 	else