SBOM cant access path /run/src/core/sbom/proc/mounts
#972
Comments
I don't see any error but a warning message:
Which can be expected in some cases iirc and SBOM seems generated. WDYT @jedevc? You can use the following to check if the SBOM has been pushed:
The SBOM has not been pushed. We are storing these images on Google Artifact Registry so from my understanding it's OCI compliant and should work. See below the output of

```json
[
  {
    "Id": "5754f5ac8aa431aceff4a251e8ab57626b98b7694566acb171c9b76834be8e50",
    "Digest": "sha256:5e58b7ef8acee15b40283665b9d14e053caf6fad9b1b6bf2de337c3ad0e2a479",
    "RepoTags": [
      "europe-west2-docker.pkg.dev/redacted/devops/kubectl:redacted-SBOM-679d795"
    ],
    "RepoDigests": [
      "europe-west2-docker.pkg.dev/redacted/devops/kubectl@sha256:5e58b7ef8acee15b40283665b9d14e053caf6fad9b1b6bf2de337c3ad0e2a479"
    ],
    "Parent": "",
    "Comment": "",
    "Created": "2023-09-26T11:23:54.798248952Z",
    "Config": {
      "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      ],
      "Entrypoint": [
        "kubectl"
      ],
      "Labels": {
        "org.opencontainers.image.authors": "Bradley Stannard <bstannard@redacted>",
        "org.opencontainers.image.description": "A Docker image for Kubectl",
        "org.opencontainers.image.source": "https://console.cloud.google.com/artifacts/docker/redacted/europe-west2/containers/alpine/sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1",
        "org.opencontainers.image.title": "Kubectl",
        "org.opencontainers.image.url": "https://console.cloud.google.com/artifacts/docker/redacted/europe-west2/devops/kubectl",
        "org.opencontainers.image.vendor": "redacted"
      }
    },
    "Version": "",
    "Author": "",
    "Architecture": "amd64",
    "Os": "linux",
    "Size": 113702252,
    "VirtualSize": 113702252,
    "GraphDriver": {
      "Name": "overlay",
      "Data": {
        "LowerDir": "/var/home/core/.local/share/containers/storage/overlay/e7c38ecd945094d78ee7660a1f1e04065834c4fb7c93aacaa825756da9475651/diff:/var/home/core/.local/share/containers/storage/overlay/d67bde0e0c2971d0f5852513decf3a520dd159677278ec69d5528c7b3987e7f8/diff:/var/home/core/.local/share/containers/storage/overlay/90bf2a5dc20f16e4ff1d2324fa2ab807341c56b8bc6aab33ecfb9870eb884a75/diff:/var/home/core/.local/share/containers/storage/overlay/34cb033f741e4e71808d56ce446190e099d089e8ce49be2f831fa3e3c4ed3075/diff:/var/home/core/.local/share/containers/storage/overlay/78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/diff",
        "UpperDir": "/var/home/core/.local/share/containers/storage/overlay/fce4463482c007efb972ca149f5183eda1147425c70d31b192660a7455ed7e07/diff",
        "WorkDir": "/var/home/core/.local/share/containers/storage/overlay/fce4463482c007efb972ca149f5183eda1147425c70d31b192660a7455ed7e07/work"
      }
    },
    "RootFS": {
      "Type": "layers",
      "Layers": [
        "sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c",
        "sha256:a78be1e5214c8c177ee0874df2b724bee317b40283757f1a9e594a6bd66269c6",
        "sha256:f0e8887c8457b8eb8d240540592a940a0cc7c101891dd0c335e0e72be117958a",
        "sha256:b8f12c0c55aa98a84f6a3149b10c0f0b455c96fdbd7d7f2c3df93ef540012349",
        "sha256:ff3592532c11dc1494243f79aa105dfd73f33380afd6c2f07dd6bb84075ceaa6",
        "sha256:26b787cf878daf4480d603986ca1c5d2c04a35a11c4bf4f7d163d218fc000d95"
      ]
    },
    "Labels": {
      "org.opencontainers.image.authors": "Bradley Stannard <bstannard@redacted>",
      "org.opencontainers.image.description": "A Docker image for Kubectl",
      "org.opencontainers.image.source": "https://console.cloud.google.com/artifacts/docker/redacted/europe-west2/containers/alpine/sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1",
      "org.opencontainers.image.title": "Kubectl",
      "org.opencontainers.image.url": "https://console.cloud.google.com/artifacts/docker/redacted/europe-west2/devops/kubectl",
      "org.opencontainers.image.vendor": "redacted"
    },
    "Annotations": {},
    "ManifestType": "application/vnd.docker.distribution.manifest.v2+json",
    "User": "",
    "History": [
      {
        "created": "2023-06-14T20:41:58.950178204Z",
        "created_by": "/bin/sh -c #(nop) ADD file:1da756d12551a0e3e793e02ef87432d69d4968937bd11bed0af215db19dd94cd in / "
      },
      {
        "created": "2023-06-14T20:41:59.079795125Z",
        "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
        "empty_layer": true
      },
      {
        "created": "2023-09-26T11:23:52.803052098Z",
        "created_by": "LABEL org.opencontainers.image.title=Kubectl",
        "comment": "buildkit.dockerfile.v0",
        "empty_layer": true
      },
      {
        "created": "2023-09-26T11:23:52.803052098Z",
        "created_by": "LABEL org.opencontainers.image.description=A Docker image for Kubectl",
        "comment": "buildkit.dockerfile.v0",
        "empty_layer": true
      },
      {
        "created": "2023-09-26T11:23:52.803052098Z",
        "created_by": "LABEL org.opencontainers.image.authors=Bradley Stannard <bstannard@redacted>",
        "comment": "buildkit.dockerfile.v0",
        "empty_layer": true
      },
      {
        "created": "2023-09-26T11:23:52.803052098Z",
        "created_by": "LABEL org.opencontainers.image.vendor=redacted",
        "comment": "buildkit.dockerfile.v0",
        "empty_layer": true
      },
      {
        "created": "2023-09-26T11:23:52.803052098Z",
        "created_by": "LABEL org.opencontainers.image.url=https://console.cloud.google.com/artifacts/docker/redacted/europe-west2/devops/kubectl",
        "comment": "buildkit.dockerfile.v0",
        "empty_layer": true
      },
      {
        "created": "2023-09-26T11:23:52.803052098Z",
        "created_by": "LABEL org.opencontainers.image.source=https://console.cloud.google.com/artifacts/docker/redacted/europe-west2/containers/alpine/sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1",
        "comment": "buildkit.dockerfile.v0",
        "empty_layer": true
      },
      {
        "created": "2023-09-26T11:23:52.803052098Z",
        "created_by": "RUN /bin/sh -c apk add curl # buildkit",
        "comment": "buildkit.dockerfile.v0"
      },
      {
        "created": "2023-09-26T11:23:53.814576301Z",
        "created_by": "RUN /bin/sh -c curl -LO \"https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl\" # buildkit",
        "comment": "buildkit.dockerfile.v0"
      },
      {
        "created": "2023-09-26T11:23:54.032447911Z",
        "created_by": "RUN /bin/sh -c rm -rf /var/cache/apk/* # buildkit",
        "comment": "buildkit.dockerfile.v0"
      },
      {
        "created": "2023-09-26T11:23:54.439080576Z",
        "created_by": "RUN /bin/sh -c install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl # buildkit",
        "comment": "buildkit.dockerfile.v0"
      },
      {
        "created": "2023-09-26T11:23:54.798248952Z",
        "created_by": "RUN /bin/sh -c rm /kubectl # buildkit",
        "comment": "buildkit.dockerfile.v0"
      },
      {
        "created": "2023-09-26T11:23:54.798248952Z",
        "created_by": "ENTRYPOINT [\"kubectl\"]",
        "comment": "buildkit.dockerfile.v0",
        "empty_layer": true
      }
    ],
    "NamesHistory": [
      "europe-west2-docker.pkg.dev/redacted/devops/kubectl:redacted-SBOM-679d795"
    ]
  }
]
```
I will have a colleague run it on their Docker and see what comes back just to be double sure.
Yeah I've had my colleague run it and they've got back {}
Hm that's odd. I don't think this warning is expected - not quite sure what it's from. That said: This should error: docker/buildx#1988. @crazy-max can we release this into v0.11.3? It seems like quite a few people have been caught out by it.
Oh right I see why, you need to use the Edit: Ah @jedevc beat me to it 🎉
See below addition to the Action file:

```yaml
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3
```

Buildx
Running inspect again and there does not seem to be SBOM but the
Not sure if I have some whack config going on here. Do we know if there is a working example in the wild I can copy from? We just want to get SBOM and See below the workflow logs
What do you mean by
? Can you also try with:
Also check if you have the latest buildx version before using this command (
@elsmorian Related to #979, can you show the output of:
I've been getting slightly different messages, but I never thought much of it
I guess it's not expected? You can see the run here:
@crazy-max I actually solved this, but the tooling around this could be a little more kind I think! I had assumed that Even if you build an image with an SBOM, Provenance etc, those keys will not show up unless you explicitly ask for them in that format query eg. This took a fair few hours to find out!
Yes we have one here: build-push-action/.github/workflows/ci.yml Lines 631 to 688 in fdf7f43
Oh it should actually, that might be a regression. I will look into it. |
Ah, I had been looking for something like this. I have a similar issue. You can see a bit of run output here. I know that when I run it locally, I get the index with 4 manifests: 1 each for linux/amd64 and linux/arm64, and 1 each for the attestations for those. In Actions, I get those warnings and the attestations are missing. As for builder version, I am running this in a tool that ensures it runs via Why would it fail (and with just warnings) in GHA?
@elsmorian We have updated our docs related to the inspect format (docker/buildx#2122), see https://docs.docker.com/engine/reference/commandline/buildx_imagetools_inspect/. To output the SBOM use:
Also added extra jobs in our workflow to check this behavior: #1005. See for example https://github.com/docker/build-push-action/actions/runs/6942189435/job/18884628164#step:6:1
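The index layout described a few comments up (one platform manifest per architecture plus one attestation manifest referencing each) can be checked directly from the index JSON, before reaching for the `--format` query. This is an added example, not code from buildx or build-push-action; the index and its digests are constructed, and the annotation keys are the `vnd.docker.reference.*` ones BuildKit puts on attestation manifests.

```python
"""Check an OCI image index for BuildKit attestation manifests (SBOM/provenance).

Added example for this thread, not code from buildx or build-push-action.
The sample index and digests are constructed so the check runs offline."""
import json

ATTEST_TYPE = "vnd.docker.reference.type"
ATTEST_SUBJECT = "vnd.docker.reference.digest"

# Constructed sample: two platform manifests, attestation for amd64 only.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:aaaa",
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:bbbb",
         "platform": {"architecture": "arm64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:cccc",
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {ATTEST_TYPE: "attestation-manifest",
                         ATTEST_SUBJECT: "sha256:aaaa"}},
    ],
})


def attestation_coverage(index_json: str) -> dict:
    """Return {"os/arch": True|False}: whether an attestation manifest
    names that platform manifest as its subject."""
    index = json.loads(index_json)
    platforms = {}    # platform manifest digest -> "os/arch"
    attested = set()  # digests referenced by attestation manifests
    for m in index.get("manifests", []):
        ann = m.get("annotations") or {}
        plat = m.get("platform") or {}
        if ann.get(ATTEST_TYPE) == "attestation-manifest":
            attested.add(ann.get(ATTEST_SUBJECT))
        elif plat.get("os") != "unknown":
            platforms[m["digest"]] = f"{plat.get('os')}/{plat.get('architecture')}"
    return {name: digest in attested for digest, name in platforms.items()}


def missing_attestations(index_json: str) -> list:
    """Platforms pushed without SBOM/provenance, the symptom in this thread."""
    return [p for p, ok in attestation_coverage(index_json).items() if not ok]
```

Feed it the raw index from `docker buildx imagetools inspect <image> --raw`; any platform listed as missing was pushed without its attestation manifest.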
I don't see any usage of the build-push-action in this workflow.
I'm not quite sure about this warning. As @jedevc said it's not expected. @deitch I just released an RC of the buildkit syft scanner image: https://github.com/docker/buildkit-syft-scanner/releases/tag/v1.3.0-rc.1 Can you try with: With build-push-action:

```yaml
attests: type=sbom,generator=docker/buildkit-syft-scanner:1.3.0-rc.1
```
Actually, I think the error in my case might have been mine. Sorry for the confusion. 🤦♂️
@crazy-max Aha, thanks for clarifying that!
Ok I was only able to repro on public Ubuntu GitHub Runners with latest stable of buildkit-syft-scanner: https://github.com/docker/build-push-action/actions/runs/6955717600/job/18925090210#step:5:224
I couldn't repro with
This is just a warning and should not have an impact to compute the SBOM. Will open an issue on upstream repo to see if this can be fixed before 1.3.0 GA of the scanner. |
Opened docker/buildkit-syft-scanner#80. Closing this issue since the warning should not have any incidence on generating the SBOM per our repro: https://github.com/docker/build-push-action/actions/runs/6942189435/job/18884628164#step:6:1 |
Description
When using the below config in my Docker build for the workflow, I get the below error
Error
Expected behaviour
Docker builds the image, generates the SBOM and then pushes the image with the attached SBOM data in the manifest for the container
Actual behaviour
SBOM would be generated and no error would be found
YAML workflow
Workflow logs
BuildKit logs
Additional info