Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate purls from read sources #69

Merged
merged 8 commits into from
Mar 8, 2022
Merged

Generate purls from read sources #69

merged 8 commits into from
Mar 8, 2022

Conversation

puerco
Copy link
Member

@puerco puerco commented Mar 8, 2022

What type of PR is this?

/kind feature

What this PR does / why we need it:

bom will now annotate system packages, golang dependencies and OCI images (in a registry) with a package URL. Reading this annotation makes it easier to detect what kind of source the spdx package is describing.

Having purls in all artifacts will now allow answering questions like Does this SBOM describe an image?, do we have golang dependency information? what about the system packages in this image?

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Sample run:

go run cmd/bom/main.go generate --image=nginx | grep purl

ExternalRef: PACKAGE-MANAGER purl pkg:oci/nginx@sha256:1c13bc6de5dfca749c377974146ac05256791ca2fe1979fc8e8278bf0121d285?repository_url=index.docker.io%2Flibrary&tag=nginx
ExternalRef: PACKAGE-MANAGER purl pkg:oci/nginx@sha256:2468d48e476b6a079eb646e87620f96ce1818ac0c5b3a8450532cea64b3421f4?arch=amd64&repository_url=index.docker.io%2Flibrary
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/adduser@3.118?arch=all
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/apt@2.2.4?arch=amd64
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/base-files@11.1+deb11u2?arch=amd64
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/base-passwd@3.5.51?arch=amd64
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/bash@5.1-2+b3?arch=amd64
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/bsdutils@1:2.36.1-8+deb11u1?arch=amd64
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/ca-certificates@20210119?arch=all
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/coreutils@8.32-4+b1?arch=amd64
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/curl@7.74.0-1.3+deb11u1?arch=amd64
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/dash@0.5.11+git20200708+dd9ef66-5?arch=amd64
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/debconf@1.5.77?arch=all
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/debian-archive-keyring@2021.1.1?arch=all
... (lots more)

/assign @cpanato
/cc @kubernetes-sigs/release-engineering

Does this PR introduce a user-facing change?

bom now adds `ExternalRef`s with Package URLs (purls) for all system packages, go dependencies and OCI images.

puerco added 7 commits March 7, 2022 20:38
@puerco
Support more OSs. More data from dpkg
3059054 
This commit adds new support to extract more information from
the dpkg database, at the same time it splits the OSs to prepare
them to produce purls from the extracted data.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Support outputting purl from PackageDBEntry
cec4637 
PackageDBEntry can now output its contents as purl.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Wire purl data to SPDX package
fea9362 
Wire purl from OS packages into SPDX packages expressing them.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Add ExtRef support to SPDX package tmpl
986876a 
While the package type already supported external references, we
now support actually writing it into the SBOM.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
GoMod: Support output to purl
16f0f98 
When reading go dependencies, we now add a PackageURL external
ref to the generated SPDX package.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
GoMod: Use go proxy for dnload, fix locators
35fd6f7 
This commit modifies the DownloadLocation generated from Go packages.

When the package is a module, we will use the proxy.golang.org url
to make a zip available. This makes the output of bom equal to ko.

When a dependency is not a module, bom will now generate a valid SPDX
download locator (eg "git+https://github.com/ ... )

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Add purl for OCI images
4bf0cff 
This commit adds support for writing purls in packages describing
OCI images. For now, only images stored in registries get a purl,
that means that tarred images will not.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 8, 2022
@saschagrunert
Copy link
Member

/retest

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 8, 2022
@puerco
GO mod tidy to pull package-url/packageurl-go
f429f38 
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 8, 2022
@puerco
Copy link
Member Author

puerco commented Mar 8, 2022

SOrry @saschagrunert I had forgotten to commit go.mod, its ready now :)

cpanato
cpanato approved these changes Mar 8, 2022
View reviewed changes
Copy link
Member

@cpanato cpanato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 8, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, puerco, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [cpanato,puerco,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit d94678c into kubernetes-sigs:main Mar 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpanato cpanato cpanato approved these changes

@saschagrunert saschagrunert saschagrunert approved these changes

Assignees

@saschagrunert saschagrunert

@cpanato cpanato

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@puerco @saschagrunert @k8s-ci-robot @cpanato