Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SBOMs do not contain docker image metadata #2608

Closed
willejs-ec opened this issue Jun 11, 2024 · 0 comments · Fixed by #2612
Closed

SBOMs do not contain docker image metadata #2608

willejs-ec opened this issue Jun 11, 2024 · 0 comments · Fixed by #2612

Comments

@willejs-ec
Copy link

willejs-ec commented Jun 11, 2024

Steps to reproduce

I have an interesting issue with the sboms created from zarf…
When you perform this action against a docker container:
syft quay.io/minio/minio:RELEASE.2024-03-21T23-13-43Z -o syft | grype -o sarif
The output has the name of the container in it:
"text": "A medium vulnerability in go-module package: gopkg.in/square/go-jose.v2, version v2.6.0 was found in image quay.io/minio/minio:RELEASE.2024-03-21T23-13-43Z at: /usr/bin/minio"
However, if you put the image in a zarf package, then take the zarf generated sbom (via syft) and run it through grype:
grype quay.io_minio_minio_RELEASE.2024-03-21T23-13-43Z.json -o sarif
It does not contain the image name:
"text": "A medium vulnerability in go-module package: gopkg.in/square/go-jose.v2, version v2.6.0 was found in image at: /usr/bin/minio"
When you compare the syft documents, you realise that the whole source block is missing, so theres no image metadata in the file under the source key.

I think this is because zarf generates the sbom from the OCI image, and i presume when zarf pulls the docker image and converts it to an oci image, it strips all the image metadata?
This makes the sarif output kinda useless in grype as i cant then upload it to github advanced security. When you upload it, it you cant see which the vulnerability is coming from… Just the binary.

Severity/Priority

Additional Context

Add any other context or screenshots about the technical debt here.

lucasrod16 pushed a commit that referenced this issue Jun 11, 2024
## Description
When creating an image SBOM with syft, we currently pass an empty string
`""` to `NewFromStereoscopeImageObject` when creating a new image source
object.

```go
source.NewFromStereoscopeImageObject(syftImage, "", nil)
```
The second argument is the image reference. This data is ultimately used
to populate the source metadata in the final SBOM, but since we pass an
empty string, the `userInput` field is empty.

The fix is to pass in the image reference so that the `userInput` field
is populated in the final SBOM.

```go
source.NewFromStereoscopeImageObject(syftImage, ref, nil)
```

Steps to reproduce:

1. Create this package

    ```yaml
    kind: ZarfPackageConfig
    metadata:
      name: sbom-test
      architecture: amd64
    components:
      - name: sbom-test
        required: true
        images:
          - quay.io/minio/minio:RELEASE.2024-03-21T23-13-43Z
    ```

1. Extract the package

    ```shell
zarf tools archiver decompress zarf-package-sbom-test-amd64.tar.zst sbom
    ```

1. Extract the sbom tarball

    ```shell
    zarf tools archiver decompress sbom/sboms.tar sbom/syft 
    ```
1. Check the `.source.metadata.userInput` field in the image SBOM

    ```shell
cat sbom/syft/quay.io_minio_minio_RELEASE.2024-03-21T23-13-43Z.json | jq
.source.metadata.userInput
    ```
    
With current Zarf, you will see that it returns an empty string. Re-run
all of the above steps with Zarf built from this PR branch, and you will
see it returns the image reference
`quay.io/minio/minio:RELEASE.2024-03-21T23-13-43Z`
    
1. Generate a vulnerability scan report with `grype`

    ```shell
cat sbom/syft/quay.io_minio_minio_RELEASE.2024-03-21T23-13-43Z.json |
grype -o sarif > zarf-scan.json
    ```
    
You will see that the generated report is missing the image reference in
the output
    
`"text": "A medium vulnerability in go-module package:
gopkg.in/square/go-jose.v2, version v2.6.0 was found in image at:
/usr/bin/minio"`
    
Re-run all of the above steps with Zarf built from this PR branch, and
you will see the image reference in the generated report:
    
`"text": "A medium vulnerability in go-module package:
gopkg.in/square/go-jose.v2, version v2.6.0 was found in image
quay.io/minio/minio:RELEASE.2024-03-21T23-13-43Z at: /usr/bin/minio"`

## Related Issue

Fixes #2608

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md#developer-workflow)
followed
AustinAbro321 pushed a commit that referenced this issue Jul 23, 2024
## Description
When creating an image SBOM with syft, we currently pass an empty string
`""` to `NewFromStereoscopeImageObject` when creating a new image source
object.

```go
source.NewFromStereoscopeImageObject(syftImage, "", nil)
```
The second argument is the image reference. This data is ultimately used
to populate the source metadata in the final SBOM, but since we pass an
empty string, the `userInput` field is empty.

The fix is to pass in the image reference so that the `userInput` field
is populated in the final SBOM.

```go
source.NewFromStereoscopeImageObject(syftImage, ref, nil)
```

Steps to reproduce:

1. Create this package

    ```yaml
    kind: ZarfPackageConfig
    metadata:
      name: sbom-test
      architecture: amd64
    components:
      - name: sbom-test
        required: true
        images:
          - quay.io/minio/minio:RELEASE.2024-03-21T23-13-43Z
    ```

1. Extract the package

    ```shell
zarf tools archiver decompress zarf-package-sbom-test-amd64.tar.zst sbom
    ```

1. Extract the sbom tarball

    ```shell
    zarf tools archiver decompress sbom/sboms.tar sbom/syft
    ```
1. Check the `.source.metadata.userInput` field in the image SBOM

    ```shell
cat sbom/syft/quay.io_minio_minio_RELEASE.2024-03-21T23-13-43Z.json | jq
.source.metadata.userInput
    ```

With current Zarf, you will see that it returns an empty string. Re-run
all of the above steps with Zarf built from this PR branch, and you will
see it returns the image reference
`quay.io/minio/minio:RELEASE.2024-03-21T23-13-43Z`

1. Generate a vulnerability scan report with `grype`

    ```shell
cat sbom/syft/quay.io_minio_minio_RELEASE.2024-03-21T23-13-43Z.json |
grype -o sarif > zarf-scan.json
    ```

You will see that the generated report is missing the image reference in
the output

`"text": "A medium vulnerability in go-module package:
gopkg.in/square/go-jose.v2, version v2.6.0 was found in image at:
/usr/bin/minio"`

Re-run all of the above steps with Zarf built from this PR branch, and
you will see the image reference in the generated report:

`"text": "A medium vulnerability in go-module package:
gopkg.in/square/go-jose.v2, version v2.6.0 was found in image
quay.io/minio/minio:RELEASE.2024-03-21T23-13-43Z at: /usr/bin/minio"`

## Related Issue

Fixes #2608

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md#developer-workflow)
followed

Signed-off-by: Austin Abro <AustinAbro321@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant