
Support Ubuntu Chisel manifests as an sbom input #811

Open
richlander opened this issue Nov 21, 2024 · 1 comment
Labels
needs investigation Our team will investigate and determine next actions

Comments

richlander (Member) commented Nov 21, 2024

In reference to dotnet/dotnet-docker#5973

We (.NET Team) have been working closely with Canonical on Chiseled images.

At present, we use an interim solution to make chiseled images scannable. That has worked well. We've been waiting for the chisel manifest format to land to move to a more permanent solution. However, scanners don't support the chisel manifest. We talked to @cjdcordeiro about this. His vision is that SBOM tools (starting with the MS one) support chisel manifests as an input and we rely on scanners' ability to read SBOMs.

Our end-to-end vision is this:

  • SBOM tools support chisel manifests as an input
  • We run the SBOM tool to generate an SBOM for the container images we publish
  • We attach the SBOM to our container images as an OCI artifact
  • Scanners can scan our container images by pulling an image and the associated registry artifact

How does that sound? I'm a bit worried that a registry-based solution might be a breaking change for some users. That's worth discussing.

What's the best path to achieving that?

richlander changed the title "Support chisel manifest as an sbom input" to "Support Ubuntu Chisel manifests as an sbom input" on Nov 21, 2024

@cjdcordeiro commented:
Thanks for this nice breakdown.
On our side, we'll be:

  • writing the reference documentation for the Chisel manifests;
  • defining the shortest path of translation of a Chisel manifest to an SPDX-compliant SBOM;
  • supporting the adoption of the Chisel manifest in Microsoft's sbom-tool; and
  • working with third-party tools to assess the feasibility of natively supporting scanning of Chiselled containers without SBOMs.
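The step both comments converge on is translating a Chisel manifest into an SPDX SBOM that a scanner can consume once it is attached to the image. The script below is an added example and is not code from Chisel, sbom-tool or the dotnet-docker project. It assumes the manifest is read as "jsonwall" text (one JSON object per line, header line first) with package records carrying `kind`, `name`, `version`, `arch` and `sha256` fields and slice records named `<package>_<slice>`; those field names, the sample manifest, the tool name in `creators` and the `example.invalid` document namespace are all assumptions or constructed placeholders for this example. It emits an SPDX 2.3 JSON document with one package per installed Debian package, a Package URL a scanner can match against advisories, and a comment recording which slices were actually installed so a reader knows the package is partial.

```python
"""Translate a Chisel manifest (jsonwall text, assumed format) into a minimal SPDX 2.3 JSON SBOM.

Added example, not code from the Chisel or sbom-tool projects. Field names and the
sample manifest below are assumptions/constructed data for illustration.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample manifest: a jsonwall header line followed by one record per line.
SAMPLE_MANIFEST = """\
{"jsonwall":"1.0","schema":"1.0","count":5}
{"kind":"package","name":"base-files","version":"12ubuntu4.6","arch":"amd64","sha256":"0000000000000000000000000000000000000000000000000000000000000001"}
{"kind":"package","name":"libc6","version":"2.35-0ubuntu3.8","arch":"amd64","sha256":"0000000000000000000000000000000000000000000000000000000000000002"}
{"kind":"slice","name":"base-files_base"}
{"kind":"slice","name":"libc6_libs"}
"""


def parse_manifest(text):
    """Return (packages_by_name, slice_names); skips the header and any record kind we don't map."""
    packages, slices = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if "jsonwall" in rec:  # header line, carries no package data
            continue
        kind = rec.get("kind")
        if kind == "package":
            packages[rec["name"]] = rec
        elif kind == "slice":
            slices.append(rec["name"])
    return packages, slices


def spdx_id(name):
    """SPDX identifiers may only contain letters, digits, '.' and '-'."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def purl(pkg, distro="ubuntu"):
    """Package URL for a Debian-family package, e.g. pkg:deb/ubuntu/libc6@2.35-0ubuntu3.8?arch=amd64."""
    return f"pkg:deb/{distro}/{pkg['name']}@{pkg['version']}?arch={pkg['arch']}"


def manifest_to_spdx(text, image_name="example-image", distro="ubuntu", created=None):
    """Build an SPDX 2.3 document: one root package for the image, CONTAINS one package per deb."""
    packages, slices = parse_manifest(text)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root_id = "SPDXRef-Image"
    doc = {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{image_name}-sbom",
        "documentNamespace": f"https://example.invalid/spdx/{image_name}",  # placeholder namespace
        "creationInfo": {"created": created, "creators": ["Tool: chisel-manifest-to-spdx-example"]},
        "packages": [{"name": image_name, "SPDXID": root_id,
                      "downloadLocation": "NOASSERTION", "filesAnalyzed": False}],
        "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                           "relationshipType": "DESCRIBES", "relatedSpdxElement": root_id}],
    }
    # Group installed slices by package so the SBOM records that only part of each deb is present.
    slices_by_pkg = {}
    for s in slices:
        pkg_name, _, slice_name = s.partition("_")
        slices_by_pkg.setdefault(pkg_name, []).append(slice_name)
    for name, pkg in sorted(packages.items()):
        pid = spdx_id(name)
        doc["packages"].append({
            "name": name,
            "SPDXID": pid,
            "versionInfo": pkg["version"],
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "checksums": [{"algorithm": "SHA256", "checksumValue": pkg["sha256"]}],
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": purl(pkg, distro)}],
            "comment": "chisel slices: " + ", ".join(slices_by_pkg.get(name, [])),
        })
        doc["relationships"].append({"spdxElementId": root_id, "relationshipType": "CONTAINS",
                                     "relatedSpdxElement": pid})
    return doc


if __name__ == "__main__":
    print(json.dumps(manifest_to_spdx(SAMPLE_MANIFEST, image_name="chiseled-image"), indent=2))
```

The purl is the part a vulnerability scanner actually keys on, so it matters that the version string is carried over verbatim from the manifest; the slice comment is informational only, since SPDX has no field for "subset of a package", which is one reason the reference documentation for the manifest format is needed before a standard mapping can be fixed.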

4 participants