8000 SBOMs are not being signed · Issue #1151 · dotnet/docker-tools · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
SBOMs are not being signed #1151
New issue
New issue
Open
Open
SBOMs are not being signed#1151
Labels
area-infrastructurebug
@mthalman

Description

@mthalman
mthalman
opened on Jun 29, 2023

The build stage of the pipeline generates SBOMs using this logic:

docker-tools/eng/common/templates/jobs/build-images.yml

Lines 128 to 176 in 9791b15

# Define the task here to load it into the agent so that we can invoke the tool manually
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
inputs:
BuildDropPath: $(Build.ArtifactStagingDirectory)
displayName: Load Manifest Generator
condition: and(succeeded(), ne(variables['BuildImages.builtImages'], ''))
- powershell: |
$images = "$(BuildImages.builtImages)"
if (-not $images) { return 0 }
# There can be leftover versions of the task left on the agent if it's not fresh. So find the latest version.
$taskDir = $(Get-ChildItem -Recurse -Directory -Filter "ManifestGeneratorTask*" -Path '$(Agent.WorkFolder)')[-1].FullName
$manifestToolDllPath = $(Get-ChildItem -Recurse -File -Filter "Microsoft.ManifestTool.dll" -Path $taskDir).FullName
# Check whether the manifest task installed its own version of .NET.
# To be more robust, we'll handle varying implementations that it's had.
# First check for a dotnet folder in the task location
$dotnetDir = $(Get-ChildItem -Recurse -Directory -Filter "dotnet-*" -Path $taskDir).FullName
if (-not $dotnetDir) {
# If it's not there, check in the agent tools location
$dotnetDir = $(Get-ChildItem -Recurse -Directory -Filter "*dotnet-*" -Path "$(Agent.ToolsDirectory)").FullName
}
# If the manifest task installed its own version of .NET use that; otherwise it's reusing an existing install of .NET
# which is executable by default.
if ($dotnetDir) {
$dotnetPath = "$dotnetDir/dotnet"
}
else {
$dotnetPath = "dotnet"
}
# Call the manifest tool for each image to produce seperate SBOMs
# Manifest tool docs: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/secure-supply-chain/custom-sbom-generation-workflows
$images -Split ',' | ForEach-Object {
echo "Generating SBOM for $_";
$formattedImageName = $_.Replace('$(acr.server)/$(stagingRepoPrefix)', "").Replace('/', '_').Replace(':', '_');
$sbomChildDir = "$(sbomDirectory)/$formattedImageName";
New-Item -Type Directory -Path $sbomChildDir > $null;
& $dotnetPath "$manifestToolDllPath" `
Generate `
-BuildDropPath '$(Build.ArtifactStagingDirectory)' `
-BuildComponentPath '$(Agent.BuildDirectory)' `
-PackageName '.NET' `
-PackageVersion '$(Build.BuildNumber)' `
-ManifestDirPath $sbomChildDir `
-DockerImagesToScan $_ `
-Verbosity Information
}
displayName: Generate SBOMs

The use of the ManifestGeneratorTask is only used as an "installer" in order to acquire the manifest tool that gets executed in the second step. It's done this way because of the need to have a separate SBOM for each image (see #979). So the SBOM generation occurs in the second step. But the logic for signing the SBOMs actually occurs in the first step via the ManifestGeneratorTask. This means we're not getting the benefit of signing because we're not using the task to generate the SBOMs. And that means none of our SBOMs are signed.

I've logged a related issue for the manifest generator to have another tool that can be used for signing: https://github.com/microsoft/dropvalidator/issues/668

Metadata

Metadata

Assignees

No one assigned

    Labels

    area-infrastructurebug

    Type

    No type

    Projects

    .NET Do 37D0 cker

    Status

    Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      0