From ea8ca4e7c5904e34dda2ee6fb6b33788f4b4544a Mon Sep 17 00:00:00 2001 From: Clement Bois <clement.bois@orange.com> Date: Fri, 25 Nov 2022 15:31:12 +0100 Subject: [PATCH] feat: add a job generating software bill of materials Signed-off-by: Clement Bois <clement.bois@orange.com> --- README.md | 12 ++++++++++++ kicker.json | 18 ++++++++++++++++++ templates/gitlab-ci-docker.yml | 29 +++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+) diff --git a/README.md b/README.md index e92be66..3e229f1 100644 --- a/README.md +++ b/README.md @@ -397,6 +397,18 @@ In addition to a textual report in the console, this job produces the following | `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ | | `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) | +### `docker-sbom` job + +This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [syft](https://github.com/anchore/syft). + +It is bound to the `package-test` stage, and uses the following variables: + +| Name | description | default value | +| --------------------- | -------------------------------------- | ----------------- | +| `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | +| `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `anchore/syft:debug` | +| `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger` | + ### `docker-publish` job This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo). diff --git a/kicker.json b/kicker.json index df8d72d..f1f9aaa 100644 --- a/kicker.json +++ b/kicker.json @@ -174,6 +174,24 @@ "advanced": true } ] + }, + { + "id": "sbom", + "name": "Software Bill of Materials", + "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)", + "disable_with": "DOCKER_SBOM_DISABLED", + "variables": [ + { + "name": "DOCKER_SBOM_IMAGE", + "default": "anchore/syft:debug" + }, + { + "name": "DOCKER_SBOM_OPTS", + "description": "Options for syft used for SBOM analysis", + "default": "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger", + "advanced": true + } + ] } ], "variants": [ diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index e7525a9..745c73d 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -69,6 +69,10 @@ variables: DOCKER_TRIVY_IMAGE: "aquasec/trivy:latest" DOCKER_TRIVY_ARGS: "--ignore-unfixed --vuln-type os" + # SBOM genenration image and arguments + DOCKER_SBOM_IMAGE: anchore/syft:debug + DOCKER_SBOM_OPTS: "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger" + # by default: DevOps pipeline PUBLISH_ON_PROD: "true" @@ -677,6 +681,31 @@ docker-trivy: when: never - !reference [.test-policy, rules] +docker-sbom: + extends: .docker-base + stage: package-test + image: + name: $DOCKER_SBOM_IMAGE + entrypoint: [""] + # force no dependency + dependencies: [] + script: + - mkdir -p -m 777 reports + - dockerfile_hash=$(md5sum "$DOCKER_FILE" | cut -d" " -f1) + - /syft packages $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${dockerfile_hash}.cyclonedx.json + - chmod a+r reports/docker-sbom-${dockerfile_hash}.cyclonedx.json + artifacts: + name: "SBOM for docker from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" + expire_in: 1 week + when: always + paths: + - "reports/docker-sbom-*.cyclonedx.json" + rules: + # exclude if disabled + - if: '$DOCKER_SBOM_DISABLED == "true"' + when: never + - !reference [.test-policy, rules] + # ================================================== # Stage: publish # ================================================== -- GitLab