Generate SBOM for the oci-builder

LaurentGoderre · LaurentGoderre · commit 662d724c951c · 2024-06-21T10:09:49.000-04:00
diff --git a/.test/meta-commands/out.sh b/.test/meta-commands/out.sh
@@ -137,6 +137,42 @@ jq -s '
 	)
 ' temp/index.json > temp/index.json.new
 mv temp/index.json.new temp/index.json
+# SBOM
+originalImageManifest="$(jq -r '.manifests[0].digest' temp/index.json)"
+SOURCE_DATE_EPOCH=1709081058 \
+	docker buildx build --progress=plain \
+	--load=false \
+	--provenance=false \
+	--build-arg BUILDKIT_DOCKERFILE_CHECK=skip=all \
+	--sbom=generator="$BASHBREW_BUILDKIT_SBOM_GENERATOR" \
+	--output 'type=oci,tar=false,dest=sbom' \
+	--platform 'linux/amd64' \
+	--build-context "fake=oci-layout://$PWD/temp@$originalImageManifest" \
+	- <<<'FROM fake'
+sbomIndex="$(jq -r '.manifests[0].digest' sbom/index.json)"
+shell="$(jq -r --arg originalImageManifest "$originalImageManifest" '
+	first(
+		.manifests[]
+		| select(.annotations["vnd.docker.reference.type"] == "attestation-manifest")
+	) as $attDesc
+	| @sh "sbomManifest=\($attDesc.digest)",
+		@sh "sbomManifestDesc=\(
+			$attDesc
+			| .annotations["vnd.docker.reference.digest"] = $originalImageManifest
+			| tojson
+		)"
+' "sbom/blobs/${sbomIndex/://}")"
+eval "$shell"
+shell="$(jq -r '
+	"copyBlobs=( \([ .config.digest, .layers[].digest | @sh ] | join(" ")) )"
+' "sbom/blobs/${sbomManifest/://}")"
+eval "$shell"
+copyBlobs+=( "$sbomManifest" )
+for blob in "${copyBlobs[@]}"; do
+	cp "sbom/blobs/${blob/://}" "temp/blobs/${blob/://}"
+done
+jq -r --argjson sbomManifestDesc "$sbomManifestDesc" '.manifests += [ $sbomManifestDesc ]' temp/index.json > temp/index.json.new
+mv temp/index.json.new temp/index.json
 # </build>
 # <push>
 crane push --index temp 'oisupport/staging-amd64:191402ad0feacf03daf9d52a492207e73ef08b0bd17265043aea13aa27e2bb3f'
diff --git a/meta.jq b/meta.jq
@@ -319,9 +319,52 @@ def build_command:
 
 			# TODO consider / check what "crane validate" does and if it would be appropriate here
 
-			# TODO generate SBOM? ... somehow
-
-			empty
+			if build_should_sbom then
+				# we'll trick BuildKit into generating an SBOM for us, then inject it into our OCI layout
+				"# SBOM",
+				"originalImageManifest=\"$(jq -r '.manifests[0].digest' temp/index.json)\"",
+				(
+					[
+						@sh "SOURCE_DATE_EPOCH=\(.source.entry.SOURCE_DATE_EPOCH)",
+						"docker buildx build --progress=plain",
+						"--load=false", "--provenance=false", # explicitly disable a few features we want to avoid
+						"--build-arg BUILDKIT_DOCKERFILE_CHECK=skip=all", # disable linting (https://github.com/moby/buildkit/pull/4962)
+						"--sbom=generator=\"$BASHBREW_BUILDKIT_SBOM_GENERATOR\"",
+						"--output 'type=oci,tar=false,dest=sbom'",
+						# TODO also add appropriate "--tag" lines (which would give us a mostly correct "subject" block in the generated SBOM, but we'd then need to replace instances of ${sbomImageManifest#*:} with ${originalImageManifest#*:} for their values to be correct)
+						@sh "--platform \(.source.arches[.build.arch].platformString)",
+						"--build-context \"fake=oci-layout://$PWD/temp@$originalImageManifest\"",
+						"- <<<'FROM fake'", # note: "<<<" is a bashism (so this output must be invoked via bash)
+						empty
+					] | join(" \\\n\t")
+				),
+				"sbomIndex=\"$(jq -r '.manifests[0].digest' sbom/index.json)\"",
+				@sh "shell=\"$(jq -r --arg originalImageManifest \"$originalImageManifest\" \("
+					# https://docs.docker.com/build/attestations/attestation-storage/
+					first(
+						.manifests[]
+						| select(.annotations[\"vnd.docker.reference.type\"] == \"attestation-manifest\")
+					) as $attDesc
+					| @sh \"sbomManifest=\\($attDesc.digest)\",
+						@sh \"sbomManifestDesc=\\(
+							$attDesc
+							| .annotations[\"vnd.docker.reference.digest\"] = $originalImageManifest
+							| tojson
+						)\"
+				" | unindent_and_decomment_jq(4)) \"sbom/blobs/${sbomIndex/://}\")\"",
+				"eval \"$shell\"",
+				@sh "shell=\"$(jq -r \("
+					\"copyBlobs=( \\([ .config.digest, .layers[].digest | @sh ] | join(\" \")) )\"
+				" | unindent_and_decomment_jq(4)) \"sbom/blobs/${sbomManifest/://}\")\"",
+				"eval \"$shell\"",
+				"copyBlobs+=( \"$sbomManifest\" )",
+				"for blob in \"${copyBlobs[@]}\"; do",
+				"\tcp \"sbom/blobs/${blob/://}\" \"temp/blobs/${blob/://}\"",
+				"done",
+				"jq -r --argjson sbomManifestDesc \"$sbomManifestDesc\" '.manifests += [ $sbomManifestDesc ]' temp/index.json > temp/index.json.new",
+				"mv temp/index.json.new temp/index.json",
+				empty
+			else empty end
 		] | join("\n")
 	else
 		error("unknown/unimplemented Builder: \($builder)")
