Merge pull request #118 from crazy-max/sbom-cataloging

crazy-max · web-flow · commit 17433638795c · 2024-12-10T15:02:34.000+01:00
example: sbom cataloger
diff --git a/examples/sbom-cataloger/.dockerignore b/examples/sbom-cataloger/.dockerignore
@@ -0,0 +1 @@
+/build/
diff --git a/examples/sbom-cataloger/Dockerfile b/examples/sbom-cataloger/Dockerfile
@@ -0,0 +1,23 @@
+# syntax=docker/dockerfile:1.5
+
+# Copyright 2024 buildkit-syft-scanner authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM alpine:3.15@sha256:19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864 AS base
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+COPY <<EOF /empty
+EOF
+
+FROM scratch
+COPY --from=base /empty /
diff --git a/examples/sbom-cataloger/checks/sbom-base.spdx.json b/examples/sbom-cataloger/checks/sbom-base.spdx.json
@@ -0,0 +1,72 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicateType": "https://spdx.dev/Document",
+  "subject": [
+    {
+      "name": "empty",
+      "digest": {
+        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+      }
+    }
+  ],
+  "predicate": {
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "sbom-base",
+    "packages": [
+      {
+        "SPDXID": "SPDXRef-Package-apk-alpine-baselayout-5ede89861c73ee0f",
+        "copyrightText": "NOASSERTION",
+        "description": "Alpine base dir structure and init scripts",
+        "downloadLocation": "https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout",
+        "externalRefs": [
+          {
+            "referenceCategory": "SECURITY",
+            "referenceLocator": "cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.2.0-r18:*:*:*:*:*:*:*",
+            "referenceType": "cpe23Type"
+          },
+          {
+            "referenceCategory": "SECURITY",
+            "referenceLocator": "cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.2.0-r18:*:*:*:*:*:*:*",
+            "referenceType": "cpe23Type"
+          },
+          {
+            "referenceCategory": "SECURITY",
+            "referenceLocator": "cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.2.0-r18:*:*:*:*:*:*:*",
+            "referenceType": "cpe23Type"
+          },
+          {
+            "referenceCategory": "SECURITY",
+            "referenceLocator": "cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.2.0-r18:*:*:*:*:*:*:*",
+            "referenceType": "cpe23Type"
+          },
+          {
+            "referenceCategory": "SECURITY",
+            "referenceLocator": "cpe:2.3:a:alpine:alpine-baselayout:3.2.0-r18:*:*:*:*:*:*:*",
+            "referenceType": "cpe23Type"
+          },
+          {
+            "referenceCategory": "SECURITY",
+            "referenceLocator": "cpe:2.3:a:alpine:alpine_baselayout:3.2.0-r18:*:*:*:*:*:*:*",
+            "referenceType": "cpe23Type"
+          },
+          {
+            "referenceCategory": "PACKAGE-MANAGER",
+            "referenceLocator": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?arch=x86_64\u0026distro=alpine-3.15.11",
+            "referenceType": "purl"
+          }
+        ],
+        "filesAnalyzed": true,
+        "licenseConcluded": "NOASSERTION",
+        "licenseDeclared": "GPL-2.0-only",
+        "name": "alpine-baselayout",
+        "originator": "Person: Natanael Copa (ncopa@alpinelinux.org)",
+        "packageVerificationCode": {
+          "packageVerificationCodeValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+        },
+        "sourceInfo": "acquired package info from APK DB: /lib/apk/db/installed",
+        "supplier": "Person: Natanael Copa (ncopa@alpinelinux.org)",
+        "versionInfo": "3.2.0-r18"
+      }
+    ]
+  }
+}
diff --git a/examples/sbom-cataloger/checks/sbom.spdx.json b/examples/sbom-cataloger/checks/sbom.spdx.json
@@ -0,0 +1,20 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicateType": "https://spdx.dev/Document",
+  "predicate": {
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "sbom",
+    "packages": [
+      {
+        "SPDXID": "SPDXRef-DocumentRoot-Directory-sbom",
+        "downloadLocation": "NOASSERTION",
+        "filesAnalyzed": false,
+        "licenseConcluded": "NOASSERTION",
+        "licenseDeclared": "NOASSERTION",
+        "name": "sbom",
+        "primaryPackagePurpose": "FILE",
+        "supplier": "NOASSERTION"
+      }
+    ]
+  }
+}
