attestation: only supplement file data for the core scan

jedevc · jedevc · commit 2948389c3e94 · 2023-01-05T14:13:25.000Z
Previously, we would attempt to add file data for every single
SBOM - however, if these SBOMs were taken of layers that were not
exported, then these could be wrong.

To workaround this, for the file layer details to be added to the
resulting SBOM, we require that the scanner add a metadata property to
indicate the default value. This is configurable, since in the future we
may want behavior that allows the frontend to specify no file layers, or
wants an SBOM with layers other than the default.

Signed-off-by: Justin Chadwell &lt;me@jedevc.com&gt;
diff --git a/docs/attestations/sbom-protocol.md b/docs/attestations/sbom-protocol.md
@@ -48,9 +48,8 @@ by BuildKit:
   This variable specifies the main target, passing the path to the root
   filesystem of the final build result.
 
-  The scanner should scan this filesystem, and write its SBOM scans to
-  `$BUILDKIT_SCAN_DESTINATION/<scan>.spdx.json`. If the scan name is not
-  significant the scan can be named `$(basename $BUILDKIT_SCAN_SOURCE)`.
+  The scanner should scan this filesystem, and write its SBOM result to
+  `$BUILDKIT_SCAN_DESTINATION/$(basename $BUILDKIT_SCAN_SOURCE).spdx.json`.
 
 - `BUILDKIT_SCAN_SOURCE_EXTRAS` (optional)
 
diff --git a/exporter/containerimage/attestations.go b/exporter/containerimage/attestations.go
@@ -14,6 +14,7 @@ import (
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/result"
 	"github.com/moby/buildkit/version"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -35,6 +36,13 @@ func supplementSBOM(ctx context.Context, s session.Group, target cache.Immutable
 	if att.InToto.PredicateType != intoto.PredicateSPDX {
 		return att, nil
 	}
+	name, ok := att.Metadata[result.AttestationSBOMCore]
+	if !ok {
+		return att, nil
+	}
+	if n, _, _ := strings.Cut(att.Path, "."); n != string(name) {
+		return att, nil
+	}
 
 	content, err := attestation.ReadAll(ctx, s, att)
 	if err != nil {
diff --git a/frontend/attestations/sbom/sbom.go b/frontend/attestations/sbom/sbom.go
@@ -89,6 +89,7 @@ func CreateSBOMScanner(ctx context.Context, resolver llb.ImageMetaResolver, scan
 			Ref:  stsbom,
 			Metadata: map[string][]byte{
 				result.AttestationReasonKey: []byte(result.AttestationReasonSBOM),
+				result.AttestationSBOMCore:  []byte(CoreSBOMName),
 			},
 			InToto: result.InTotoAttestation{
 				PredicateType: intoto.PredicateSPDX,
diff --git a/solver/result/attestation.go b/solver/result/attestation.go
@@ -9,6 +9,7 @@ import (
 
 const (
 	AttestationReasonKey     = "reason"
+	AttestationSBOMCore      = "sbom-core"
 	AttestationInlineOnlyKey = "inline-only"
 )
 

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ import (`
`9`	`9`
`10`	`10`	`const (`
`11`	`11`	`AttestationReasonKey = "reason"`
	`12`	`+ AttestationSBOMCore = "sbom-core"`
`12`	`13`	`AttestationInlineOnlyKey = "inline-only"`
`13`	`14`	`)`
`14`	`15`