Merge pull request moby#3422 from jedevc/attestations-only-supplement-core

tonistiigi · web-flow · commit 733c043de744 · 2023-01-05T09:04:16.000-08:00
Only supplement SBOMs with file-layer info for specified SBOMs
diff --git a/docs/attestations/sbom-protocol.md b/docs/attestations/sbom-protocol.md
@@ -48,9 +48,8 @@ by BuildKit:
   This variable specifies the main target, passing the path to the root
   filesystem of the final build result.
 
-  The scanner should scan this filesystem, and write its SBOM scans to
-  `$BUILDKIT_SCAN_DESTINATION/<scan>.spdx.json`. If the scan name is not
-  significant the scan can be named `$(basename $BUILDKIT_SCAN_SOURCE)`.
+  The scanner should scan this filesystem, and write its SBOM result to
+  `$BUILDKIT_SCAN_DESTINATION/$(basename $BUILDKIT_SCAN_SOURCE).spdx.json`.
 
 - `BUILDKIT_SCAN_SOURCE_EXTRAS` (optional)
 
diff --git a/exporter/containerimage/attestations.go b/exporter/containerimage/attestations.go
@@ -14,6 +14,7 @@ import (
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/result"
 	"github.com/moby/buildkit/version"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -35,6 +36,13 @@ func supplementSBOM(ctx context.Context, s session.Group, target cache.Immutable
 	if att.InToto.PredicateType != intoto.PredicateSPDX {
 		return att, nil
 	}
+	name, ok := att.Metadata[result.AttestationSBOMCore]
+	if !ok {
+		return att, nil
+	}
+	if n, _, _ := strings.Cut(att.Path, "."); n != string(name) {
+		return att, nil
+	}
 
 	content, err := attestation.ReadAll(ctx, s, att)
 	if err != nil {
diff --git a/frontend/attestations/sbom/sbom.go b/frontend/attestations/sbom/sbom.go
@@ -89,6 +89,7 @@ func CreateSBOMScanner(ctx context.Context, resolver llb.ImageMetaResolver, scan
 			Ref:  stsbom,
 			Metadata: map[string][]byte{
 				result.AttestationReasonKey: []byte(result.AttestationReasonSBOM),
+				result.AttestationSBOMCore:  []byte(CoreSBOMName),
 			},
 			InToto: result.InTotoAttestation{
 				PredicateType: intoto.PredicateSPDX,
diff --git a/solver/result/attestation.go b/solver/result/attestation.go
@@ -9,6 +9,7 @@ import (
 
 const (
 	AttestationReasonKey     = "reason"
+	AttestationSBOMCore      = "sbom-core"
 	AttestationInlineOnlyKey = "inline-only"
 )
 

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ import (`
`9`	`9`
`10`	`10`	`const (`
`11`	`11`	`AttestationReasonKey = "reason"`
	`12`	`+ AttestationSBOMCore = "sbom-core"`
`12`	`13`	`AttestationInlineOnlyKey = "inline-only"`
`13`	`14`	`)`
`14`	`15`