Final slides for 20230517

nicholasdille · nicholasdille · commit 9d65413eb89b · 2023-05-16T14:00:24.000+02:00
diff --git a/060_security/11_artifacts/referrers.demo b/060_security/11_artifacts/referrers.demo
@@ -0,0 +1,54 @@
+# Referrers
+
+# Prepare OCI 1.1 compliant registry
+REGISTRY=127.0.0.1:5000
+docker container run --detach --name registry --publish "${REGISTRY}:5000" ghcr.io/oras-project/registry:v1.0.0-rc.4
+regctl registry set "${REGISTRY}" --tls disabled
+
+# Prepare test image
+REPOSITORY=ubuntu
+TAG=22.04
+IMAGE="${REGISTRY}/${REPOSITORY}:${TAG}"
+docker pull "${REPOSITORY}:${TAG}"
+docker tag "${REPOSITORY}:${TAG}" "${IMAGE}"
+docker push "${IMAGE}"
+
+# Create and link SBOM
+trivy image "${IMAGE}" --format cyclonedx --output cyclonedx.json
+cat cyclonedx.json \
+| regctl artifact put --subject "${IMAGE}" \
+    --artifact-type application/vnd.cyclonedx+json \
+    --file-media-type application/vnd.cyclonedx+json \
+    --annotation "created-by=trivy" \
+    --annotation "org.opencontainers.artifact.created=$(date -Iseconds)" \
+    --annotation "org.opencontainers.artifact.description=CycloneDX JSON SBOM"
+trivy referrer list "${IMAGE}"
+
+# Create and link SARIF report
+trivy image "${IMAGE}" --format sarif \
+| regctl artifact put --subject "${IMAGE}" \
+    --artifact-type application/json \
+    --file-media-type application/json \
+    --annotation "created-by=trivy" \
+    --annotation "org.opencontainers.artifact.created=$(date -Iseconds)" \
+    --annotation "org.opencontainers.artifact.description=SARIF JSON"
+trivy referrer list "${IMAGE}"
+
+# Sign container image
+COSIGN_EXPERIMENTAL=1 cosign sign -y --registry-referrers-mode oci-1-1 "${IMAGE}"
+
+# Sign SBOM
+SOURCE_CYCLONEDX="$(
+    regctl artifact tree --filter-artifact-type application/vnd.cyclonedx+json "${IMAGE}" --format "{{json .}}" \
+    | jq -r '.referrer | .[0].reference.Digest'
+)"
+COSIGN_EXPERIMENTAL=1 cosign sign -y --
+registry-referrers-mode oci-1-1 "${IMAGE}@${SOURCE_CYCLONEDX}"
+oras discover "${IMAGE}" --plain-http --output tree
+
+# Sign SARIF
+SOURCE_SARIF="$(
+    regctl artifact tree --filter-artifact-type application/sarif+json "${IMAGE}" --format "{{json .}}" \
+    | jq -r '.referrer | .[0].reference.Digest'
+)"
+COSIGN_EXPERIMENTAL=1 cosign sign -y --registry-referrers-mode oci-1-1 "${IMAGE}@${SOURCE_SARIF}"
diff --git a/060_security/11_artifacts/run.sh b/060_security/11_artifacts/run.sh
@@ -35,7 +35,13 @@ cat cyclonedx.json \
 #    ./cyclonedx.json:application/vnd.cyclonedx+json
 #cosign attach sbom ...
 trivy image "${IMAGE}" --format sarif \
-| trivy referrer put
+| regctl artifact put --subject "${IMAGE}" \
+    --artifact-type application/sarif+json \
+    --file-media-type application/sarif+json \
+    --annotation "created-by=trivy" \
+    --annotation "org.opencontainers.artifact.created=$(date -Iseconds)" \
+    --annotation "org.opencontainers.artifact.description=SARIF JSON"
+#| trivy referrer put
 
 trivy referrer list "${IMAGE}"
 trivy referrer list "${IMAGE}" --format table
diff --git a/060_security/11_artifacts/slides.md b/060_security/11_artifacts/slides.md
@@ -1,11 +1,34 @@
-## OCI artifacts
+## OCI artifacts and referrers
 
-XXX [](https://github.com/opencontainers/artifacts)
+Open Container Initiative (OCI) is responsible for multiple specifications:
 
-XXX OCI 1.1.0-rc.2 [](https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc.2/spec.md)
+- Runtime <span style="color: grey;">(how to talk to container runtime)</span> [](https://github.com/opencontainers/runtime-spec)
+- Image <span style="color: grey;">(how to store a container image)</span> [](https://github.com/opencontainers/image-spec)
+- Distribution <span style="color: grey;">(how to talk to image registries)</span> [](https://github.com/opencontainers/distribution-spec)
+- Artifact <span style="color: grey;">(how to store arbitraty data in registries)</span> [](https://github.com/opencontainers/artifacts)
 
-XXX [](https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc.2/spec.md#enabling-the-referrers-api)
+OCI is slowly replacing Docker media types
 
-XXX list [](https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc.2/spec.md#listing-referrers)
+Version 1.1 is in the making
 
-XXX https://github.com/aquasecurity/trivy-plugin-referrer
+Distribution spec 1.1.0-rc.2 [](https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc.2/spec.md) adds referrers
+
+Referrers add relationships between digests
+
+Implementations: [regclient](https://github.com/regclient/regclient/blob/main/docs/regctl.md#artifact-commands), [trivy](https://github.com/aquasecurity/trivy-plugin-referrer), [oras](https://oras.land/docs/cli/reference_types/#discovering-artifact-references), [distribution](https://github.com/oras-project/distribution)
+
+---
+
+## Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/060_security/11_artifacts/referrers.demo "referrers.demo")
+
+Upload demo image
+
+Link SBOM
+
+Link SARIF report (repeat daily)
+
+Sign image
+
+Sign SBOM
+
+Sign SARIF
diff --git a/120_kubernetes/kyverno/cosign.md b/120_kubernetes/kyverno/cosign.md
@@ -1,12 +1,14 @@
-## Kyverno for<br/>image signature validation
+## Kyverno for Cosign
 
-XXX
+Kyverno can verfiy image signatures
 
-XXX kyverno for testing keyless image signatures
+Select images using wildcards
 
----
+Specify multiple signatures
 
-## Demo
+Defines how many signatures must match
+
+### Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/kyverno/cosign.demo "cosign.demo")
 
 Verify Kubernetes control plane images [](https://www.cncf.io/blog/2023/05/01/kyverno-verify-kubernetes-control-plane-images/)
 
diff --git a/170_supply_chain_security/activity.md b/170_supply_chain_security/activity.md
@@ -2,23 +2,31 @@
 
 Health metrics for Open Source projects using `scorecard` [](https://github.com/ossf/scorecard)
 
-XXX
+Prerequisite for funding via *Secure Open Source* (SOS) Rewards [](https://sos.dev/)
+
+### Checks (exerpt) [](https://github.com/ossf/scorecard#scorecard-checks)
+
+Branch protection
+
+Code Review in PRs
+
+Dependency update tool
+
+Signed releases
 
 ### Example
 
 ```bash
 scorecard --repo=github.com/moby/moby
 ```
 
-XXX https://github.com/ossf/scorecard#scorecard-checks
-
-XXX https://sos.dev/
-
 ---
 
 ## Scorecard data
 
-XXX [](https://github.com/ossf/scorecard#public-data)
+One million critical open source projects are scanned weekls [](https://github.com/ossf/scorecard#public-data)
+
+Data is shared publicly
 
 ### REST API
 
@@ -30,4 +38,6 @@ curl -s https://api.securityscorecards.dev/projects/${PROJECT} \
 
 ### Google BigQuery
 
-XXX
+Use web-based [BigQuery Explorer](http://console.cloud.google.com/bigquery)
+
+Use `bq` on the console (part of `gcloud`)
diff --git a/170_supply_chain_security/approaches.md b/170_supply_chain_security/approaches.md
@@ -4,7 +4,7 @@
 
 Follow the [Open Source Security Foundation](https://openssf.org/) (OSSF) [Concise Guide for developing more secure software](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Developing-More-Secure-Software.md#readme)
 
-XXX minimalism
+Keep it simple and stupid (KISS) [](https://en.wikipedia.org/wiki/KISS_principle)
 
 Automated dependency updates
 
@@ -24,16 +24,20 @@ Create provenence [](https://slsa.dev/provenance) (signed description of artifac
 
 ## Unmaintained dependencies
 
+[XKCD 2347](https://xkcd.com/2347/) by [Randall Munroe, XKCD](https://xkcd.com/about/)
+
+<!-- .element: style="font-size: smaller; float: right; writing-mode: vertical-rl; margin-top: 0.5em;" -->
+
 ![](images/xkcd-2347-dependency.png) <!-- .element: style="float: right; width: 40%;" -->
 
-Let's say, you have done all of the above 
+Let's say, you have done all of the above
 
 How can you be sure that your dependencies are maintained?
 
 Will a vulnerability be fixed quickly?
 
-XXX risk!
+Every dependency is a risk - unmaintained even more so
 
-### XXX
+### Choose wisely
 
 Follow the [Open Source Security Foundation](https://openssf.org/) (OSSF) [Concise Guide for evaluating open source software](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Evaluating-Open-Source-Software.md#readme)
diff --git a/170_supply_chain_security/cosign/cosign.demo b/170_supply_chain_security/cosign/cosign.demo
@@ -0,0 +1,31 @@
+# Cosign
+
+# Login for packages
+docker login
+
+# Build container image
+cat <<EOF >Dockerfile
+FROM ubuntu:22.04
+EOF
+docker build --tag ghcr.io/nicholasdille/container-slides/ubuntu:22.04 --push .
+
+# Check package
+https://github.com/users/nicholasdille/packages/container/package/container-slides%2Fubuntu
+
+# Keyless signature
+COSIGN_EXPERIMENTAL=1 cosign sign ghcr.io/nicholasdille/container-slides/ubuntu:22.04
+
+# Check manifest
+regctl manifest get ghcr.io/nicholasdille/container-slides/ubuntu:22.04
+
+# View signature
+DIGEST=???
+regctl manifest get ghcr.io/nicholasdille/container-slides/ubuntu:sha256-${DIGEST}.sig
+
+# Check signature
+https://search.sigstore.dev/
+
+# Verify signature
+EMAIL=???
+COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/nicholasdille/container-slides/ubuntu:22.04 --certificate-oidc-issuer https://github.com/login/oauth --cer
+tificate-identity ${EMAIL}
diff --git a/170_supply_chain_security/cosign/slides.md b/170_supply_chain_security/cosign/slides.md
@@ -40,7 +40,7 @@ Check the supply chain of required tools
 
 ---
 
-## Demo
+## Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/170_supply_chain_security/cosign/cosign.demo "cosign.demo")
 
 Sign a container image
 
diff --git a/170_supply_chain_security/cosign/traditional.md b/170_supply_chain_security/cosign/traditional.md
@@ -0,0 +1,7 @@
+## Traditional signatures
+
+XXX PGP
+
+XXX distribution of public key
+
+XXX web of trust
diff --git a/170_supply_chain_security/sbom-operator/slides.md b/170_supply_chain_security/sbom-operator/slides.md
@@ -18,7 +18,7 @@ Prometheus can scrape <i class="fa fa-circle-4"></i> them and Grafana visualize
 
 ---
 
-## Demo
+## Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/170_supply_chain_security/sbom-operator/sbom.demo "sbom.demo")
 
 See SBoMs in [git](https://github.com/nicholasdille/sbom-store)
 
diff --git a/170_supply_chain_security/sbom/formats.demo b/170_supply_chain_security/sbom/formats.demo
@@ -0,0 +1,10 @@
+# SBOM formats
+
+# CycloneDX
+syft ubuntu:22.04 --output cyclonedx-json --file ubuntu-22.04.cyclonedx.json
+
+# SPDX
+syft ubuntu:22.04 --output spdx-json --file ubuntu-22.04.spdx.json
+
+# Syft
+syft ubuntu:22.04 --output syft-json --file ubuntu-22.04.syft.json
diff --git a/170_supply_chain_security/sbom/sarif.md b/170_supply_chain_security/sbom/sarif.md
@@ -0,0 +1,13 @@
+## SARIF
+
+OASIS [](https://www.oasis-open.org/) Static Analysis Results Interchange Format (SARIF) [](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif)
+
+XXX junit?
+
+---
+
+## Demo: SARIF
+
+Generate SARIF report using `trivy`
+
+Generate SARIF report using `grype`
diff --git a/170_supply_chain_security/sbom/slides.md b/170_supply_chain_security/sbom/slides.md
@@ -44,44 +44,52 @@ docker-setup --tags=sbom plan
 
 ---
 
-## Demo
+## Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/170_supply_chain_security/sbom/sbom.demo "sbom.demo")
 
 SBoM generation
 
 SBoM scanning
 
 ---
 
-## Distribution of SBOMs
+## SBOM Formats
 
-<i class="fa-duotone fa-sparkles fa-6x"></i> <!-- .element: style="float: right;" -->
+### CycloneDX
 
-No standard available yet
+Metadata
 
-### What is out there
+Components
 
-Download from website
+### SPDX
 
-Release asset
+Packages and files
 
-Separate container image with same digest and suffix
+Relationships (what is found where)
 
-Manifest list (BuiltKit)
+### syft
+
+Metadata (source, distro, descriptor)
 
-OCI 1.1 referrer
+Artifacts and files
+
+### Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/170_supply_chain_security/sbom/formats.demo "formats.demo")
 
 ---
 
-## SARIF
+## Distribution of SBOMs
 
-OASIS [](https://www.oasis-open.org/) Static Analysis Results Interchange Format (SARIF) [](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif)
+<i class="fa-duotone fa-sparkles fa-6x"></i> <!-- .element: style="float: right;" -->
 
-XXX junit?
+No standard available yet
 
----
+### What is out there
+
+Download from website
 
-## Demo: SARIF
+Release asset
 
-Generate SARIF report using `trivy`
+Separate container image with same digest and suffix
+
+Manifest list (BuiltKit)
 
-Generate SARIF report using `grype`
+OCI 1.1 referrer
diff --git a/170_supply_chain_security/vulnerabilities.md b/170_supply_chain_security/vulnerabilities.md
@@ -1,6 +1,6 @@
 ## Vulnerabilities
 
-![](images/tenor-this-is-fine-gif-24177057.gif) <!-- .element: style="float: right; width: 40%;" -->
+![](images/tenor-this-is-fine-gif-24177057.gif) <!-- .element: style="float: right; width: 35%;" -->
 
 Tracked by<br/>*Common Vulnerabilities and Exposures* (CVE) [](https://de.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)
 
@@ -11,6 +11,10 @@ Scored by<br/>*Common Vulnerability Scoring System* (CVSS) [](https://nvd.nist.g
 - Scale 0-10
 - Low, medium, high, critical
 
-Also scored by<br/>Exploit Prediction Scoring System (EPSS) [](https://www.first.org/epss/)
+Also scored by<br/>*Exploit Prediction Scoring System* (EPSS) [](https://www.first.org/epss/)
 
-Explore dependencies using https://deps.dev/
+### Understand your dependencies [](https://deps.dev/)
+
+How many indirect dependencies are there?
+
+How many unfixed vulnerabilities are there?
diff --git a/2023-05-17_heise-Webinar-KubernetesSupplyChainSecurity.html b/2023-05-17_heise-Webinar-KubernetesSupplyChainSecurity.html
