Merge pull request #13 from scality/feature/add-source-iso-for-image-sbom

Feature/add source iso for image SBOM

Author: m4nch0t

README.md

@@ -9,16 +9,16 @@ using [Syft](https://github.com/anchore/syft).
 ## Basic Usage
 
 ```yaml
-- uses: scality/sbom@v1
+- uses: scality/sbom@v1.2.2
   with:
     target: ./
 ```
 
 This will create SBOM result files based on type, ex: 
 
 - repo_sbom_v1.1.0-4-gd6cdf1f.json
-- repo_sbom_v1.2.0.json
-- image_nginx_latest.json
+- repo_sbom_v1.2.2.json
+- image_myiso.iso_nginx_latest.json
 - iso_myiso.iso_128.json
 
 If you want to scan a repository, you have to checkout it with `fetch-tags`.
@@ -39,9 +39,9 @@ The main [SBOM action](action.yml), responsible for generating SBOMs.
 
 | Parameter                   | Description                                                                           | Default                |
 | --------------------------- | ------------------------------------------------------------------------------------- | ---------------------- |
-| `grype-version`             | Grype version to use                                                                  | 0.77.2                 |
-| `sfyt-version`              | Syft version to use                                                                   | 1.2.0                  |
-| `trivy-version`             | Trivy version to use                                                                  | 0.50.1                 |
+| `grype-version`             | Grype version to use                                                                  | 0.77.3                 |
+| `sfyt-version`              | Syft version to use                                                                   | 1.3.0                  |
+| `trivy-version`             | Trivy version to use                                                                  | 0.51.1                 |
 | `target`                    | A file/directory/iso on the filesystem to scan.                                       | \<current directory>   |
 | `format`                    | Format of SBOM file.                                                                  | cyclonedx-json         |
 | `name`                      | Name of the target, if you need to overwrite the detected.                            |                        |
@@ -57,7 +57,7 @@ The main [SBOM action](action.yml), responsible for generating SBOMs.
 Use the `path` parameter, relative to the repository root:
 
 ```yaml
-- uses: scality/sbom@v1
+- uses: scality/sbom@v1.2.2
   with:
     target: ./artifacts
     format: cyclonedx-json
@@ -69,7 +69,7 @@ Images created with Oras for example have custom mediatype and are not usable
 by Skopeo, they have to be excluded. 
 
 ```yaml
-- uses: scality/sbom@v1
+- uses: scality/sbom@v1.2.2
   with:
     target: ./images
     exclude_mediatypes: "application/grafana-dashboard+json text/nginx-conf-template"
@@ -102,7 +102,7 @@ jobs:
           fetch-tags: true
           path: ${{ env.BASE_PATH }}/repo/myrepo
       - name: Generate sbom for repository
-        uses: scality/sbom@v1.2.0
+        uses: scality/sbom@v1.2.2
         with:
           target: ${{ env.BASE_PATH }}/repo/myrepo
           output-dir: ${{ env.SBOM_PATH }}
@@ -124,10 +124,10 @@ jobs:
           echo "Downloading my.iso from $ARTIFACTS_URL"
           curl -sSfL -o ${{ env.BASE_PATH }}/iso/my.iso -u $ARTIFACTS_USER:$ARTIFACTS_PASSWORD $ARTIFACTS_URL/my.iso
       - name: Generate sbom for ISO
-        uses: scality/sbom@v1.2.0
+        uses: scality/sbom@v1.2.2
         with:
           target: ${{ env.BASE_PATH }}/iso/my.iso
-          version: "1.0.0"  # Make sure to replace this with the actual ISO version
+          version: "1.0.0"  # Make sure to replace this with the actual ISO version to avoid undefined in you SBOM
           output-dir: ${{ env.SBOM_PATH }}
       - name: Generate archive
         shell: bash
@@ -151,6 +151,77 @@ jobs:
           source: artifacts
 ```
 
+## CycloneDX metadata
+
+In generated SBOM you will find this metadata:
+
+- for images contains in ISO:
+
+```json
+{
+    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.5",
+    "serialNumber": "urn:uuid:984d102d-0992-4dae-be80-ba551bc2079a",
+    "version": 1,
+    "metadata": {
+        "timestamp": "2024-05-07T09:43:34Z",
+        "tools": {
+            "components": [
+                {
+                    "type": "application",
+                    "author": "anchore",
+                    "name": "syft",
+                    "version": "1.3.0"
+                }
+            ]
+        },
+        "component": {
+            "bom-ref": "1b58496ca93cc57d",
+            "type": "container",
+            "name": "my.iso:alpine", // composed by iso_source_name:image_name
+            "version": "1.1.1" // image_version
+        }
+    },
+...
+```
+
+- for ISO:
+
+```json
+{
+    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.5",
+    "serialNumber": "urn:uuid:db2bc22b-a5e5-49a9-9d02-61a18480ead4",
+    "version": 1,
+    "metadata": {
+        "timestamp": "2024-05-07T09:41:46Z",
+        "tools": {
+            "components": [
+                {
+                    "type": "application",
+                    "author": "anchore",
+                    "name": "syft",
+                    "version": "1.3.0"
+                }
+            ]
+        },
+        "component": {
+            "bom-ref": "4a057776eee09e2f",
+            "type": "file",
+            "name": "my.iso", // ISO basename calculated by target var
+            "version": "undefined" // for ISO if version is not provided, you will get undefined
+        }
+    }
+}
+```
+
+- 
+## Know issue
+
+- scanning a repo present in `/tmp` will not work. Syft doesn't use right catalogers in this path. An issue is open [here](https://github.com/anchore/syft/issues/2847)
+
 ## References
 
 HTML template for **Grype** results visualisation was slightly modified from [Grype Contrib](https://github.com/opt-nc/grype-contribs).

TODO.md

@@ -0,0 +1,14 @@
+# SBOM
+
+Future releases will include this features.
+
+### Todo
+
+- [ ] Add detection of image directory  
+  - [ ] add detection in detect.py
+  - [ ] switch to convert.py if necessary
+  - [ ] migrate some code for image scanning in main.py to another module for cleanning code
+
+### In Progress
+
+### Done ✓

src/lib/detect.py

@@ -16,13 +16,13 @@ def is_git_repo(target):
     except exc.InvalidGitRepositoryError:
         return False
 
-def get_repo_name():
+def get_repo_name(target):
     """
     ## Get the name of a git repository.
     ### Args:
         target (str): The path to the git repository.
     """
-    name = Repo(".").remotes.origin.url.split(".git")[0].split("/")[-1]
+    name = Repo(target).remotes.origin.url.split(".git")[0].split("/")[-1]
     return name
 
 def get_repo_version(target):
@@ -55,9 +55,10 @@ def detect_target_type(target):
     elif os.path.isdir(target):
         target_type = "directory"
         print("Detected directory.")
+        print(f"Provided target: {target}")
         if is_git_repo(target):
             version = get_repo_version(target)
-            name = get_repo_name()
+            name = get_repo_name(target)
             target_type = "git"
             print(f"Detected git repository: {name}, version: {version}")
         else:

src/lib/install.py

@@ -7,7 +7,7 @@
 from pyunpack import Archive
 
 # Define the scanners and their versions
-scanners = {"syft": "1.2.0", "grype": "0.77.2", "trivy": "0.50.1"}
+scanners = {"syft": "1.3.0", "grype": "0.77.3", "trivy": "0.51.1"}
 
 # Define the base URLs for the scanners
 ANCHORE_BASE_URL = (

src/lib/scan.py

@@ -26,7 +26,7 @@ def __init__(
         self.output_file_prefix = output_file_prefix
         self.output_file = (
             f"{self.sbom_format}={self.output_dir}/"
-            f"{self.output_file_prefix}_{self.name}_{self.version}.json"
+            f"{self.output_file_prefix}_{self.name.replace(':', '_')}_{self.version}.json"
         )
 
     def execute(self):

src/main.py

@@ -133,7 +133,7 @@
                             detect_image_origin(subdir_path)
                             # get source iso basename
                             source_iso = os.path.basename(extracted_dir)
-                            IMAGE_FILE_PREFIX=f"{OUTPUT_FILE_PREFIX}_{source_iso}"
+                            IMAGE_NAME_COMPLETE=f"{source_iso}:{image_name}"
                             EXCLUDED = check_mediatype(
                                 subdir_path, excluded_mediatypes
                             )
@@ -145,10 +145,10 @@
                                 scan_command = ScanCommand(
                                     target=f"{CONVERT_DIR}/{image_name}_{image_version}",
                                     target_type="oci-dir",
-                                    name=image_name,
+                                    name=IMAGE_NAME_COMPLETE,
                                     version=image_version,
                                     output_dir=OUTPUT_DIR,
-                                    output_file_prefix=IMAGE_FILE_PREFIX,
+                                    output_file_prefix=OUTPUT_FILE_PREFIX,
                                     sbom_format=SBOM_FORMAT,
                                 )
                                 scan_command.execute()
@@ -157,10 +157,10 @@
                                 scan_command = ScanCommand(
                                     target=f"{subdir_path}",
                                     target_type="dir",
-                                    name=image_name,
+                                    name=IMAGE_NAME_COMPLETE,
                                     version=image_version,
                                     output_dir=OUTPUT_DIR,
-                                    output_file_prefix=IMAGE_FILE_PREFIX,
+                                    output_file_prefix=OUTPUT_FILE_PREFIX,
                                     sbom_format=SBOM_FORMAT,
                                 )
                                 scan_command.execute()