add SBOM to images (#730)

* add SBOM to images * attach attestation using cosign * add container sbom verification to README.md * add sbom attestation to release pipeline * add trivy scan to release
fkie-cad · Dec 17, 2024 · ca065f9 · ca065f9
1 parent e668b17
commit ca065f9
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 17 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -140,6 +140,27 @@ jobs:
           tags: |
             ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
 
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.4.1'
+
+      - name: Create SBOM of container image
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
+          artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
+          output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
+
+      - name: Sign image with a key and add sbom attestation
+        run: |
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
+          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+
       # To avoid the trivy-db becoming outdated, we save the cache for one day
       - name: Get date
         id: date
@@ -167,16 +188,3 @@ jobs:
       # So we need to change the permissions before caching the database.
       - name: Change permissions for trivy.db
         run: sudo chmod 0644 ./cache/db/trivy.db
-
-      - name: Install Cosign
-        uses: sigstore/[email protected]
-        with:
-          cosign-release: 'v2.4.1'
-
-      - name: Sign image with a key
-        run: |
-          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/publish-release-to-pypi.yml b/.github/workflows/publish-release-to-pypi.yml
@@ -96,10 +96,46 @@ jobs:
         with:
           cosign-release: 'v2.4.1'
 
-      - name: Sign image with a key
+      - name: Create SBOM of container image
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
+          artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
+          output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
+
+      - name: Sign image with a key and add sbom attestation
         run: |
           cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
+          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
         env:
           COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
+
+      # To avoid the trivy-db becoming outdated, we save the cache for one day
+      - name: Get date
+        id: date
+        run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
+
+      - name: Restore trivy cache
+        uses: actions/cache@v4
+        with:
+          path: cache/db
+          key: trivy-cache-${{ steps.date.outputs.date }}
+          restore-keys:
+            trivy-cache-
+
+      - name: Scan image using Trivy
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_CACHE_DIR: ./cache
+        with:
+          scan-type: image
+          image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
+          trivy-config: trivy.yaml
+
+      # Trivy-db uses `0600` permissions.
+      # But `action/cache` use `runner` user by default
+      # So we need to change the permissions before caching the database.
+      - name: Change permissions for trivy.db
+        run: sudo chmod 0644 ./cache/db/trivy.db
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -31,7 +31,8 @@ the list is now fixed inside the packaged logprep
 * remove `tldextract` dependency
 * remove `urlextract` dependency
 * fix wrong documentation for `timestamp_differ`
-* add container signatures to image build inside ci pipeline
+* add container signatures to images build in ci pipeline
+* add sbom to images build in ci pipeline
 
 ### Bugfix
 

diff --git a/README.md b/README.md
@@ -32,6 +32,7 @@ allowing further applications besides log handling.
 - [Event Generation](https://logprep.readthedocs.io/en/latest/user_manual/execution.html#event-generation)
 - [Documentation](https://logprep.readthedocs.io/en/latest)
 - [Container signatures](https://github.com/fkie-cad/Logprep/blob/main/README.md#container-signatures)
+- [Container SBOM](https://github.com/fkie-cad/Logprep/blob/main/README.md#container-sbom)
 - [Contributing](https://github.com/fkie-cad/Logprep/blob/main/CONTRIBUTING.md)
 - [License](https://github.com/fkie-cad/Logprep/blob/main/LICENSE)
 - [Changelog](https://github.com/fkie-cad/Logprep/blob/main/CHANGELOG.md)
@@ -243,7 +244,8 @@ A HTML documentation can be then found in `doc/_build/html/index.html`.
 
 ## Container signatures
 
-From release 15 on, Logprep containers are signed using the cosign tool.
+From release 15 on, Logprep containers are signed using the
+[cosign](https://github.com/sigstore/cosign) tool.
 To verify the container, you can copy the following public key into a file
 `logprep.pub`:
 
@@ -257,5 +259,43 @@ kVtARE+LJfSFI25BanOG9jaxxRGVt+Sa1KtQbMcy7Glxu0s7XgD9VFGjTA==
 And use it to verify the signature:
 
 ```
-cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:3.11-latest
+cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:py3.11-latest
+```
+
+The output should look like:
+
+```
+Verification for ghcr.io/fkie-cad/logprep:py3.11-latest --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+
+[{"critical":{"identity":{"docker-reference":"ghcr.io/fkie-cad/logprep"}, ...
+```
+
+## Container SBOM
+
+From release 15 on, Logprep container images are shipped with a generated sbom.
+To verify the attestation and extract the SBOM use
+[cosign](https://github.com/sigstore/cosign) with:
+
+```
+cosign verify-attestation --key logprep.pub ghcr.io/fkie-cad/logprep:py3.11-latest | jq '.payload | @base64d | fromjson | .predicate | .Data | fromjson' > sbom.json
+```
+
+The output should look like:
+
+```
+Verification for ghcr.io/fkie-cad/logprep:py3.11-latest --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+```
+
+Finally, you can view the extracted sbom with:
+
+```
+cat sbom.json | jq
 ```