Add attestations for binaries compiled from source #669
Conversation
LaurentGoderre
force-pushed
the
more-sbom-2
branch
from
fa3a861 to
9e6fe95
Compare
LaurentGoderre
force-pushed
the
more-sbom-2
branch
from
4be259a to
9955262
Compare
LaurentGoderre
force-pushed
the
more-sbom-2
branch
from
9955262 to
69e2fed
Compare
There was a problem hiding this comment.
Previously left in draft as @whalelines beat me to it.
A couple concerns, both related to form and substance:
- Attributing the installed openssl/erlang to packages seems incorrect to me; when sourced from a distribution even the "same" version can be wildly different, as patching upstream software (and having drastically different opinions at times) is the name of the game. It seems misleading at best, and dangerous (if scanners are blindly trusted) at worst to do so.
- The boilerplate is pretty long/brutal, and it seems like 99% of this should be the same across any DOI. Could this be factored into a helper/generic function of bashbrew, such that this is both DRY and any knowledge of how to properly construct these JSON segments is centralized in once place/updated uniformly?
- It feels like a
PACKAGE-MANAGERref may not be most correct here in any case; since there is not a package manager involved. While a newgeneric/doinamespace could be constructed and a matching package feed used, that will require scanners to have knowledge of both. Knowing that, maybe anOTHERreference would be more appropriate, as it would make it clear that a "special" DOI advisory feed is in use? (ref: https://spdx.github.io/spdx-spec/v2.3/package-information/#7213-examples)
|
@neersighted I was thinking of making into some kind of modular template but didn't know if was to be part od the first pass or after |
|
I think we're going to have a really hard time convincing maintainers who aren't us to add and maintain files like this (even for us, hand maintaining SPDX files feels really dangerous and error prone 😅). Is there some way we could supplement the scanner to learn how to recognize the versions of the software in various official images? Then we could centralize logic like detecting |
|
@LaurentGoderre is working on a template for these SPDX files to make it easier for everyone to incorporate and we can continue to work on tooling to make things easier for maintainers until the benefits you mention, e.g., proper CVE identification and exclusion, and others outweigh what should be the one-time effort to add these. That said, it's likely we will have to assist with that for some maintainers, i.e., provide PRs to the upstream Dockerfiles. |
LaurentGoderre
force-pushed
the
more-sbom-2
branch
2 times, most recently
from
b872f06 to
5619abb
Compare
|
Depends on docker-library/bashbrew#85 |
LaurentGoderre
force-pushed
the
more-sbom-2
branch
from
5619abb to
fbcfd9a
Compare
Changes: - docker-library/rabbitmq@b015404: Merge pull request docker-library/rabbitmq#669 from LaurentGoderre/more-sbom-2 - docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom - docker-library/rabbitmq@fbcfd9a: Added licenses to attestation of binaries compiled from source - docker-library/rabbitmq@215db22: fixup - docker-library/rabbitmq@9f71069: Add attestations for binaries compiled from source
Changes: - docker-library/rabbitmq@b2387a8: Merge pull request docker-library/rabbitmq#670 from LaurentGoderre/remove-heredoc - docker-library/rabbitmq@6e58700: Stop using HEREDOC for SBOM attestation because it breaks the DOI builds - docker-library/rabbitmq@b015404: Merge pull request docker-library/rabbitmq#669 from LaurentGoderre/more-sbom-2 - docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom - docker-library/rabbitmq@fbcfd9a: Added licenses to attestation of binaries compiled from source - docker-library/rabbitmq@215db22: fixup - docker-library/rabbitmq@9f71069: Add attestations for binaries compiled from source
No description provided.