-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Cyclonedx as a predicate type #82
Comments
The above is an example proposed predicate type documentation. |
Having this information (sbom/vex) in the intoto attestation format is particular interesting when combined with cosign attestations + a policy engine like kyverno which will allow verification of container images before they are admitted to a runtime environment. Eg - https://github.com/JimBugwadia/image-verification-policy/blob/main/check-sbom.yaml cc: @dlorenc + @sigstore team, @JimBugwadia + @kyverno team |
Some related CycloneDX BOM examples - CycloneDX SBOM - CycloneDX VEX - CycloneDX SaaSBOM - Example use of such attestations - Reject images which contain vuln. with score greater than 8 Reject images which contain a specific component and version https://github.com/JimBugwadia/image-verification-policy/blob/main/check-sbom.yaml |
Let me or @coderpatros know if there are any CycloneDX questions. Looking forward to this enhancement! |
@stevespringett not sure if the CycloneDX team has a preference on what the predicate type should look like - For eg The CycloneDX format has a mandatory specVersion field, so we may choose to omit the version number from the predicateType URI to avoid confusion. Similarly not sure if you have a preference for different predicate types for different capabilities that CycloneDX offers or if the generic predicate type format looks good. In terms of in-toto support I think it is majorly just documenting the predicate type and the predicate payload format for a given type. There is no registration process per https://github.com/in-toto/attestation/tree/main/spec#predicate so we can also just document these on the cyclonedx side so that users have a consistent way of identifying cyclonedx attestations. |
I would recommend a generic predicate type, not specific to the CycloneDX capabilities. The reality is that it's entirely possible to construct a BOM with ALL capabilities.
|
Strong +1 here. This is of great interest to those needing to comply with the White House executive order on cybersecurity which CycloneDX exceeds. |
PRs welcome! Or this can be documented on the CycloneDX side and just have a pointer in this repo. There is no formal registration necessary. |
What's needed from an in-toto side to "support" this? If there's no formal registration, is it just a mutual agreement as to the predicateType URI? |
From a specification point of view, all that is needed is a document describing unambiguously how to interpret the attestation of that predicateType: how to parse the predicate (linking to the CycloneDX spec), how the subject relates to the predicate, etc. It will probably be short. This document SHOULD be served from that URI (example: https://slsa.dev/provenance/v0.2). Then you need tools to actually implement that. If you're using the in-toto binary, I think in-toto-golang is where a lot of development has been happening, but I'm less familiar with this. Does that help? |
Happy to submit a PR to document this in the spec first. |
Happy to collaborate, @samj1912 |
Hi, I'd like to know what the plan is. I tend to think that syft should use whatever in-toto defines and should be fixed accordingly rather than use its own value but the fact that the in-toto definition seems to have been added pretty casually without much discussion and any formal resolution of this issue isn't very comforting. Thanks |
We've discussed this in the CycloneDX project and have settled on the use of |
Thanks for the response. I understand and I'll be happy to submit a PR to update in-toto-golang accordingly. It would be best if the CycloneDX project closed the issue with your decision. We can then close this one and update all projects accordingly. |
This is in line with the decision from the CycloneDX project: in-toto/attestation#82 (comment) This resolves an incompatibility between cosign and syft. Signed-off-by: Arnaud J Le Hors <[email protected]>
@samj1912 can you open a PR for this proposed predicate type? The format for a predicate spec can be found here: https://github.com/in-toto/ITE/blob/master/ITE/9/README.adoc. Also, #111 and #112 can be used for reference. |
This commit adds a predicate specification for CycloneDX using the example specification from issue in-toto#82. The motivation for doing this is only to offer help with getting this into in-toto, in case the original author currently does not have time. Co-authored-by: samj1912 <[email protected]> Resolves: in-toto#82 Signed-off-by: Daniel Bevenius <[email protected]>
This commit adds a predicate specification for CycloneDX using the example specification from issue in-toto#82. The motivation for doing this is only to offer help with getting this into in-toto, in case the original author currently does not have time. Co-authored-by: samj1912 <[email protected]> Resolves: in-toto#82 Signed-off-by: Daniel Bevenius <[email protected]>
intoto attestations currently document the SPDX predicate type. SBOMs and BOMs in general are a diverse space as of now and CycloneDX is the other leading industry alternative to SPDX for SBOMs and recognized by NTIA as a recognized SBOM format.
CycloneDX supports other capabilities apart from just SBOMs. A particularly interesting one is the VEX capability which introduce a standard format to attach vulnerability information.
intoto should document and introduce well defined predicate types for the various CycloneDX BOM formats (not just SBOM).
cc: @stevespringett @coderpatros
The text was updated successfully, but these errors were encountered: