Generate and attach a SBOM to container image #75

Closed
lbroudoux opened this issue Dec 3, 2024 · 1 comment

@lbroudoux
Member

To integrate into a secured software supply chain (and be good cloud citizens), we must add SBOM information to the container images we produce.

For an easy start, we should consider adding SBOM information produced during the docker buildx build steps as suggested here: https://docs.docker.com/build/metadata/attestations/sbom/

Then later on, we could study and envision adding more global SBOM information as the one generated by https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md

@lbroudoux lbroudoux self-assigned this Dec 3, 2024
@lbroudoux lbroudoux added this to the 0.7.0 milestone Dec 3, 2024
lbroudoux added a commit that referenced this issue Dec 3, 2024
@lbroudoux
Member Author

Now done!

Just issue these commands to get the SBOM:

$ docker rmi quay.io/microcks/microcks-postman-runtime:nightly && docker pull quay.io/microcks/microcks-postman-runtime:nightly

then

$ docker manifest inspect --verbose quay.io/microcks/microcks-postman-runtime:nightly | jq .
--- OUTPUT --- 
[
  {
    "Ref": "quay.io/microcks/microcks-postman-runtime:nightly@sha256:11c951599ed1bf649abbc2b23ae2730a4e1ef6ad9537a7f10df39b6546bf8429",
    "Descriptor": {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:11c951599ed1bf649abbc2b23ae2730a4e1ef6ad9537a7f10df39b6546bf8429",
      "size": 2005,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    "Raw": "…",
    "OCIManifest": {
      "schemaVersion": 2,
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:6ad71967b3fe717ba186574614e3d3425565335d06f9d3e27a824bc8063d56f0",
        "size": 11450
      },
      "layers": [
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:0d4f239055d063750dddeb4ae84b23d0a708ce76be3167f93d2ba2ba70b50547",
          "size": 39082464
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:c4ec6357134802d11b396c61b95bdb0d6e90820994ac4a5051f2fd9e7ddf65d3",
          "size": 25571220
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:654b1f6905eb51f0124542c80199e5f7aefcb82168f4ff1df1213dcbf308c616",
          "size": 93
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:e94bf7de77b2fb9d8ee93b6d5e8304a907e861222242e449ce7bcfe78a4804bc",
          "size": 4865
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:4119f4ea6cfd0aba2b71fec55aec0a74a1a26adafe9a4f8cba61aed2e0d932ef",
          "size": 315
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:fbd642027f9c8023f05b9d6536a2e7134cf228c2c9577e85da5400f434bea767",
          "size": 37882
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:0d4f3fd4206ba529c32c17a87fbcacd548b6be794fa3bdff31dc43414ef3c426",
          "size": 1668
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:174f80902bec3d21a96220d8f1d7aff6238a5965dd6edf6969bf197648842ba1",
          "size": 23305707
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:7f40eab245087194df288b2e68f115ca3d7cbe48d40c9ea629c43d93fa209714",
          "size": 11766907
        }
      ]
    }
  },
  {
    "Ref": "quay.io/microcks/microcks-postman-runtime:nightly@sha256:7d1283e2dac151f6231138e83d4cfa61b505149cc9099a948a1342e1812fad6a",
    "Descriptor": {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:7d1283e2dac151f6231138e83d4cfa61b505149cc9099a948a1342e1812fad6a",
      "size": 2005,
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    },
    "Raw": "…",
    "OCIManifest": {
      "schemaVersion": 2,
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:0fbbd5072c3459a66a195b05456955dd10032d973be34ed92f2613d6b8d32e7e",
        "size": 11453
      },
      "layers": [
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:abd9eccbef61279a9e1f196b399e5d6336f30519eb5063b2b0fa30be9e4e845d",
          "size": 37337162
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:c29b24aa91afa3bd7d97c75f01756e42d0184900d7a7ffc4e0250299695a1a07",
          "size": 24961867
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:7a09053fa75f4ada3c85ce7802343cbe5d419674df236b79ca4a34601666735a",
          "size": 93
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:93b0fae89445231267dbd3770179ac8c9f437223e28fc3d9b0f0f7ba73e23fdb",
          "size": 4865
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:c3fb394757263382a298fef382cea8ea31a4b18bcbfdf1b30dfa39713100e862",
          "size": 314
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:e63722c40b2daf61d3a22883b660deccae76960b5e6888ad34894a7f747800c9",
          "size": 37882
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:4c45875db77a049006f0ed51fb25d934a63d24e99c5269f8357e7956e6f74b6b",
          "size": 1668
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:6c0bb54fd922b2adb1cdf3d550c52f3bbbea1739768a561ec6ab4481c5d626a3",
          "size": 23310402
        },
        {
          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
          "digest": "sha256:18b9c101bbbc8a95e80443f1f5a94632c2ea92f799e86c9b37629dfa936895d4",
          "size": 11772294
        }
      ]
    }
  },
  {
    "Ref": "quay.io/microcks/microcks-postman-runtime:nightly@sha256:00aa78a192340f3713c1b87dec18b20d0ed046316c4acc612a64ed2c677b1aa3",
    "Descriptor": {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:00aa78a192340f3713c1b87dec18b20d0ed046316c4acc612a64ed2c677b1aa3",
      "size": 839,
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    "Raw": "…",
    "OCIManifest": {
      "schemaVersion": 2,
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:d3466aa5dfc6324b7a9ede187e8f3f1cea11e737574976718048059db781b6d1",
        "size": 241
      },
      "layers": [
        {
          "mediaType": "application/vnd.in-toto+json",
          "digest": "sha256:2d4a82251fbd2baa341f3ccc08a81342a214a9e8762f0a8f9e08af386f7aca0d",
          "size": 903268,
          "annotations": {
            "in-toto.io/predicate-type": "https://spdx.dev/Document"
          }
        },
        {
          "mediaType": "application/vnd.in-toto+json",
          "digest": "sha256:2fab1912c79880662b84196804fad29f32de604a384c8f20feb45ddf4b69b999",
          "size": 1413,
          "annotations": {
            "in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"
          }
        }
      ]
    }
  },
  {
    "Ref": "quay.io/microcks/microcks-postman-runtime:nightly@sha256:7138f735e5e314a17dc6e0d8425967cf69644bfb67f0f07b84f4cb2c7188f851",
    "Descriptor": {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:7138f735e5e314a17dc6e0d8425967cf69644bfb67f0f07b84f4cb2c7188f851",
      "size": 839,
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    "Raw": "…",
    "OCIManifest": {
      "schemaVersion": 2,
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:7b55edd23394205d25eaff092da266ab1db52d70e714c17909fedcc370f2ad83",
        "size": 241
      },
      "layers": [
        {
          "mediaType": "application/vnd.in-toto+json",
          "digest": "sha256:d3b17cd900bbe1adb65a0447225675903464064b00e7ea6a398dc30f3f53f18c",
          "size": 903268,
          "annotations": {
            "in-toto.io/predicate-type": "https://spdx.dev/Document"
          }
        },
        {
          "mediaType": "application/vnd.in-toto+json",
          "digest": "sha256:7da6322f2a29fa3e88b23352f2f05a97db2195b29a26714b263d629be921f770",
          "size": 1413,
          "annotations": {
            "in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"
          }
        }
      ]
    }
  }
]

and then on the SBOM blob:

$ oras blob fetch --output - quay.io/microcks/microcks-postman-runtime:nightly@sha256:d3b17cd900bbe1adb65a0447225675903464064b00e7ea6a398dc30f3f53f18c | jq .
--- OUTPUT --- 
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://spdx.dev/Document",
  "subject": [
    {
      "name": "pkg:docker/quay.io/microcks/microcks-postman-runtime@nightly?platform=linux%2Farm64",
      "digest": {
        "sha256": "7d1283e2dac151f6231138e83d4cfa61b505149cc9099a948a1342e1812fad6a"
      }
    }
  ],
  "predicate": {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sbom",
    "documentNamespace": "https://anchore.com/syft/dir/sbom-3ddfa5e9-11e6-4550-a464-fac21bb4009e",
    "creationInfo": {
      "licenseListVersion": "3.23",
      "creators": [
        "Organization: Anchore, Inc",
        "Tool: syft-v0.105.0",
        "Tool: buildkit-v0.17.2"
      ],
      "created": "2024-12-03T13:20:07Z"
    },
    "packages": [
      {
        "name": "@colors/colors",
        "SPDXID": "SPDXRef-Package-npm--colors-colors-0d3fee5f6cc0bed6",
        "versionInfo": "1.6.0",
        "supplier": "Person: DABH",
        "originator": "Person: DABH",
        "downloadLocation": "http://github.com/DABH/colors.js.git",
        "filesAnalyzed": false,
        "homepage": "https://github.com/DABH/colors.js",
        "sourceInfo": "acquired package info from installed node module manifest file: /app/node_modules/@colors/colors/package.json",
        "licenseConcluded": "NOASSERTION",
        "licenseDeclared": "MIT",
        "copyrightText": "NOASSERTION",
        "description": "get colors in your node.js console",
        "externalRefs": [
          {
            "referenceCategory": "SECURITY",
            "referenceType": "cpe23Type",
            "referenceLocator": "cpe:2.3:a:\\@colors\\/colors:\\@colors\\/colors:1.6.0:*:*:*:*:*:*:*"
          },
          {
            "referenceCategory": "SECURITY",
            "referenceType": "cpe23Type",
            "referenceLocator": "cpe:2.3:a:DABH:\\@colors\\/colors:1.6.0:*:*:*:*:*:*:*"
          },
          {
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": "pkg:npm/%40colors/[email protected]"
          }
        ]
      },
      [...]
    ]
  }
}
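The comment above locates the SBOM by eye: it reads the attestation manifest (the one whose platform is `unknown/unknown`), picks the layer annotated `https://spdx.dev/Document`, fetches it with `oras`, and the fetched statement's `subject` digest turns out to be the arm64 image manifest digest. The script below is an added example, not code from this issue or from the Microcks project, that does that walk programmatically over the JSON `docker manifest inspect --verbose` prints, and adds the check a consumer actually wants: that the SBOM's single subject digest is one of the platform manifests in the same index, and that the platform encoded in the subject name (`?platform=linux%2Farm64`) agrees with what the index says for that digest. It checks digest binding only; it does not verify any signature over the statement. The trimmed index and statement embedded in it are constructed samples built from the digests and package shown in the comment; the `__main__` path assumes `docker` and `oras` are on `PATH` and can reach the registry.

```python
"""Added example (not Microcks code): locate the buildx SBOM attestation in an image index
and check that it is bound to the platform manifest it claims to describe. Index shape is
`docker manifest inspect --verbose` output; statement shape is what `oras blob fetch` returns."""
import json
import subprocess
import sys
from urllib.parse import parse_qs

IN_TOTO = "application/vnd.in-toto+json"
SPDX_PREDICATE = "https://spdx.dev/Document"
PROVENANCE_PREDICATE = "https://slsa.dev/provenance/v0.2"

# Constructed sample index (digests taken from the issue): two platform manifests plus the
# attestation manifest. Attestation manifests carry os/arch "unknown" and are not images.
SAMPLE_INDEX = [
    {"Descriptor": {"digest": "sha256:11c951599ed1bf649abbc2b23ae2730a4e1ef6ad9537a7f10df39b6546bf8429",
                    "platform": {"architecture": "amd64", "os": "linux"}}, "OCIManifest": {"layers": []}},
    {"Descriptor": {"digest": "sha256:7d1283e2dac151f6231138e83d4cfa61b505149cc9099a948a1342e1812fad6a",
                    "platform": {"architecture": "arm64", "os": "linux"}}, "OCIManifest": {"layers": []}},
    {"Descriptor": {"digest": "sha256:7138f735e5e314a17dc6e0d8425967cf69644bfb67f0f07b84f4cb2c7188f851",
                    "platform": {"architecture": "unknown", "os": "unknown"}},
     "OCIManifest": {"layers": [
         {"mediaType": IN_TOTO, "annotations": {"in-toto.io/predicate-type": SPDX_PREDICATE},
          "digest": "sha256:d3b17cd900bbe1adb65a0447225675903464064b00e7ea6a398dc30f3f53f18c"},
         {"mediaType": IN_TOTO, "annotations": {"in-toto.io/predicate-type": PROVENANCE_PREDICATE},
          "digest": "sha256:7da6322f2a29fa3e88b23352f2f05a97db2195b29a26714b263d629be921f770"}]}},
]
# Constructed sample statement, trimmed to the fields the checks use.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE,
    "subject": [{"name": "pkg:docker/quay.io/microcks/microcks-postman-runtime@nightly?platform=linux%2Farm64",
                 "digest": {"sha256": "7d1283e2dac151f6231138e83d4cfa61b505149cc9099a948a1342e1812fad6a"}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "packages": [{"name": "@colors/colors", "versionInfo": "1.6.0",
                  "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                                    "referenceLocator": "pkg:npm/%40colors/[email protected]"}]}]},
}


def platform_manifests(index):
    """Map manifest digest -> "os/arch" for real platform images only (skips attestation manifests)."""
    out = {}
    for entry in index:
        desc = entry["Descriptor"]
        plat = desc.get("platform", {})
        if "unknown" in (plat.get("os", "unknown"), plat.get("architecture", "unknown")):
            continue
        out[desc["digest"]] = f"{plat['os']}/{plat['architecture']}"
    return out


def attestation_blobs(index, predicate_type):
    """Digests of in-toto layers whose predicate-type annotation matches, across all manifests."""
    return [layer["digest"]
            for entry in index
            for layer in entry.get("OCIManifest", {}).get("layers", [])
            if layer.get("mediaType") == IN_TOTO
            and layer.get("annotations", {}).get("in-toto.io/predicate-type") == predicate_type]


def check_sbom_binding(statement, index):
    """Return (ok, detail). ok only when the SPDX statement has one subject, that subject's
    digest is a platform manifest in `index`, and the platform in the subject name agrees."""
    if not str(statement.get("_type", "")).startswith("https://in-toto.io/Statement/"):
        return False, "not an in-toto statement"
    if statement.get("predicateType") != SPDX_PREDICATE:
        return False, f"unexpected predicateType {statement.get('predicateType')!r}"
    subjects = statement.get("subject") or []
    if len(subjects) != 1:
        return False, f"expected one subject, got {len(subjects)}"
    digest = "sha256:" + str(subjects[0].get("digest", {}).get("sha256", ""))
    platforms = platform_manifests(index)
    if digest not in platforms:
        return False, f"subject {digest} is not a platform manifest in this index"
    declared = parse_qs(subjects[0].get("name", "").partition("?")[2]).get("platform", [None])[0]
    if declared != platforms[digest]:
        return False, f"subject says {declared!r} but index says {platforms[digest]!r}"
    return True, f"SBOM bound to {digest} ({declared})"


def package_purls(statement):
    """Package URLs from the SPDX predicate, ready to hand to a vulnerability scanner."""
    return [ref["referenceLocator"]
            for pkg in statement.get("predicate", {}).get("packages", [])
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "purl"]


if __name__ == "__main__":
    # Live mode: needs docker and oras on PATH plus network access to the registry.
    ref = sys.argv[1] if len(sys.argv) > 1 else "quay.io/microcks/microcks-postman-runtime:nightly"
    raw = subprocess.run(["docker", "manifest", "inspect", "--verbose", ref],
                         check=True, capture_output=True, text=True).stdout
    index = json.loads(raw)
    index = [index] if isinstance(index, dict) else index  # a bare manifest prints one object, not a list
    for blob in attestation_blobs(index, SPDX_PREDICATE):
        fetched = subprocess.run(["oras", "blob", "fetch", "--output", "-", f"{ref}@{blob}"],
                                 check=True, capture_output=True, text=True).stdout
        ok, detail = check_sbom_binding(json.loads(fetched), index)
        print(f"{blob[:19]}: {'OK' if ok else 'FAIL'} {detail}; {len(package_purls(json.loads(fetched)))} packages")
```

Run it as `python3 sbom_check.py quay.io/microcks/microcks-postman-runtime:nightly` to print one line per SBOM attestation in the index. A `FAIL` with "is not a platform manifest in this index" is what you would see if an SBOM blob had been copied over from a different build; a platform mismatch catches an SBOM attached to the wrong architecture's manifest. The provenance layer can be pulled the same way by passing `PROVENANCE_PREDICATE` to `attestation_blobs`.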
