[W.I.P] Proposal: Pluggable SBOM Generation #197
Signed-off-by: Furkan <furkan.turkal@trendyol.com> Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
Thanks for the feedback, @itaysk! We updated the proposal to make a more generic SBOM generation plugin system. Eventually, other friends can easily implement their own SBOM generation methods.
I support having an SBOM. What about displaying the SBOM content in Harbor? Would that not also make sense?
We definitely should! Currently this proposal lacks some details and it's not as deeply technical as the Pluggable Image Vulnerability Scanning proposal. So let me mark this as W.I.P. Since we don't know much about Harbor's overall domain and internals, we're looking forward to any contribution from the community!
## Proposal
Create a generic SBOM generation plugin system in Harbor that produces a Software Bill of Materials (SBOM) from container images and filesystems. Since Cosign is already supported by Harbor, we can store signatures in the OCI registry next to the container image, where they can be located via a simple name scheme. The Cosign spec allows SBOM information to be embedded into the cosign artifact. [^2]
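Review bot: the storage story in this paragraph covers signatures but not the SBOM itself. It says signatures sit next to the image under a name scheme and that SBOM data can be embedded in the cosign artifact, but it never states which of those the plugin writes, which SBOM formats and media types are accepted, or what triggers generation (on push, on demand, or on a schedule). Suggest adding a short "Storage and format" subsection answering those three questions, since the rest of the design (locating the SBOM via the tag scheme, showing it in the UI) depends on them.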
Not sure what "generic plugin system" means, but have you considered defining a MimeType and report format and reusing the Pluggable Scanners API? We've been discussing SBOM and licence scanners in the context of pluggable scanners from the get-go and it should be easy to leverage it. See also the existing issue that was created in the past to do exactly what you requested: goharbor/pluggable-scanner-spec#10 /cc @steven-zou
For security scanning, we should follow the Pluggable Scanners API.
As Harbor has introduced accessories for OCI artifacts, an improvement I can see now is to enhance Harbor to support storing any scanning results as an accessory of OCI artifacts. cc @wy65701436
@Dentrax @danielpacak do we have anything new on this one?
Sorry for the long delay; we dropped the ball here. I couldn't find much free time to get into it, but we should do some fixes/changes according to the reviews. Feel free to commit to this branch! /cc @developer-guy
Would love to see an SBOM list in Harbor. @Dentrax, can you address the questions from the community?
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Hey! Thanks for the reminder, I almost forgot this one! I just addressed the reviews. Since I'm not so familiar with Harbor internals, I'm not so sure what I can include in this doc additionally. Feel free to take over/carry/contribute this one if you want to include some low-level system/arch designs, way of impl, or the spec. Currently, it's a very high-level "why we should add SBOM support in Harbor" rather than "how" - that's the best thing I can do as an end-user for now, unfortunately. @hectorj2f Thanks for the reviews!
@Vad1mo Cool idea! I added this idea to the doc, but couldn't go into much detail. It'd be nice to show vulnerability detail on the UI about each dep, if possible.
Fixes goharbor/harbor#16397
Signed-off-by: Furkan furkan.turkal@trendyol.com
Co-authored-by: Batuhan batuhan.apaydin@trendyol.com
cc @hectorj2f @luhring @wagoodman @developer-guy
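The proposal above relies on cosign's "simple name scheme" to find the signature and SBOM that sit next to an image, and the reviewers ask for a defined media type for the SBOM report. The Go program below is an added illustration of both points; it is not Harbor's or cosign's code. It assumes cosign's convention of tagging companion artifacts as `sha256-<hex>.sig` / `.sbom` / `.att`, and the layer media types `text/spdx+json` and `application/vnd.cyclonedx+json` for attached SBOMs; the config blob in the manifest is a placeholder, not the exact bytes cosign writes. The image digest, SBOM document and tag list are constructed samples.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Accepted digest form: "sha256:" plus 64 lowercase hex characters (the OCI digest grammar for sha256).
var sha256Digest = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// cosignTag turns an image digest into the tag cosign uses for a companion artifact:
// "sha256:abcd..." -> "sha256-abcd....<suffix>", where suffix is "sig", "sbom" or "att".
// A malformed digest is rejected rather than turned into a tag that would never match anything.
func cosignTag(digest, suffix string) (string, error) {
	if !sha256Digest.MatchString(digest) {
		return "", fmt.Errorf("unsupported or malformed digest %q", digest)
	}
	switch suffix {
	case "sig", "sbom", "att":
	default:
		return "", fmt.Errorf("unknown cosign suffix %q", suffix)
	}
	return strings.Replace(digest, ":", "-", 1) + "." + suffix, nil
}

// sbomMediaType maps an SBOM format name to the layer media type used when attaching it (assumed from cosign).
func sbomMediaType(format string) (string, error) {
	switch strings.ToLower(format) {
	case "spdx":
		return "text/spdx+json", nil
	case "cyclonedx":
		return "application/vnd.cyclonedx+json", nil
	}
	return "", fmt.Errorf("unsupported SBOM format %q", format)
}

type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int    `json:"size"`
}

type manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}

func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// sbomManifest builds the OCI image manifest that would be pushed under the ".sbom" tag:
// a single layer carrying the SBOM bytes under the format's media type.
// The "{}" config is a placeholder assumption, not cosign's exact config blob.
func sbomManifest(format string, sbom []byte) (manifest, error) {
	mt, err := sbomMediaType(format)
	if err != nil {
		return manifest{}, err
	}
	cfg := []byte("{}")
	return manifest{
		SchemaVersion: 2,
		MediaType:     "application/vnd.oci.image.manifest.v1+json",
		Config:        descriptor{MediaType: "application/vnd.oci.image.config.v1+json", Digest: digestOf(cfg), Size: len(cfg)},
		Layers:        []descriptor{{MediaType: mt, Digest: digestOf(sbom), Size: len(sbom)}},
	}, nil
}

// findSBOMTag locates the SBOM for an image among a repository's tags, the lookup a registry UI
// would do before rendering SBOM content next to the artifact. Errors when nothing was attached.
func findSBOMTag(imageDigest string, repoTags []string) (string, error) {
	want, err := cosignTag(imageDigest, "sbom")
	if err != nil {
		return "", err
	}
	for _, t := range repoTags {
		if t == want {
			return t, nil
		}
	}
	return "", errors.New("no SBOM attached for " + imageDigest)
}

func main() {
	// Constructed sample: an image digest, an SPDX document stub and a repository tag listing.
	img := "sha256:" + strings.Repeat("ab", 32)
	sbom := []byte(`{"spdxVersion":"SPDX-2.3","name":"example"}`)
	sbomTag, _ := cosignTag(img, "sbom")
	sigTag, _ := cosignTag(img, "sig")
	tags := []string{"v1.2.3", sigTag, sbomTag}

	found, err := findSBOMTag(img, tags)
	fmt.Println("sbom tag:", found, "err:", err)
	m, _ := sbomManifest("spdx", sbom)
	out, _ := json.MarshalIndent(m, "", "  ")
	fmt.Println(string(out))
}
```

The lookup is deliberately digest-based: a tag such as `v1.2.3` can be moved, but `sha256-<hex>.sbom` is derived from the image's content digest, so the SBOM a UI displays is bound to the exact manifest that was scanned.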