feat(SBOM): implement new storage model#93
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
| func (s *OCIStore) remoteOptions(ctx context.Context) []remote.Option { | ||
| return []remote.Option{ | ||
| remote.WithContext(ctx), | ||
| remote.WithAuthFromKeychain(authn.DefaultKeychain), |
Let's use Container Registry auth from werf.
delivery-kit/pkg/docker_registry/api.go
Line 647 in 5a362fc
| "bytes" | ||
| "context" | ||
| "fmt" | ||
| "io" |
| return Attach(ctx, s.repo, parentDigest, artifactDesc, artifactType, s.imageName) | ||
| } | ||
|
|
||
| func (s *OCIStore) GetAttached(ctx context.Context, parentDigest, artifactType string) (v1.Descriptor, bool, error) { |
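Review bot: The signature of GetAttached does not say what the bool result means or what happens when more than one referrer on parentDigest carries the same artifactType; since the lookup is keyed only by (parentDigest, artifactType), a second SBOM pushed for the same image by a later build, or by anyone with push rights to the repo, would match as well and callers cannot tell which descriptor they got. I would put the rule on the function: `// GetAttached returns the descriptor of the artifactType artifact attached to parentDigest; the bool is false when nothing is attached. If several referrers match, the <newest|first> one is returned.`, and if the implementation does not already pick deterministically, make it pick (or return an error on ambiguity), since a consumer that verifies the wrong SBOM is worse than one that finds none. The body of GetAttached runs past the end of this hunk, so I cannot see how the choice is made today.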
Let's document: two equal image digests -> one (same) SBOM
|
|
||
| if err = step.containerBackend.Tag(ctx, sbomImgId, sbomImageName, container_backend.TagOpts{}); err != nil { | ||
| return fmt.Errorf("unable to tag sbom image: %w", err) | ||
| digestHex := strings.TrimPrefix(parentDigest, "sha256:") |
Let's use a more robust approach (the hash algorithm could change in the future) or a library for digest parsing.
For example: https://pkg.go.dev/github.com/opencontainers/go-digest#Digest.Encoded
| }); err != nil { | ||
| return nil, fmt.Errorf("unable to pull image SBOM: %w", err) | ||
| store := step.artifactStore | ||
| if store == nil { |
Why do we create store here? I think we have to require store here and we should return the error if store is nil.
I mean, there is no need for lazy store initialization.
| func RemoteOptions(ctx context.Context) []remote.Option { | ||
| return []remote.Option{ | ||
| remote.WithContext(ctx), | ||
| remote.WithAuthFromKeychain(authn.DefaultKeychain), |
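Review bot: `RemoteOptions` duplicates the exact option list that `OCIStore.remoteOptions` builds in the earlier hunk (`remote.WithContext(ctx)` plus `remote.WithAuthFromKeychain(authn.DefaultKeychain)`), so whatever auth or transport change lands in one copy will silently not apply to the other, and the two code paths will authenticate differently. I would keep one exported helper and have the method delegate to it: `func (s *OCIStore) remoteOptions(ctx context.Context) []remote.Option { return RemoteOptions(ctx) }`. The closing lines of the function are outside this hunk.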
The same question here about using credentials.
|
|
||
| // WrapInInTotoStatement wraps the predicate into an in-toto v1 statement. | ||
| func WrapInInTotoStatement(predicate []byte, predicateType, repo, digestHex string) ([]byte, error) { | ||
| stmt := inTotoStatement{ |
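Review bot: `WrapInInTotoStatement` accepts the predicate as raw bytes, and if it is embedded into the statement as `json.RawMessage` (the struct is not visible here) a non-JSON or truncated predicate is spliced in verbatim, so the error surfaces late in `json.Marshal` or, worse, as an unverifiable statement at the consumer. A cheap guard at the top, `if !json.Valid(predicate) { return nil, fmt.Errorf("predicate is not valid JSON") }`, keeps the failure local. The doc comment should also state what the statement's subject is built from, i.e. that `repo` becomes the subject name and `digestHex` is expected to be the bare hex encoding (no algorithm prefix), since a caller passing a full `sha256:` digest would produce a subject that never matches the image. The function body continues past this hunk.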
Could we use specific Go pkg https://github.com/in-toto/in-toto-golang ?
| "fmt" | ||
| ) | ||
|
|
||
| type dsseEnvelope struct { |
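Review bot: `dsseEnvelope` carries no doc comment saying which DSSE rules it follows, and the spec has two points a hand-rolled envelope easily gets wrong: `payload` is the base64 of the statement, and each signature covers PAE(payloadType, payload), not the raw or base64 payload, so cosign and in-toto verifiers reject signatures made any other way. I would state that on the type: `// dsseEnvelope is a DSSE envelope (https://github.com/secure-systems-lab/dsse): payload holds the base64-encoded in-toto statement and every signature is over PAE(payloadType, payload), never the bare payload.` The struct fields and the signing code are outside this hunk, so I cannot confirm whether PAE is already applied.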
Could we use specific lib for dsse ? For example https://pkg.go.dev/github.com/secure-systems-lab/go-securesystemslib/dsse#Envelope
| func BaseImageName(repo, tag string) string { | ||
| return ImageName(fmt.Sprintf("%s:%s", repo, tag)) | ||
| func PushSBOM(ctx context.Context, bomJSON []byte, repo, parentDigest, imageName, checksum string) error { | ||
| digestHex := strings.TrimPrefix(parentDigest, "sha256:") |
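Review bot: Neither exported function in this hunk has a doc comment, and `PushSBOM` takes two parameters that overlap in meaning, `parentDigest` and `checksum`, so from the signature a caller cannot tell what `checksum` is computed over (the BOM bytes, the image?) or who is trusted to compute it. I would document both: `// PushSBOM pushes bomJSON as an SBOM artifact for the image parentDigest in repo; checksum is the <what it hashes, who computes it>.` and `// BaseImageName returns the "repo:tag" reference string for repo and tag.` `BaseImageName` also formats `repo:tag` unconditionally, so an empty tag yields the invalid reference `repo:`; either guard it or note that callers must pass a non-empty tag. Both function bodies extend beyond the hunk.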
The same question with parsing digests
|
|
||
| parentTag := strings.TrimSuffix(tag, sbomImage.TagSuffix) | ||
| if _, exists := tagSet[parentTag]; exists { | ||
| parentDigest := strings.Replace(tag, artifact.FallbackTagPrefix, "sha256:", 1) |
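Review bot: Both string operations here are unconditional: `strings.TrimSuffix` returns `tag` unchanged when it does not end in `sbomImage.TagSuffix`, so if `tag` is itself drawn from `tagSet` a plain image tag trivially passes the `exists` check and is treated as an SBOM tag; and `strings.Replace(tag, artifact.FallbackTagPrefix, "sha256:", 1)` rewrites the first occurrence anywhere in the string, not only a leading one. I would make both positional and explicit: `parentTag, ok := strings.CutSuffix(tag, sbomImage.TagSuffix)` followed by `if !ok { continue }` (Go 1.20+; otherwise check `strings.HasSuffix` first), and `hex, ok := strings.CutPrefix(tag, artifact.FallbackTagPrefix)` with `parentDigest := "sha256:" + hex` only when `ok`. The loop this sits in starts and ends outside the hunk, so where `tag` comes from is my inference.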
The same question with parsing digests
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>