Automate SBOM generation for container images

[jayavenkatesh19]

Towards https://github.com/rapidsai/build-infra/issues/280

Adds SBOM to base and notebook images

• Add a new stage in each Dockerfile called syft-base with the Syft binary installed on a minimal alpine 3.20 image.
• The main docker build is done using a stage called base-build and notebooks-build to differentiate it from the final image.
• Another stage is added called base-sbom/ notebooks-sbom where the built stage is mounted to a specified location on the syft-base stage
• A syft-scan is done on the mounted location, and an SBOM is generated.
• The generated SBOM is then copied to the final stage, with image name and tags kept unchanged to ensure no changes to how these images are built and published.

[jameslamb]

Thanks for getting this started! Doing it in a multi-stage build is a really cool idea, nice way to make it work with the third-party actions we use to build and publish images (no need to manually invoke docker build ourselves).

I see it's been a few weeks since the last activity here... do you need help with anything? Or is this effort just paused right now?

[jayavenkatesh19]

Hey @jameslamb!

This effort has been on pause as I was focusing on creating the notebook for my talk for PyData Boston. I also have PRs open on ci-imgs and devcontainers up for a while. It'd be great if you could glance over them and leave your review for these!

I've also looked at the SBOMs generated and there's a lot of fields pertaining to individual files in the Docker images. I am not sure if we need to include every file in the image or if a list of libraries included with the image would do. The current syft scan command does a scope of all the layers in the image and includes any artifact found in the image. However, any configurational changes would be trivial to add (would just involve updating some flags in the syft scan command)

[jameslamb]

Ok thanks for the update, sorry for the very long delayed response!

Doing this in a multi-stage docker build is a nice approach, I support it.

I am not sure if we need to include every file in the image or if a list of libraries included with the image would do

The more we can include and confidently attribute to a source + a set of licenses, the better. Will just have to see how scanning tools handle the SBOMs we're generating.

[jameslamb]

Left a few suggestions, things I noticed after reviewing similar changes in rapidsai/ci-imgs#309

[jameslamb]

Similar to rapidsai/ci-imgs#309 (comment), I think this should be moved to a mounted-in script so we only have to set the syft configuration in 1 place.

[jameslamb]

Similar to rapidsai/ci-imgs#309 (comment), could you please move the syft version and Alpine tag into versions.yaml?

To be fair, there wasn't a versions.yaml when you started this PR, it was only very recently added: #834