Generate SPDX SBOM at release time (#538)

* Add bom generation script This commit adds a script in scripts/sbom.sh that generates the SBOM for the release adding three kinds of elements to it: 1. The source code with full dependencies 2. The tarball distrubutions written in _dist 3. The container image The SBOM is written into the _dist directory. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]> * Generate SBOM from build workflow This commit modifies the build pipeline to generate an SPDX SBOM describing the release. It uses the new bom-installer action to install the Kubernetes SBOM Tool into the runner and calls the scripts/sbom.sh script which handles the generation. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]> * Modify release pipeline to properly include SBOM Signed-off-by: Josh Dolitsky <[email protected]> Co-authored-by: Josh Dolitsky <[email protected]>
helm · Jan 30, 2022 · 77d6cea · 77d6cea
1 parent 0bb68d9
commit 77d6cea
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 18 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -47,18 +47,6 @@ jobs:
           echo ::set-output name=buildx_args::--platform ${DOCKER_PLATFORMS} \
             --build-arg revision=$(git rev-parse --short HEAD) \
             ${TAGS} .
-      - name: Install sigstore cosign
-        uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
-        with:
-          cosign-release: 'v1.5.0'
-      - name: Release artifacts
-        id: release-artifacts
-        env:
-          AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
-          AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
         with:
@@ -82,14 +70,33 @@ jobs:
       - name: Docker Buildx (push)
         run: |
           docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
-      - name: Sign the published Docker images (via GitHub OIDC token)
+      - name: Docker Check Manifest
+        run: |
+          docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
+      - name: Install Kubernetes SBOM Tool
+        uses: puerco/bom-installer@aa0837e37b6965b5fc50adfad0683ec3c0a2c2c4
+      - name: Install sigstore cosign
+        uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+        with:
+          cosign-release: 'v1.5.0'
+      - name: Release artifacts (includes SBOM and signatures)
+        id: release-artifacts
+        env:
+          AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
+          AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
+          COSIGN_EXPERIMENTAL: "true"
+        run: |
+          VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
+      - name: Sign the published images (via GitHub OIDC token)
         env:
           COSIGN_EXPERIMENTAL: "true"
         run: |
           cosign sign ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
-      - name: Docker Check Manifest
+      - name: Attach SBOM to published images
+        env:
+          COSIGN_EXPERIMENTAL: "true"
         run: |
-          docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
+          cosign attach sbom --sbom _dist/chartmuseum-${{ steps.prepare.outputs.version }}.spdx ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
       - name: Clear
         if: always()
         run: |

diff --git a/Makefile b/Makefile
@@ -174,14 +174,18 @@ fetch-dist:
 #   shasum -a 256 -c chartmuseum-v0.13.1-darwin-amd64.tar.gz.sha256sum
 .PHONY: checksum
 checksum:
-	for f in $$(ls _dist/*.{gz,zip} 2>/dev/null) ; do \
+	for f in $$(ls _dist/*.{gz,spdx,zip} 2>/dev/null) ; do \
 		echo "Creating $${f}.sha256sum" ; \
 		shasum -a 256 "$${f}" | sed 's/_dist\///' > "$${f}.sha256sum" ; \
 	done
 
+.PHONY: sbom
+sbom:
+	@./scripts/sbom.sh
+
 .PHONY: cosign
 cosign:
-	for f in $$(ls _dist/*.{gz,zip,sha256sum} 2>/dev/null) ; do \
+	for f in $$(ls _dist/*.{gz,zip,sha256sum,spdx} 2>/dev/null) ; do \
 		echo "Creating $${f}.sig" ; \
 		cosign sign-blob --output-file "$${f}.sig" "$${f}"; \
 	done

diff --git a/scripts/release-artifacts.sh b/scripts/release-artifacts.sh
@@ -28,7 +28,7 @@ sudo apt install azure-cli
 
 echo "Building chartmuseum binaries"
 make build-cross
-make dist checksum cosign VERSION="${VERSION}"
+make dist sbom checksum cosign VERSION="${VERSION}"
 
 echo "Pushing binaries to Azure"
 az storage blob upload-batch -s _dist/ -d "$AZURE_STORAGE_CONTAINER_NAME" --pattern 'chartmuseum-*' --connection-string "$AZURE_STORAGE_CONNECTION_STRING"
diff --git a/scripts/release-notes.sh b/scripts/release-notes.sh
@@ -89,6 +89,8 @@ Download ChartMuseum ${RELEASE}. The common platform binaries are here:
 - [Linux s390x](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum | awk '{print $1}'))
 - [Windows amd64](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum | awk '{print $1}'))
 
+You can download the SBOM for this release in SPDX format [here](https://get.helm.sh/chartmuseum-${RELEASE}.spdx).
+
 You can use a [script to install](https://raw.githubusercontent.com/helm/chartmuseum/main/scripts/get-chartmuseum) on any system with \`bash\`.
 
 ## What's Next

diff --git a/scripts/sbom.sh b/scripts/sbom.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+: ${VERSION:?"VERSION environment variable is not set"}
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd $DIR/../
+mkdir -p ./_dist/
+pushd ./_dist/
+
+# Initialize the configuration file
+cat << EOF > .sbom.yaml
+---
+namespace: https://get.helm.sh/chartmuseum-${RELEASE}.spdx
+license: Apache-2.0
+name: ChartMuseum
+artifacts:
+  - type: directory
+    source: ..
+EOF
+
+for file in $(ls *.{gz,zip}); 
+    do echo "Adding ${file} to SBOM"
+    echo "  - type: file"  >> .sbom.yaml
+    echo "    source: ${file}" >> .sbom.yaml
+done
+
+echo "Adding image ghcr.io/helm/chartmuseum:${VERSION}"
+echo "  - type: image" >> .sbom.yaml
+echo "    source: ghcr.io/helm/chartmuseum:${VERSION}" >> .sbom.yaml
+
+echo "Wrote configuration file:"
+cat .sbom.yaml
+
+bom generate -c .sbom.yaml -o chartmuseum-${VERSION}.spdx
+
+rm .sbom.yaml
+popd
+echo "SBOM written to _dist/chartmuseum-${VERSION}.spdx"