[P1BIGROCKS-2786] Release SBOMs for BigBang Charts
| Team Lead | Members |
| --- | --- |
| Joe Foster | |
[P1BIGROCKS-2786](https://jira.il2.dso.mil/browse/P1BIGROCKS-2786)
Per [this Executive Order](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/), software should publish a Software Bill of Materials (SBOM) as part of its release process. This epic is part of an increase in, and standardization of, the OCI artifacts (&121) that should be provided as part of BigBang.
## Acceptance Criteria
The acceptance criterion for this epic is a CLI tool capable of producing a *full* SBOM for a Helm chart in CycloneDX format (based on BBTOC desires).
## The Bill of Materials
The Bill of Materials for BigBang should consist of the union of:
* The Helm Charts needed for BigBang
* The Images needed for BigBang
* The SBOMs for each image
## Helm Chart Discovery
Given how Big Bang is designed, there are two ways a chart can be referenced so that it is included in the SBOM of a parent chart:
1) An explicit chart Dependency (e.g. the gluon chart)
2) Deployed via HelmRelease (e.g. from Umbrella)
When a chart is a dependency, the CycloneDX SBOM should express the hierarchy via the CycloneDX Dependency Graph feature (https://cyclonedx.org/use-cases/#dependency-graph).
For example, in BigBang a small piece of the dependency graph would look like this:
```
├── istio-controlplane <--- Helm Chart
│   ├── bigbang/gluon <--- Helm Chart
│   │   └── registry1.dso.mil/ironbank/cypress:6.0 <--- image used in Gluon chart
│   └── registry1.dso.mil/ironbank/opensource/istio/proxyv2:1.13.2 <--- IronBank image used in istio-controlplane Helm Chart
│       ├── some-istio-package.dep <--- package in proxyv2 IronBank image
│       └── some-other-package-from-base-image
...
```
## Images needed for BigBang
Based on https://github.com/helm/community/blob/main/hips/hip-0015.md#specification we can include the finite list of images a chart needs in the `annotations` field of the Helm chart. The tool should discover the images a chart needs from this list.
When a chart has a dependency, the top-level `Chart.yaml` should include the full list for the chart and its dependencies, not just the images needed by the parent chart.
## SBOMs for each image
To create the SBOM for each image in the chart, the tool should first try to pull those SBOMs from IronBank (or from the appropriate registry) using the cosign SBOM spec: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md
Recent improvements to IronBank provide SBOMs (and signatures) compliant with that spec for each IronBank image, as shown here:
```bash
$ crane ls registry1.dso.mil/ironbank/redhat/ubi/ubi8
8.2
8.3
8.4
8.4-fips
8.5
8.5-fips
latest
latest-fips
sha256-0307b0e37c00336cd69e6c2335da702cebbe738dce636ebb2f2c95dbee221e95.sig
sha256-07c6b825270b766afa66e18eb21918af8482bac28ca3c7d77770d132a0a1d21c.sbom
sha256-07c6b825270b766afa66e18eb21918af8482bac28ca3c7d77770d132a0a1d21c.sig
sha256-0bda00c1bcc4349a563bdfeb9ba50b8adf43f145892b39e01fdbd46dd37c24f1.sbom
sha256-0bda00c1bcc4349a563bdfeb9ba50b8adf43f145892b39e01fdbd46dd37c24f1.sig
sha256-1116d7579d827b495a1aabd4bcc1ee4b63377279ac18202cc225a0f106c92d8d.sbom
sha256-1116d7579d827b495a1aabd4bcc1ee4b63377279ac18202cc225a0f106c92d8d.sig
sha256-12eb54f464741a95480c46aa65a5b38ed9c9146f8a8a9bc976e6ef349b984b35.sbom
sha256-12eb54f464741a95480c46aa65a5b38ed9c9146f8a8a9bc976e6ef349b984b35.sig
sha256-14a456d45839480bcfc2211414d09a0082a5bccc3392df1b7250ab798b73684c.sig
sha256-15524f4e7c46ad3555bc5f3b94a1097f42a488742658bb34bdf7efbcea501a16.sbom
sha256-15524f4e7c46ad3555bc5f3b94a1097f42a488742658bb34bdf7efbcea501a16.sig
sha256-1685c314065424c274438d54e09900c5be5e54d042167d203dfa8dfe5f9fa707.sbom
sha256-1685c314065424c274438d54e09900c5be5e54d042167d203dfa8dfe5f9fa707.sig
sha256-2425ca7022334067c81753ad48152cf62d7fe6ec176eecb28e78d4ea70b9d83c.sbom
sha256-2425ca7022334067c81753ad48152cf62d7fe6ec176eecb28e78d4ea70b9d83c.sig
sha256-26515368b5661c6dad4846e047f9e08deb8a5a1baf9ca82718941754e92d75e2.sbom
sha256-26515368b5661c6dad4846e047f9e08deb8a5a1baf9ca82718941754e92d75e2.sig
sha256-32f4b0d478add23674c5664bd71aed4eb4230e702fb61c540d635f6b6116dc7d.sbom
sha256-32f4b0d478add23674c5664bd71aed4eb4230e702fb61c540d635f6b6116dc7d.sig
sha256-336b7aa079d605cbc7659906c1915a2e7c58843340df8919091f1f359ad9779d.sbom
sha256-336b7aa079d605cbc7659906c1915a2e7c58843340df8919091f1f359ad9779d.sig
sha256-33711f35e96819bc7b4e63d78aaa6665b0ffae774ce040e6a238a2d587354acc.sbom
sha256-33711f35e96819bc7b4e63d78aaa6665b0ffae774ce040e6a238a2d587354acc.sig
sha256-346611b37d6323ce694dc3927b9ae527bccfc876aa8a66ea0faa343ac34db2c0.sbom
sha256-346611b37d6323ce694dc3927b9ae527bccfc876aa8a66ea0faa343ac34db2c0.sig
sha256-37bcbc92e07cd2fe505722e42af21cefe0b45c5ffbc8e294377f94251411d798.sbom
sha256-37bcbc92e07cd2fe505722e42af21cefe0b45c5ffbc8e294377f94251411d798.sig
sha256-39a2448b146405aff6cb70fe80b858f8aaa4047a736078756f683e4bb5e7524a.sbom
sha256-39a2448b146405aff6cb70fe80b858f8aaa4047a736078756f683e4bb5e7524a.sig
sha256-39e6e2f8790f578195bbe03d83b197fac097d91787c46ce2479b6c0dd4f92baf.sig
sha256-3ed778bba93e951fe79367195eda6165f36eaa57fdaaba48b00d205046457e24.sbom
sha256-3ed778bba93e951fe79367195eda6165f36eaa57fdaaba48b00d205046457e24.sig
sha256-4627782964c1a6ae12f85b47e4002d2f7eb43afec7676b7018ec93cfaf62a51b.sbom
sha256-4627782964c1a6ae12f85b47e4002d2f7eb43afec7676b7018ec93cfaf62a51b.sig
sha256-49e9668e723a1c065cab3fbb1cda33b1f928ee3824aa19dde49138d6079289b9.sbom
sha256-49e9668e723a1c065cab3fbb1cda33b1f928ee3824aa19dde49138d6079289b9.sig
sha256-50d04af9877cd2448694a08e7542897e01893658e17dac03c2353ac969cd8dde.sbom
sha256-50d04af9877cd2448694a08e7542897e01893658e17dac03c2353ac969cd8dde.sig
sha256-541ace2346c9c8bd5b02d9c722ba90426787f08d6628713455abac0a15eaee41.sbom
sha256-541ace2346c9c8bd5b02d9c722ba90426787f08d6628713455abac0a15eaee41.sig
sha256-5aa393659c8641b30966e481157d5b4e8197f17de6026efda32c9fd1e219acf3.sbom
sha256-5aa393659c8641b30966e481157d5b4e8197f17de6026efda32c9fd1e219acf3.sig
sha256-61ba6fc2657bd45f0da27bab62816ad669ed5037238c25a66900c470953bd864.sbom
sha256-61ba6fc2657bd45f0da27bab62816ad669ed5037238c25a66900c470953bd864.sig
sha256-6504df5c12385e1f0f192c1979cb885fe62120f2ad97c7f464a15ef1a6070b72.sbom
sha256-6504df5c12385e1f0f192c1979cb885fe62120f2ad97c7f464a15ef1a6070b72.sig
sha256-6a2134e06c34bf8b18589d36c4e853eb90af15d13b561a5f3396326afd55562c.sbom
sha256-6a2134e06c34bf8b18589d36c4e853eb90af15d13b561a5f3396326afd55562c.sig
sha256-7170fde3eedb509a9aa26f8e001a2a78c16dd6ac39b9af0dea017a6694de149c.sbom
sha256-7170fde3eedb509a9aa26f8e001a2a78c16dd6ac39b9af0dea017a6694de149c.sig
sha256-738cac621667e6b21c5250f7cee22a9de881ade32fd770802bfc44e12028d47f.sbom
sha256-738cac621667e6b21c5250f7cee22a9de881ade32fd770802bfc44e12028d47f.sig
sha256-77517c8b90951e1041cc46116e9dcab6d37c5bdb9df31dd62ae770e6e0d595ad.sbom
sha256-77517c8b90951e1041cc46116e9dcab6d37c5bdb9df31dd62ae770e6e0d595ad.sig
sha256-7e3c1abb66c9edc64ffd250655869de18daa7a3214ecf01dae4c82c435469f81.sbom
sha256-7e3c1abb66c9edc64ffd250655869de18daa7a3214ecf01dae4c82c435469f81.sig
sha256-7f52b2c59ff85a99f192b1528d126cb0bfa6790470accd5d098508575838bd91.sig
sha256-817fe76fc76334723900be44212484de02379c4b7869b7627f2faa2e976787eb.sbom
sha256-817fe76fc76334723900be44212484de02379c4b7869b7627f2faa2e976787eb.sig
sha256-82079b12bdcb9ab4fe1071b1feb01796615a2e3a2c11a60873f50d8cf3a07ff6.sbom
sha256-82079b12bdcb9ab4fe1071b1feb01796615a2e3a2c11a60873f50d8cf3a07ff6.sig
sha256-850d1135d26dbedaea4ddc945104cb7a5ef4a09dc42b7f2b1d9731794e75ea87.sbom
sha256-850d1135d26dbedaea4ddc945104cb7a5ef4a09dc42b7f2b1d9731794e75ea87.sig
sha256-86228cc5d0ad286986b1b4aa4752b473839bcd1f69a46fa9eb3305f41fac9a64.sig
sha256-89fadea1a13c21b7a47e7fb75761bc99a5dad77b7d6cd1a758c4d9715542f5ea.sbom
sha256-89fadea1a13c21b7a47e7fb75761bc99a5dad77b7d6cd1a758c4d9715542f5ea.sig
sha256-8a3da88b7f0cbf61e02f1f63f9c2557eec028fc9cfd732aae5e638c38a5823e7.sbom
sha256-8a3da88b7f0cbf61e02f1f63f9c2557eec028fc9cfd732aae5e638c38a5823e7.sig
sha256-8aab033823bc7b4dfb123e69fd991a83d492b4d38ec0aebf62285c5f90691ed7.sbom
sha256-8aab033823bc7b4dfb123e69fd991a83d492b4d38ec0aebf62285c5f90691ed7.sig
sha256-8fcc2e4fbb4c418284528763e5187824ae23e4a43f94a7a1aceef9fd4369cf99.sbom
sha256-8fcc2e4fbb4c418284528763e5187824ae23e4a43f94a7a1aceef9fd4369cf99.sig
sha256-9b3343478b0842cd871f5b7b75bd8084ee59824b23bb726497f1dc945f516c9c.sig
sha256-9d4151f775f2dcdd04fc444432781fc98f9036b8f70932bbd63277c6146b8c82.sbom
sha256-9d4151f775f2dcdd04fc444432781fc98f9036b8f70932bbd63277c6146b8c82.sig
sha256-a73163c8e0a871cf6d078c81ad90ecf84b55023b71a85386fd7af1d9e0a995a1.sbom
sha256-a73163c8e0a871cf6d078c81ad90ecf84b55023b71a85386fd7af1d9e0a995a1.sig
sha256-abce364b8c56470179605b7e33dcfc778e36529da5fd3bbe37b106d69cc65a6a.sbom
sha256-abce364b8c56470179605b7e33dcfc778e36529da5fd3bbe37b106d69cc65a6a.sig
sha256-ad17630297a0ce797b50c7853fb09756d8c9ed6ecfff90a5d548a39a56e168e5.sbom
sha256-ad17630297a0ce797b50c7853fb09756d8c9ed6ecfff90a5d548a39a56e168e5.sig
sha256-b1245e8c999a312dbf5ff3dd26049cf622110bc07cbf9087d7ce12218ed031bc.sbom
sha256-b1245e8c999a312dbf5ff3dd26049cf622110bc07cbf9087d7ce12218ed031bc.sig
sha256-b57194638fa41a8b22120f950d69306f6312b23bc0022534999b7d8d2406746f.sbom
sha256-b57194638fa41a8b22120f950d69306f6312b23bc0022534999b7d8d2406746f.sig
sha256-bd9a2cf906fe6635e0dd6887869c67d23df401ba074080920b1d2d9523a8549b.sbom
sha256-bd9a2cf906fe6635e0dd6887869c67d23df401ba074080920b1d2d9523a8549b.sig
sha256-c2a9a932e5ec70d2dd00ef4fc50d59fa973e6ff92326d04bff170002c071dd32.sig
sha256-cc7668abea6c98e5ec7f5c40cfbf7e16a1d7f4c23d844209cf014e2c5f197cbf.sbom
sha256-cc7668abea6c98e5ec7f5c40cfbf7e16a1d7f4c23d844209cf014e2c5f197cbf.sig
sha256-d3ec6a9ebc8522eb4a69b3e374f56c7a9cd95d2c406746144cac3b03e0ea19b7.sbom
sha256-d3ec6a9ebc8522eb4a69b3e374f56c7a9cd95d2c406746144cac3b03e0ea19b7.sig
sha256-d67a50b20efa882e8fbec54ef2003cce642434c854f049cecca81ec6e31504d8.sbom
sha256-d67a50b20efa882e8fbec54ef2003cce642434c854f049cecca81ec6e31504d8.sig
sha256-d708b4cd22b5561773c673a8a85882680cfd1bf485d996e72e1e0bba4fbaf09c.sig
sha256-e04b8b0b921ad4133fedfa067d76414e9ca590e73bdb871ce69ba9c5f6216a3c.sbom
sha256-e04b8b0b921ad4133fedfa067d76414e9ca590e73bdb871ce69ba9c5f6216a3c.sig
sha256-e46343cf5205740eb5c158edd0f6de8e7c3a493097925cf4a2bb53dfb917e5da.sbom
sha256-e46343cf5205740eb5c158edd0f6de8e7c3a493097925cf4a2bb53dfb917e5da.sig
sha256-e46586f3733df2586b9f5483dca4381416df2c063de60b73ead7345f5df2a3d9.sbom
sha256-e46586f3733df2586b9f5483dca4381416df2c063de60b73ead7345f5df2a3d9.sig
sha256-ebd927253ae7c4334b057bfe13d379341322149514a74718597da4ef31c4904a.sbom
sha256-ebd927253ae7c4334b057bfe13d379341322149514a74718597da4ef31c4904a.sig
sha256-ef4b5a9a88010227436bde592dff5248dc6c82680187f76831edee81d1dc7d76.sbom
sha256-ef4b5a9a88010227436bde592dff5248dc6c82680187f76831edee81d1dc7d76.sig
sha256-f32a6a2b18b3ae639abc3d1967b52b8bf3551bfc35b7e34c37e1912908d181ae.sbom
sha256-f32a6a2b18b3ae639abc3d1967b52b8bf3551bfc35b7e34c37e1912908d181ae.sig
sha256-fe44ff9ea41e3f1f9c029ee43e29e594396f75f636b6787f94e290e21530f3cb.sbom
sha256-fe44ff9ea41e3f1f9c029ee43e29e594396f75f636b6787f94e290e21530f3cb.sig
```
Currently only images with passing `master` branches produce an SBOM.
Since not all images in a chart will come from IronBank (this will be a generic tool), and not all IronBank images will have an SBOM (while their `master` branch builds fail to pass), we should use https://github.com/anchore/syft to generate an SBOM from the image when one is not available.
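As an added illustration (not code from this epic or from Big Bang), a Python sketch of the three pieces the tool has to join: a chart tree flattened into CycloneDX components with a dependency graph, the complete image list a top-level chart should carry for itself and its subcharts, and the tag name under which the cosign SBOM spec publishes an image's SBOM (the `sha256-<digest>.sbom` entries in the crane listing above). The chart tree, versions and the `helm:name@version` bom-ref scheme are constructed sample data, not real Big Bang values.

```python
import re

# Constructed sample (not real Big Bang data): parent chart -> subchart -> images.
CHART_TREE = {
    "name": "istio-controlplane", "version": "1.13.2-bb.0",
    "images": ["registry1.dso.mil/ironbank/opensource/istio/proxyv2:1.13.2"],
    "dependencies": [{
        "name": "gluon", "version": "0.2.8",
        "images": ["registry1.dso.mil/ironbank/cypress:6.0"],
        "dependencies": [],
    }],
}

def cosign_sbom_tag(digest):
    """Tag the cosign SBOM spec uses for an image's SBOM: sha256-<hex>.sbom."""
    m = re.fullmatch(r"sha256:([0-9a-f]{64})", digest)
    if not m:
        raise ValueError(f"expected a sha256 digest, got {digest!r}")
    return f"sha256-{m.group(1)}.sbom"

def chart_bom(tree):
    """Flatten a chart tree into a CycloneDX BOM with a dependency graph.
    The helm:name@version bom-ref scheme is an assumption; refs only need to be unique."""
    components, dependencies = [], []
    def walk(node):
        ref = f"helm:{node['name']}@{node['version']}"
        if node is not tree:  # the root chart goes in metadata.component instead
            components.append({"type": "application", "bom-ref": ref,
                               "name": node["name"], "version": node["version"]})
        depends_on = []
        for image in node["images"]:
            components.append({"type": "container", "bom-ref": image, "name": image})
            depends_on.append(image)
        for child in node["dependencies"]:
            depends_on.append(walk(child))
        dependencies.append({"ref": ref, "dependsOn": depends_on})
        return ref
    root = walk(tree)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": {"type": "application", "bom-ref": root,
                                       "name": tree["name"], "version": tree["version"]}},
            "components": components, "dependencies": dependencies}

def all_images(bom):
    """Every image the chart and its subcharts need (what the top-level annotation should list)."""
    return sorted(c["bom-ref"] for c in bom["components"] if c["type"] == "container")
```

Each `container` component's SBOM would then be fetched from `<repo>:<cosign_sbom_tag(digest)>` and, if that tag is absent, generated with syft and attached in its place.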