Pipeline improvements to support Stargate
We need to make some adjustments to our artifacts so that they can be better consumed by our customers. These changes include the following updates to the tarball that can be downloaded from the Iron Bank:

- Adding the justification column to the CSVs - #189 (closed). Before deprecating the XLSX file, the justifier must operate on CSVs instead of XLSX files.
- Create a new detached signature of the entire tarball. This file will be uploaded to S3 beside the tarball.
- Add a sha256 docker reference (e.g. `registry1.dso.mil/ironbank/redhat/ubi/ubi8@sha256:a5e5632ee49c9b9a7ff9be8ae4b0cd1ed0f2e568826e99eea67cf198e5e7eff8`) to an `image` field in the `documentation.json` file.
- The root directory of the tarball is `reports`. Consider something like `ubi8-8.3-reports`. This is not high priority.
- #152 (closed) Produce documentation for this BOE - Keep the XLSX file and any deprecated files as-is for now, because they may currently be in use and downstream customers may depend on them. Users that don't want xlsx files may delete them themselves for now.
Proposed BOE/schema/api example
- Adding new files to the archive is NOT considered a breaking change. Removing files IS a breaking change.
- Deprecated files in the archive may be removed in the future.
- Adding columns to CSV files is NOT considered a breaking change. Removing columns from CSV files IS a breaking change.
- Adding new fields to `documentation.json` is NOT considered a breaking change.
- The root directory of the archive, `reports`, may be renamed in the future. All files in the archive will still be in one root directory.
- The contents of the `anchore`, `openscap` and `twistlock` directories are the output of the respective tools. The filenames inside these directories are reasonably stable, but the contents of these files are unspecified and are included as-is from the tools.
- The files `oscap.csv`, `oval.csv` and the `openscap/` directory are omitted if scanning is not performed with OpenSCAP. Scratch and other non-UBI images are not scanned with OpenSCAP.
Cryptographic signature/chain of trust/validation
- `ubi8-8.3-reports-signature.sig` → Signature of report tarball
- `ubi8-8.3-reports-signature.tar.gz` - Scan results and justifications
  - `documentation.json`
    `"image": "registry1.dso.mil/ironbank/redhat/ubi/ubi8@sha256:a5e5632ee49c9b9a7ff9be8ae4b0cd1ed0f2e568826e99eea67cf198e5e7eff8"`
    - Docker manifest's sha256 matches the image digest sha256
    - Multiple layers listed in manifest JSON with sha256 hashes
    - Each docker layer tar matches its sha256 Docker manifest JSON entry
```
ubi8-8.3-reports-signature.sig (outside the archive, detached signature)
    PGP signature of reports archive (maybe an x509 signature if we get an appropriate key to use instead)
ubi8-8.3-reports-signature.tar.gz
reports (name may change in the future)
├── LICENSE
├── README.md
├── anchore
│   ├── anchore-version.txt
│   ├── anchore_api_gates_full.json
│   ├── anchore_gates.json
│   └── anchore_security.json
├── csvs
│   ├── all_scans.xlsx (deprecated)
│   ├── anchore_gates.csv
│   ├── anchore_security.csv
│   ├── oscap.csv
│   ├── oval.csv
│   ├── summary.csv
│   ├── tl.csv
│   └── ubi8:8.3-120979-justifications.xlsx (deprecated)
├── documentation.json
├── manifest.json (deprecated)
├── openscap
│   ├── oscap-version.txt
│   ├── report-cve.html
│   ├── report-cve.xml
│   └── report.html
├── signature.sig (deprecated)
├── twistlock
│   ├── twistlock-version.txt
│   └── twistlock_cve.json
├── ubi8-120979.sig (deprecated)
├── ubi8-120979.tar (deprecated)
└── ubi8-8.3.tar (deprecated)
```
documentation.json

TODO: jsonschema

```json
{
  "image": "registry1.dso.mil/ironbank/redhat/ubi/ubi8@sha256:a5e5632ee49c9b9a7ff9be8ae4b0cd1ed0f2e568826e99eea67cf198e5e7eff8",
  "timestamp": "2021-01-06T18:34:29.097Z",
  "git": {
    "hash": "47d385a451a6711f09a720b74955284188becc9c",
    "branch": "master"
  },
  "tools": {
    "anchore": {
      "version": "2.4.1"
    },
    "twistlock": {
      "version": "2.4.1"
    },
    "openSCAP": {
      "version": "0.1.53"
    }
  }
}
```
anchore_gates.csv header
```
image_id,repo_tag,trigger_id,gate,trigger,check_output,gate_action,policy_id,matched_rule_id,whitelist_id,whitelist_name,inherited,Justification
```

anchore_security.csv header
```
tag,cve,severity,package,package_path,fix,url,inherited,Justification
```

oscap.csv header
```
title,ruleid,result,severity,identifiers,refs,desc,rationale,scanned_date,Justification
```

oval.csv header
```
id,result,cls,ref,title
```

summary.csv header
```
Scan,Automated Findings,Manual Checks,Total
```

tl.csv header
```
id,cvss,desc,link,packageName,packageVersion,severity,status,vecStr,Justification
```
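As an added consumer-side example (not the pipeline's own code): parsing `documentation.json` for the digest-pinned `image` reference, checking a CSV header against the compatibility rules above (extra columns tolerated, missing columns rejected as breaking), and listing findings whose `Justification` column is still empty. The sample inputs are constructed, and the expected-header table only covers `anchore_security.csv`.

```python
import csv
import json
import re

# Expected header from the issue; extra columns are tolerated (non-breaking), a missing column is a breaking change.
EXPECTED_HEADERS = {
    "anchore_security.csv": "tag,cve,severity,package,package_path,fix,url,inherited,Justification".split(","),
}
# A digest-pinned reference: <repository>@sha256:<64 hex chars>; tag-only refs are rejected.
DIGEST_REF = re.compile(r"^(?P<repo>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})$")


def parse_image_ref(ref: str):
    """Split the documentation.json image reference into (repository, digest)."""
    m = DIGEST_REF.match(ref)
    if not m:
        raise ValueError(f"image reference is not pinned by sha256 digest: {ref!r}")
    return m.group("repo"), m.group("digest")


def load_documentation(text: str) -> dict:
    """Parse documentation.json and keep only the fields a consumer keys on."""
    doc = json.loads(text)
    repo, digest = parse_image_ref(doc["image"])
    return {"repo": repo, "digest": digest, "timestamp": doc["timestamp"], "git_hash": doc["git"]["hash"],
            "tools": {name: t["version"] for name, t in doc["tools"].items()}}


def missing_columns(filename: str, header: list) -> list:
    """Expected columns the CSV no longer carries (non-empty means a breaking change)."""
    return [c for c in EXPECTED_HEADERS[filename] if c not in header]


def unjustified_rows(filename: str, csv_text: str) -> list:
    """Rows whose Justification column is empty, i.e. findings still awaiting review."""
    reader = csv.DictReader(csv_text.splitlines())
    missing = missing_columns(filename, reader.fieldnames or [])
    if missing:
        raise ValueError(f"{filename}: breaking change, missing columns {missing}")
    return [row for row in reader if not row["Justification"].strip()]


# Constructed sample input (placeholder CVE ids, not real scan output); digest and git hash are the ones quoted in the issue.
SAMPLE_DOC = json.dumps({
    "image": "registry1.dso.mil/ironbank/redhat/ubi/ubi8@sha256:a5e5632ee49c9b9a7ff9be8ae4b0cd1ed0f2e568826e99eea67cf198e5e7eff8",
    "timestamp": "2021-01-06T18:34:29.097Z",
    "git": {"hash": "47d385a451a6711f09a720b74955284188becc9c", "branch": "master"},
    "tools": {"anchore": {"version": "2.4.1"}, "openSCAP": {"version": "0.1.53"}},
})
SAMPLE_CSV = (
    "tag,cve,severity,package,package_path,fix,url,inherited,Justification,extra_col\n"
    "ubi8:8.3,CVE-0000-0001,High,libexample,/usr/lib/libexample.so,,https://example.invalid/1,False,Not reachable in this image,x\n"
    "ubi8:8.3,CVE-0000-0002,Medium,libother,/usr/lib/libother.so,1.2-3,https://example.invalid/2,False,,y\n"
)
```

`unjustified_rows("anchore_security.csv", SAMPLE_CSV)` returns only the second row, since the extra trailing column is ignored while the empty `Justification` is flagged.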
Edited by James Petersen