Skip to content

Create an SBOM when publishing #3459

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dgannon991 wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Create an SBOM when publishing #3459

dgannon991 wants to merge 6 commits into from

Conversation

@dgannon991
Copy link
Member

@dgannon991 dgannon991 commented Sep 22, 2025

What does this change

Adds a flag onto the publish command which will generate an SBOM for the published image.

What issue does it fix

Closes #2930

Notes for the reviewer

This is currently an extreme draft version to get feedback, none of the following have been done :D

Checklist

  • Did you write tests?
  • Did you write documentation?
  • Did you change porter.yaml or a storage document record? Update the corresponding schema file.
  • If this is your first pull request, please add your name to the bottom of our Contributors list. Thank you for making Porter better! 🙇‍♀️

@dgannon991 dgannon991 marked this pull request as ready for review September 29, 2025 21:00
@dgannon991 dgannon991 requested a review from a team as a code owner September 29, 2025 21:00
@dgannon991 dgannon991 force-pushed the feature/2930/create-sbom branch 2 times, most recently from 5750e41 to 5399add Compare September 29, 2025 21:06
@dgannon991 dgannon991 force-pushed the feature/2930/create-sbom branch 5 times, most recently from c3bfc47 to 05ce0ec Compare October 14, 2025 17:52
@dgannon991 dgannon991 force-pushed the feature/2930/create-sbom branch 3 times, most recently from 8d4e903 to 386b7d1 Compare November 16, 2025 14:03
@kichristensen
Copy link
Contributor

kichristensen commented Nov 17, 2025

@dgannon991 Do you have a sample of how the SBOM file will look?

@dgannon991
Copy link
Member Author

dgannon991 commented Nov 17, 2025

@kichristensen - this is the output for the porter-test bundle:

{
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "localhost:5000/porter-hello",
    "documentNamespace": "https://anchore.com/Porter/image/localhost-5000/porter-hello-c33f9e71-51f5-4afa-bab5-26c751faa5b6",
    "creationInfo": {
        "licenseListVersion": "3.27",
        "creators": [
            "Organization: Anchore, Inc",
            "Tool: Porter-"
        ],
        "created": "2025-10-07T20:43:18Z"
    },
    "packages": [
        {
            "name": "localhost:5000/porter-hello",
            "SPDXID": "SPDXRef-DocumentRoot-Image-localhost-5000-porter-hello",
            "versionInfo": "v0.1.0",
            "supplier": "NOASSERTION",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": false,
            "checksums": [
                {
                    "algorithm": "SHA256",
                    "checksumValue": "ed53c608e21e4d441eb1697a725065446018d90b3b1c6a47873f8ad12a86f671"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION",
            "copyrightText": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:oci/localhost%3A5000%2Fporter-hello@sha256%3Aed53c608e21e4d441eb1697a725065446018d90b3b1c6a47873f8ad12a86f671?arch=&tag=v0.1.0"
                }
            ],
            "primaryPackagePurpose": "CONTAINER"
        }
    ],
    "relationships": [
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relatedSpdxElement": "SPDXRef-DocumentRoot-Image-localhost-5000-porter-hello",
            "relationshipType": "DESCRIBES"
        }
    ]
}

@dgannon991 dgannon991 force-pushed the feature/2930/create-sbom branch 5 times, most recently from 7e5d355 to 4c3de09 Compare November 23, 2025 22:00
@dgannon991 dgannon991 force-pushed the feature/2930/create-sbom branch from 4c3de09 to 846b4d0 Compare November 23, 2025 22:09
@kichristensen
Copy link
Contributor

kichristensen commented Nov 23, 2025

@dgannon991 Does the SBOM also handled other images part of the bundle, in the images section? If not I think it is fine, but we should create a follow up issue for this feature.

kichristensen
kichristensen reviewed Nov 23, 2025
View reviewed changes
Copy link
Contributor

@kichristensen kichristensen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How big an impact does this feature have on the size the porter binary? A lot of new dependencies have been pulled in.

pkg/porter/publish.go
"path/filepath"
"strings"

_ "modernc.org/sqlite" // required for rpmdb and other features
Copy link
Contributor

@kichristensen kichristensen Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be moved into sbom.go instead? The module has an init function which will be triggered on import

pkg/porter/sbom.go
return log.Errorf("failed to create SBOM file %s: %w", sbomPath, err)
}
defer func() {
err = errors.Join(err, f.Close())
Copy link
Contributor

@kichristensen kichristensen Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want this error to be returned from the function? If so have you tested that, I don't think this is the error that will be returned. I'm pretty sure the deferred function is ran after the return value have been created, meaning this isn't the error that will be returned. Not a 100% sure

kichristensen
kichristensen reviewed Nov 23, 2025
View reviewed changes
docs/content/docs/references/cli/publish.md
--preserve-tags Preserve the original tag name on referenced images
-r, --reference string Use a bundle in an OCI registry specified by the given reference.
--registry string Override the registry portion of the bundle reference, e.g. docker.io, myregistry.com/myorg
--sbom-file string Generate a Software Bill of Materials (SBOM) for the bundle at this location.
Copy link
Contributor

@kichristensen kichristensen Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we mention the SBOM file format here?

@kichristensen
Copy link
Contributor

kichristensen commented Nov 23, 2025

We should also add some documentation around this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kichristensen kichristensen kichristensen left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(feat): Generate SBOM for invocation image + bundle

2 participants

@dgannon991 @kichristensen