Way to document the stream or cpe that an image belongs to?

[ralphbean]

I want to be able to inspect an OCI artifact, and then cross-reference it with vulnerability metadata to understand if the artifact has any published statements about its vulnerability or affected-ness.

I think I need two things in order to do this:

1. Some identifier that associates the image with a stream of updates. For other kinds of content, I think this is typically mitre's CPE id.
2. Some identifier that indicates what increment the artifact is in that stream of updates. For this, org.opencontainers.image.version looks like the best bet to me.

Note - I can't just use the registry and repository for the stream identifier.

First, I want to be able to operate on images after they've left their registry or repository of origin, and still successfully cross-reference them with vulnerability statements.

Second, It's possible for a vendor to provide multiple "streams" in the same repository by updating two different floating tags, for example if they have an older version of their software for which they publish updates to a v1 tag and a newer version of their software for which they publish updates to a v2 tag, all in the same repository. v1 may be affected while v2 is not. When inspecting an image, I need to know which stream it belongs to in order to figure out whether published vulnerability metadata claims it is affected or not.

---

• Do you know of any standard or semi-standard ways of declaring the product/stream membership on an individual image (say, with a org.mitre.cpe.id annotation?)
• Is the community around the OCI image-spec interested in exploring the addition of such an annotation to the OCI image-spec (say, with a documented org.opencontainers.image.stream or org.opencontainers.image.cpe annotation?)

[sudo-bmitch]

Most are probably using Purl to identify the image. Trying to identify the content is problematic since one image can contain lots of components. That's better handled by attaching an SBOM as a referrer with various attestation and SBOM tools.

For a CPE annotation, I believe that would be best handled by an annotation defined by that group under a namespace controlled by them. I'm not aware of a standard annotation being used today.

[p-rog]

In my humble opinion the best place to combine image artifacts with product stream (supported version) where that image belongs to is the image SBOM. In the SBOM container image can be identified by thepurl with information about the source repository, and the product stream (version) can be added there and expressed by the cpe id.

The org.opencontainers.image.version is more associated with the image version itself, which can be equal to the image tag. In theory it can represent the product stream, but it sounds like vendor specific implementation. I like the idea of having in the OCI image-spec a dedicated product stream annotation, for example org.opencontainers.image.stream. The org.opencontainers.image.cpe can be misleading because sometimes the single image will be also considered as a product, hence it will contain the CPE id as well. But if it will be well clarified in the specification then could be used as well.