Generate a SBOM for the Enterprise image

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

Author: jviotti

.github/workflows/ci.yml

@@ -31,6 +31,9 @@ jobs:
 
       - run: make docker PRESET=Release ${{ matrix.edition.options }}
 
+      - run: ./enterprise/scripts/sbom.sh one "$GITHUB_SHA"
+        if: matrix.edition.name == 'enterprise'
+
       - name: Sandbox (headless)
         uses: ./.github/actions/sandbox
         with:

.github/workflows/deploy.yml

@@ -167,12 +167,19 @@ jobs:
         with:
           images: ghcr.io/${{ github.repository_owner }}/one-enterprise
 
+      - run: |
+          ./enterprise/scripts/sbom.sh \
+            "ghcr.io/${{ github.repository_owner }}/one-enterprise:${{ steps.meta.outputs.version }}" \
+            "${{ steps.meta.outputs.version }}" \
+            > /tmp/sbom.spdx.json
+
       - run: >
           ./enterprise/scripts/cosign.sh
           "ghcr.io/${{ github.repository_owner }}/one-enterprise"
           "${{ steps.meta.outputs.version }}"
           "https://token.actions.githubusercontent.com"
           "https://github.com/${{ github.repository }}/.github/workflows/deploy.yml@${{ github.ref }}"
+          "/tmp/sbom.spdx.json"
 
   release:
     needs: docker-multi-arch

enterprise/Dockerfile

@@ -100,6 +100,20 @@ RUN ldd /usr/bin/sourcemeta-one-index | grep libcrypto
 RUN grep -q 'fips = fips_sect' /etc/ssl/openssl.cnf
 RUN test -f /usr/lib/*/ossl-modules/fips.so
 
+# Remove packages not needed at runtime to reduce the image attack surface
+RUN apt-get --yes update && apt-get --yes purge --allow-remove-essential \
+  apt adduser bash debconf debian-archive-keyring diffutils \
+  e2fsprogs findutils gpgv grep gzip hostname init-system-helpers \
+  login logsave mount ncurses-base ncurses-bin passwd perl-base \
+  sed sysvinit-utils tzdata util-linux util-linux-extra \
+  && apt-get --yes autoremove --allow-remove-essential \
+  && rm -rf /var/lib/apt/lists/*
+RUN dpkg-query --show --showformat='${Package}\t${Version}\t${Homepage}\n' \
+  > /usr/share/sourcemeta/one/dpkg-packages
+RUN dpkg --purge --force-remove-essential --force-depends \
+  dpkg tar mawk \
+  && rm -rf /var/lib/dpkg
+
 # We expect images that extend this one to use this directory
 ARG SOURCEMETA_ONE_WORKDIR=/source
 ENV SOURCEMETA_ONE_WORKDIR=${SOURCEMETA_ONE_WORKDIR}

enterprise/scripts/cosign.sh

@@ -3,16 +3,17 @@
 set -o errexit
 set -o nounset
 
-if [ "$#" -ne 4 ]
+if [ "$#" -ne 5 ]
 then
-  echo "Usage: $0 <image> <version> <certificate-oidc-issuer> <certificate-identity>" 1>&2
+  echo "Usage: $0 <image> <version> <certificate-oidc-issuer> <certificate-identity> <sbom-file>" 1>&2
   exit 1
 fi
 
 IMAGE="$1"
 VERSION="$2"
 CERTIFICATE_OIDC_ISSUER="$3"
 CERTIFICATE_IDENTITY="$4"
+SBOM_FILE="$5"
 
 echo "Cosign: Extracting manifest digest for ${IMAGE}:${VERSION}" 1>&2
 MANIFEST=$(docker buildx imagetools inspect "${IMAGE}:${VERSION}" \
@@ -28,6 +29,9 @@ echo "Cosign: Manifest digest is ${DIGEST}" 1>&2
 echo "Cosign: Signing ${IMAGE}@${DIGEST}" 1>&2
 cosign sign --yes "${IMAGE}@${DIGEST}"
 
+echo "Cosign: Attaching SBOM attestation to ${IMAGE}@${DIGEST}" 1>&2
+cosign attest --yes --predicate "$SBOM_FILE" --type spdx "${IMAGE}@${DIGEST}"
+
 echo "Cosign: Verifying signature for ${IMAGE}@${DIGEST}" 1>&2
 echo "Cosign: OIDC issuer: ${CERTIFICATE_OIDC_ISSUER}" 1>&2
 echo "Cosign: Certificate identity: ${CERTIFICATE_IDENTITY}" 1>&2
@@ -37,3 +41,11 @@ cosign verify \
   "${IMAGE}@${DIGEST}"
 
 echo "Cosign: Signature verified successfully" 1>&2
+
+echo "Cosign: Verifying SBOM attestation for ${IMAGE}@${DIGEST}" 1>&2
+cosign verify-attestation --type spdx \
+  --certificate-oidc-issuer "$CERTIFICATE_OIDC_ISSUER" \
+  --certificate-identity "$CERTIFICATE_IDENTITY" \
+  "${IMAGE}@${DIGEST}"
+
+echo "Cosign: SBOM attestation verified successfully" 1>&2

enterprise/scripts/sbom.sh

@@ -0,0 +1,180 @@
+#!/bin/sh
+
+# Generates an SPDX 2.3 JSON Software Bill of Materials (SBOM) for the
+# Sourcemeta One Enterprise container image
+
+set -o errexit
+set -o nounset
+
+if [ $# -lt 2 ]; then
+  echo "Usage: $0 <image> <version>" 1>&2
+  exit 1
+fi
+
+IMAGE="$1"
+VERSION="$2"
+ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+
+if ! docker image inspect "$IMAGE" > /dev/null 2>&1; then
+  docker pull "$IMAGE" 1>&2
+fi
+cd "$ROOT" && npm ci --ignore-scripts 1>&2
+
+license_for() {
+  case "$1" in
+    core|blaze|hydra|codegen|jsonbinpack) echo "AGPL-3.0-or-later" ;;
+    jsonschema) echo "AGPL-3.0-only" ;;
+    uwebsockets) echo "Apache-2.0" ;;
+    bootstrap|bootstrap-icons) echo "MIT" ;;
+    pcre2) echo "BSD-3-Clause" ;;
+    zlib) echo "Zlib" ;;
+    curl) echo "curl" ;;
+    nghttp2|cpr|c-ares|libpsl) echo "MIT" ;;
+    *)
+      echo "ERROR: No license mapping for dependency: $1" 1>&2
+      exit 1
+      ;;
+  esac
+}
+
+is_blacklisted() {
+  case "$1" in
+    vendorpull|googletest|googlebenchmark) return 0 ;;
+    jsontestsuite|yaml-test-suite|jsonschema-test-suite) return 0 ;;
+    referencing-suite|uritemplate-test) return 0 ;;
+    pyca-cryptography|ctrf) return 0 ;;
+    mbedtls) return 0 ;;
+    public/*|collections/*) return 0 ;;
+    jsonschema-draft*|jsonschema-2019*|jsonschema-2020*) return 0 ;;
+    openapi*) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+# ---------------------------------------------------------------------------
+# Part A: npm packages
+# ---------------------------------------------------------------------------
+NPM_SBOM="$(cd "$ROOT" && npm sbom --sbom-format spdx --sbom-type library --omit dev 2>/dev/null)"
+NPM_ROOT_SPDXID="SPDXRef-Package-sourcemeta.one-0.0.0"
+NPM_PACKAGES="$(printf '%s' "$NPM_SBOM" | jq --arg root "$NPM_ROOT_SPDXID" \
+  '[.packages[] | select(.SPDXID == $root | not)]')"
+NPM_RELATIONSHIPS="$(printf '%s' "$NPM_SBOM" | jq \
+  '[.relationships[]
+    | select(.relationshipType == "DESCRIBES" | not)
+    | .relatedSpdxElement = "SPDXRef-RootPackage"]')"
+
+# ---------------------------------------------------------------------------
+# Part B: Vendored C++ dependencies from DEPENDENCIES files
+# ---------------------------------------------------------------------------
+SEEN_URLS_FILE="$(mktemp)"
+VENDOR_PACKAGES_FILE="$(mktemp)"
+VENDOR_RELATIONSHIPS_FILE="$(mktemp)"
+VENDOR_INDEX_FILE="$(mktemp)"
+DEPS_LIST_FILE="$(mktemp)"
+printf '1000' > "$VENDOR_INDEX_FILE"
+printf '[' > "$VENDOR_PACKAGES_FILE"
+printf '[' > "$VENDOR_RELATIONSHIPS_FILE"
+
+VENDOR_FIRST_FILE="$(mktemp)"
+printf 'true' > "$VENDOR_FIRST_FILE"
+
+trap 'rm -f "$SEEN_URLS_FILE" "$VENDOR_PACKAGES_FILE" "$VENDOR_RELATIONSHIPS_FILE" "$VENDOR_INDEX_FILE" "$VENDOR_FIRST_FILE" "$DEPS_LIST_FILE"' EXIT
+
+find "$ROOT" -name DEPENDENCIES -type f -not -path '*/.git/*' | sort > "$DEPS_LIST_FILE"
+
+while read -r deps_file; do
+  while read -r name url version; do
+    [ -z "$name" ] && continue
+    is_blacklisted "$name" && continue
+    grep -qFx "$url" "$SEEN_URLS_FILE" 2>/dev/null && continue
+    printf '%s\n' "$url" >> "$SEEN_URLS_FILE"
+
+    vendor_license="$(license_for "$name")"
+
+    vendor_index="$(cat "$VENDOR_INDEX_FILE")"
+    vendor_index=$((vendor_index + 1))
+    printf '%s' "$vendor_index" > "$VENDOR_INDEX_FILE"
+    vendor_spdxid="SPDXRef-Vendor-${vendor_index}"
+
+    vendor_first="$(cat "$VENDOR_FIRST_FILE")"
+    if [ "$vendor_first" = true ]; then
+      printf 'false' > "$VENDOR_FIRST_FILE"
+    else
+      printf ',' >> "$VENDOR_PACKAGES_FILE"
+      printf ',' >> "$VENDOR_RELATIONSHIPS_FILE"
+    fi
+
+    jq -n --arg name "$name" --arg spdxid "$vendor_spdxid" \
+      --arg version "$version" --arg url "$url" \
+      --arg license "$vendor_license" \
+      '{ name: $name, SPDXID: $spdxid, versionInfo: $version,
+         downloadLocation: $url, filesAnalyzed: false,
+         licenseDeclared: $license }' >> "$VENDOR_PACKAGES_FILE"
+
+    jq -n --arg spdxid "$vendor_spdxid" \
+      '{ spdxElementId: $spdxid,
+         relatedSpdxElement: "SPDXRef-RootPackage",
+         relationshipType: "DEPENDENCY_OF" }' >> "$VENDOR_RELATIONSHIPS_FILE"
+  done < "$deps_file"
+done < "$DEPS_LIST_FILE"
+
+printf ']' >> "$VENDOR_PACKAGES_FILE"
+printf ']' >> "$VENDOR_RELATIONSHIPS_FILE"
+
+# ---------------------------------------------------------------------------
+# Part C: System packages from the Docker image
+# ---------------------------------------------------------------------------
+DPKG_OUTPUT="$(docker run --rm --entrypoint cat "$IMAGE" /usr/share/sourcemeta/one/dpkg-packages)"
+
+DPKG_PACKAGES="$(printf '%s' "$DPKG_OUTPUT" | jq -R --argjson start 2000 '
+  split("\t") | select(length >= 2) |
+  { name: .[0],
+    SPDXID: ("SPDXRef-System-" + (input_line_number + $start | tostring)),
+    versionInfo: .[1],
+    downloadLocation: (if .[2] and (.[2] == "" | not) then .[2] else "NOASSERTION" end),
+    filesAnalyzed: false,
+    licenseDeclared: "NOASSERTION" }
+' | jq -s '.')"
+
+DPKG_RELATIONSHIPS="$(printf '%s' "$DPKG_PACKAGES" | jq '[.[] | {
+  spdxElementId: .SPDXID,
+  relatedSpdxElement: "SPDXRef-RootPackage",
+  relationshipType: "DEPENDENCY_OF"
+}]')"
+
+# ---------------------------------------------------------------------------
+# Part D: Assemble the final SPDX 2.3 JSON document
+# ---------------------------------------------------------------------------
+jq -n \
+  --arg version "$VERSION" \
+  --argjson npm_packages "$NPM_PACKAGES" \
+  --argjson npm_relationships "$NPM_RELATIONSHIPS" \
+  --slurpfile vendor_packages "$VENDOR_PACKAGES_FILE" \
+  --slurpfile vendor_relationships "$VENDOR_RELATIONSHIPS_FILE" \
+  --argjson dpkg_packages "$DPKG_PACKAGES" \
+  --argjson dpkg_relationships "$DPKG_RELATIONSHIPS" \
+  '{
+    spdxVersion: "SPDX-2.3",
+    dataLicense: "CC0-1.0",
+    SPDXID: "SPDXRef-DOCUMENT",
+    name: "sourcemeta-one-enterprise",
+    documentNamespace: ("https://sourcemeta.com/spdx/" + $version),
+    creationInfo: {
+      created: (now | strftime("%Y-%m-%dT%H:%M:%SZ")),
+      creators: ["Tool: enterprise/scripts/sbom.sh"]
+    },
+    documentDescribes: ["SPDXRef-RootPackage"],
+    packages: ([{
+      name: "sourcemeta-one-enterprise",
+      SPDXID: "SPDXRef-RootPackage",
+      versionInfo: $version,
+      downloadLocation: "https://github.com/sourcemeta/one",
+      filesAnalyzed: false,
+      licenseDeclared: "NOASSERTION"
+    }] + $npm_packages + $vendor_packages[0] + $dpkg_packages),
+    relationships: ([{
+      spdxElementId: "SPDXRef-DOCUMENT",
+      relatedSpdxElement: "SPDXRef-RootPackage",
+      relationshipType: "DESCRIBES"
+    }] + $npm_relationships + $vendor_relationships[0] + $dpkg_relationships)
+  }'