ksoclabs / kbom
KBOM - Kubernetes Bill of Materials
I'd like to be able to generate my KBOM in SPDX format.
Go version:
go version go1.20.3 linux/amd64
OS:
Red Hat Enterprise Linux 8.6 (Ootpa)
Command:
make build
Error:
../../.go/src/runtime/security_linux.go:14:9: undefined: secureMode
../../.go/src/runtime/security_unix.go:55:17: undefined: fcntl
Given a kbom (v0.2.4) generated bom file with a set of 'container' type components that include package URL (purl) fields reflecting, presumably, docker images that are resources in the kubernetes cluster.
The bom is in CycloneDX JSON format. I am also using another open source tool: https://github.com/CycloneDX/cyclonedx-python-lib. Specifically, I am using the from_json() method available with the project's Bom class to deserialize from a CycloneDX JSON BOM (ie, the aforementioned kbom bom file).
At the point where the first purl in the bom is encountered, an exception is thrown.
PURL string supplied (pkg:registry.k8s.io/kube-scheduler:v1.26.1@sha256:af0292<snip>) does not parse!
File "/some/path/venv/lib/python3.8/site-packages/cyclonedx/serialization/__init__.py", line 66, in deserialize
return PackageURL.from_string(purl=str(o))
File "/some/path/venv/lib/python3.8/site-packages/packageurl/__init__.py", line 512, in from_string
raise ValueError(msg)
ValueError: Invalid purl 'pkg:registry.k8s.io/kube-scheduler:v1.26.1@sha256:af0292<snip>' cannot contain a "user:pass@host:port" URL Authority component: ''.
This exception is coming from cyclonedx-python-lib's usage of https://github.com/package-url/packageurl-python's PackageURL.from_string().
That usage isn't arbitrary. The CycloneDX v1.5 specification for the 'purl' indicates a purl MUST be valid and conform to the specification defined at: https://github.com/package-url/purl-spec.
It appears that a portion of the kbom generated URL is being interpreted as a "URL Authority component" and those are not allowed. See bullet 3 of section "A purl is a URL" in the purl-spec.
Do you agree that the format of purl fields currently generated by kbom does not adhere to the required format as prescribed by the CycloneDX specification?
It would be desirable to be able to interoperate with another emerging open source toolset like cyclonedx-python-lib.
If the kbom generated purl is altered as follows, packageurl is happy. Note: sha shortened for brevity.
"pkg:docker/registry.k8s.io/kube-scheduler@sha256:af029?tag=v1.26.1"
In particular, from the seven components the purl-spec defines:
pkg: - Per the spec, only the pkg scheme is defined.
docker - Added this per the pkg type that the spec defines.
registry.k8s.io - not sure if this is best here or as a qualifier per the example in the spec.
kube-scheduler - the image name
the sha digest value - moved around a bit
tag=v1.26.1 - moved to a qualifier so as to not lose this information
I am uncertain on whether my qualifiers are good or not. It was an attempt to retain the tag.
I was attempting to craft a purl where all the information needed to pull the image was there, even if not available in a direct copy/paste form. Not that there is a requirement for that per se, but it seems to me it would be potentially useful to the consumers of SBOMs (automated or otherwise). The docker image can still be pulled using 'docker pull registry.k8s.io/kube-scheduler@sha256:af0292c...' (not including qualifiers). Automations should be able to further parse and craft pull commands.
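The purl round-trip discussed in the issue above, as an added example that is neither kbom's nor cyclonedx-python-lib's code: it rejects the kbom-style purl for the reason the traceback shows (once "pkg:" and the type segment are stripped, the remainder "kube-scheduler:v1.26.1@..." trips the URL-splitting check that produced the "URL Authority component" error), rewrites it into the "pkg:docker/<registry>/<name>@<digest>?tag=<tag>" form the author settled on, parses that form back into the components the purl-spec defines, and rebuilds the reference that "docker pull" accepts. The conformance check is modelled on the error text with urllib.parse.urlsplit, not copied from packageurl-python; the digest and the "localhost:5000" registry are constructed values, not taken from a real cluster; and the port-bearing registry case goes beyond the issue to show why the tag has to be split on the last colon after the last slash and why namespace segments are percent-encoded.

```python
"""Check, rewrite and re-parse container-image purls (added example, not kbom's
or cyclonedx-python-lib's code). All sample values below are constructed."""
from urllib.parse import parse_qsl, quote, unquote, urlsplit

FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4  # constructed, not a real image digest

# Same shape as the purl quoted in the issue: pkg:<registry>/<name>:<tag>@<digest>
KBOM_STYLE_PURL = "pkg:registry.k8s.io/kube-scheduler:v1.26.1@" + FAKE_DIGEST


def check_purl(purl):
    """Return a list of conformance problems (empty when the purl looks valid).

    Models the rejection in the traceback (an assumption about the library's
    internals, based on its error text): after 'pkg:' and the type are stripped,
    the remainder must not look like a URL with its own scheme or a
    user:pass@host:port authority (purl-spec, "A purl is a URL")."""
    scheme, sep, rest = purl.partition(":")
    if not sep or scheme != "pkg":
        return ['missing the required "pkg" scheme']
    rest = rest.lstrip("/")  # spec: any '//' after 'pkg:' is dropped
    ptype, sep, rest = rest.partition("/")
    if not ptype or not sep:
        return ["missing the required type component"]
    parts = urlsplit(rest)
    if parts.scheme or parts.netloc:
        return ['remainder %r parses as scheme=%r authority=%r; a purl cannot '
                'contain a "user:pass@host:port" URL Authority component'
                % (rest, parts.scheme, parts.netloc)]
    return []


def kbom_image_purl_to_docker_purl(purl):
    """Rewrite pkg:<registry>/<repo>:<tag>@<digest> into the spec-shaped
    pkg:docker/<registry>/<repo>@<digest>?tag=<tag> form from the issue."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    ref, at, digest = purl[len("pkg:"):].rpartition("@")
    if not at or not digest.startswith("sha256:"):
        raise ValueError("expected an @sha256:<hex> digest in %r" % purl)
    # The tag is the text after the last ':' that follows the last '/', so a
    # registry port such as localhost:5000 is never mistaken for a tag.
    head, _, last = ref.rpartition("/")
    name, colon, tag = last.partition(":")
    if not colon:
        raise ValueError("no tag in %r" % purl)
    segments = (head.split("/") if head else []) + [name]
    # Spec: namespace segments and the name are percent-encoded, which also
    # keeps a ':' in a host:port registry from reading as a URL scheme.
    encoded = "/".join(quote(seg, safe="") for seg in segments)
    # The digest is left as 'sha256:<hex>', the form the issue author verified.
    return "pkg:docker/%s@%s?tag=%s" % (encoded, digest, quote(tag, safe=""))


def parse_purl(purl):
    """Split a purl into its components in the order the purl-spec prescribes:
    subpath (from the right on '#'), qualifiers ('?'), scheme (':'), type
    ('/'), version (from the right on '@'), then name and namespace ('/')."""
    rest, sep, subpath = purl.rpartition("#")
    if not sep:
        rest, subpath = subpath, ""
    rest, sep, qualifiers = rest.rpartition("?")
    if not sep:
        rest, qualifiers = qualifiers, ""
    scheme, _, rest = rest.partition(":")
    rest = rest.strip("/")
    ptype, _, rest = rest.partition("/")
    rest, sep, version = rest.rpartition("@")
    if not sep:
        rest, version = version, ""
    namespace, _, name = rest.rpartition("/")
    return {
        "scheme": scheme,
        "type": ptype.lower(),
        "namespace": "/".join(unquote(s) for s in namespace.split("/")) if namespace else "",
        "name": unquote(name),
        "version": unquote(version),
        "qualifiers": {k.lower(): v for k, v in parse_qsl(qualifiers)},
        "subpath": unquote(subpath),
    }


def pull_reference(components):
    """Rebuild the registry/repo@digest reference 'docker pull' accepts; the
    tag qualifier is informational and deliberately left out, as in the issue."""
    repo = "/".join(p for p in (components["namespace"], components["name"]) if p)
    return "%s@%s" % (repo, components["version"])


if __name__ == "__main__":
    print("kbom form :", check_purl(KBOM_STYLE_PURL))
    fixed = kbom_image_purl_to_docker_purl(KBOM_STYLE_PURL)
    print("rewritten :", fixed, check_purl(fixed))
    print("pull ref  :", pull_reference(parse_purl(fixed)))
```

Running the module prints the problem found in the kbom-style purl, the rewritten purl with an empty problem list, and the pull reference recovered from it. The namespace encoding is what makes the port case survive the check: with "localhost:5000" left raw, urlsplit would read "localhost" as a scheme and the rewritten purl would be rejected for the same reason the original was.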
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
k8s.io/api, k8s.io/apimachinery, k8s.io/client-go
build/package/Dockerfile.gorelease
alpine 3.19.0
.github/workflows/build.yml
actions/checkout v4
actions/checkout v4
actions/setup-go v5
goreleaser/goreleaser-action v5
anchore/scan-action v3
github/codeql-action v3
.github/workflows/golangci-lint.yml
actions/checkout v4
actions/setup-go v5
golangci/golangci-lint-action v3.7.0
.github/workflows/release.yml
actions/checkout v4
actions/checkout v4
actions/setup-go v5
sigstore/cosign-installer v3
anchore/sbom-action v0
docker/login-action v3
goreleaser/goreleaser-action v5
CycloneDX/gh-gomod-generate-sbom v2
.github/workflows/scan.yml
actions/checkout v4
actions/setup-go v5
github/codeql-action v3
github/codeql-action v3
github/codeql-action v3
.github/workflows/test.yml
actions/checkout v4
actions/setup-go v5
go.mod
go 1.21
github.com/CycloneDX/cyclonedx-go v0.7.2
github.com/Masterminds/semver v1.5.0
github.com/distribution/reference v0.5.0
github.com/google/uuid v1.5.0
github.com/invopop/jsonschema v0.12.0
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/rs/zerolog v1.31.0
github.com/spf13/cobra v1.8.0
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.18.2
github.com/stretchr/testify v1.8.4
golang.org/x/term v0.15.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.29.0
k8s.io/apimachinery v0.29.0
k8s.io/client-go v0.29.0