
1ES Pipeline Templates generates SBOMs for our SBOMs #1331

Open
lbussell opened this issue Jun 12, 2024 · 5 comments
Comments

lbussell (Contributor) commented Jun 12, 2024

We compute and upload our container image SBOMs ourselves, and upload them as a pipeline artifact. 1ES pipeline templates also generates an SBOM for every pipeline artifact that's published. Thus, 1ES pipeline templates ends up generating a (useless) SBOM for our real SBOMs. The result is that it's difficult to traverse the pipeline artifacts and grab a useful SBOM. We should find a way to stop uploading these meta-SBOMs.

Example:

  • The sboms folder is what we upload.
  • It contains SBOMs for each of the images in its own folder.
  • 1ESPT injects the _manifest folder which contains the SBOMs for our SBOMs.

(screenshot of the uploaded sboms artifact tree, showing the per-image folders alongside the injected _manifest folder)
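To make the traversal problem concrete, here is an added example (not code from the .NET Docker repositories or from 1ES Pipeline Templates) that separates the real image SBOMs in a published `sboms` artifact from the injected meta-SBOM. It assumes the layout described above: one sub-folder per image plus a `_manifest/spdx_2.2/manifest.spdx.json`, which is the default output path of Microsoft's sbom-tool. The SPDX documents, image names and file lists in it are constructed sample data.

```python
"""Separate real container-image SBOMs from the meta-SBOM that the pipeline
injects into the published artifact.

Added example; it is not code from the .NET Docker repositories or from
1ES Pipeline Templates. Assumed layout (from the issue description):
    sboms/<image>/manifest.spdx.json          real SBOM, uploaded by the repo
    sboms/_manifest/spdx_2.2/manifest.spdx.json  injected SBOM of the SBOMs
All SPDX content below is constructed sample data.
"""
import json
import os
import tempfile
from pathlib import Path

META_DIR = "_manifest"  # folder name the SBOM generator injects (assumption)

# Constructed sample artifact: two image SBOMs plus one injected meta-SBOM.
SAMPLE_TREE = {
    "runtime-8.0/manifest.spdx.json": {
        "spdxVersion": "SPDX-2.2",
        "name": "mcr.microsoft.com/dotnet/runtime:8.0",
        "documentDescribes": ["SPDXRef-RootPackage"],
        "files": [{"fileName": "./usr/share/dotnet/dotnet"}],
    },
    "aspnet-8.0/manifest.spdx.json": {
        "spdxVersion": "SPDX-2.2",
        "name": "mcr.microsoft.com/dotnet/aspnet:8.0",
        "documentDescribes": ["SPDXRef-RootPackage"],
        "files": [{"fileName": "./usr/share/dotnet/shared/Microsoft.AspNetCore.App"}],
    },
    "_manifest/spdx_2.2/manifest.spdx.json": {
        "spdxVersion": "SPDX-2.2",
        "name": "sboms",  # describes the artifact, i.e. the other SBOMs
        "documentDescribes": ["SPDXRef-RootPackage"],
        "files": [
            {"fileName": "./runtime-8.0/manifest.spdx.json"},
            {"fileName": "./aspnet-8.0/manifest.spdx.json"},
        ],
    },
}


def write_sample_artifact(root: Path) -> None:
    """Materialise SAMPLE_TREE on disk so the walker below has something real to read."""
    for rel, doc in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(doc))


def is_meta_sbom(doc: dict) -> bool:
    """Content check: an SPDX document whose catalogued files are all SPDX
    manifests describes the SBOM bundle, not a shipped image."""
    files = doc.get("files") or []
    return bool(files) and all(
        f.get("fileName", "").endswith(".spdx.json") for f in files
    )


def find_image_sboms(root: Path) -> dict:
    """Return {relative path: described name} for the real SBOMs under root.

    Two filters are applied: the injected META_DIR is pruned by path, and any
    remaining document that reads as an SBOM of SBOMs is dropped by content,
    so a meta-SBOM that lands somewhere else is still excluded."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != META_DIR]  # prune in place
        for name in filenames:
            if not name.endswith(".spdx.json"):
                continue
            path = Path(dirpath) / name
            doc = json.loads(path.read_text())
            if is_meta_sbom(doc):
                continue
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            found[rel] = doc["name"]
    return found


def demo() -> dict:
    """Build the sample artifact in a temp dir and list its real SBOMs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "sboms"
        write_sample_artifact(root)
        return find_image_sboms(root)


if __name__ == "__main__":
    for rel, image in sorted(demo().items()):
        print(f"{rel}: {image}")
```

The path filter alone depends on the generator's folder name staying `_manifest`; the content check is what makes the result robust if that changes. Either way this is a downstream workaround, and the thread's conclusion is the right one: stop generating the meta-SBOM at the source rather than filtering it out of every consumer.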

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

lbussell (Contributor, Author) commented

[Triage] The 1ES pipeline templates documentation specifies how to disable SBOM generation for specific artifacts: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/sbom

@lbussell lbussell moved this from Backlog to Current Release in .NET Docker Jun 13, 2024
@lbussell lbussell changed the title 1ES Pipeline Templates generate SBOMs for our SBOMs 1ES Pipeline Templates generates SBOMs for our SBOMs Jul 10, 2024
@lbussell lbussell moved this from Current Release to Sprint in .NET Docker Aug 13, 2024
@lbussell lbussell moved this from Sprint to Post Release in .NET Docker Sep 23, 2024
lbussell (Contributor, Author) commented

I ran some tests with disabling SBOM on pipeline artifacts since we never emit shipping code as pipeline artifacts. This causes us to run into issues with generating SBOM manifests for our container images, due to #1283. That will need to be reverted for this change to work.

Pipeline test runs: docker-tools, dotnet-docker

lbussell (Contributor, Author) commented

[Triage] We should first focus on disabling SBOM generation for other SBOMs, rather than disabling SBOM generation for all pipeline artifacts. We can revisit the necessity of other SBOMs at a later date.

@lbussell lbussell moved this from Post Release to Current Release in .NET Docker Nov 13, 2024
Projects
Status: Current Release
Development

No branches or pull requests

1 participant