[SBOM] Add information about the job that generated the attested artifacts #3533

Closed
netomi opened this issue Nov 14, 2023 · 2 comments · Fixed by #3537
Labels
aix Issues that affect or relate to the AIX OS enhancement Issues that enhance the code or documentation of the repo in any way jenkins Issues that enhance or fix our jenkins server

Comments

@netomi
Contributor

netomi commented Nov 14, 2023

The SBOM should also contain a reference to the build that produced the artifact and provenance, e.g. the Jenkins build URL.

This information could be captured as a property, e.g.

Furthermore, the SBOM should capture information about how the pipeline script was generated, i.e. include the following:

  • reference the ci-jenkins-pipelines repo with digest
  • reference the script that was used to generate the pipeline file
@netomi netomi added the enhancement Issues that enhance the code or documentation of the repo in any way label Nov 14, 2023
@github-actions github-actions bot added aix Issues that affect or relate to the AIX OS jenkins Issues that enhance or fix our jenkins server labels Nov 14, 2023
@netomi
Contributor Author

netomi commented Nov 14, 2023

To give a reference for how this is currently handled by SLSA, here is an excerpt of the attestation produced for the slsa builder Docker image as published here:

https://github.com/slsa-framework/slsa-github-generator/releases/download/v1.9.0/slsa-builder-docker-linux-amd64.intoto.jsonl

The reference to the actual build job is captured in metadata -> buildInvocationId

To access the run you have to figure out the URL yourself:

https://github.com/slsa-framework/slsa-github-generator/actions/runs/5945355419-1
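The lookup netomi describes above (find `metadata.buildInvocationId` in the published `.intoto.jsonl`, then build the Actions run URL yourself) as an added, runnable example. This is not code from the thread or from slsa-github-generator; it assumes the v1.9.0 attestation uses the SLSA v0.2 predicate (`https://slsa.dev/provenance/v0.2`), that `invocation.configSource.uri` has the `git+https://github.com/<org>/<repo>@<ref>` shape, and that the run URL takes the `/actions/runs/<buildInvocationId>` form shown in the comment. The envelope it parses is constructed inline with a placeholder signature; the DSSE signature is deliberately not verified here, so a real consumer must verify it first.

```python
"""Added example: extract buildInvocationId from a SLSA provenance
attestation (.intoto.jsonl, DSSE envelopes) and derive the run URL.
Not part of the original issue thread or of slsa-github-generator."""
import base64
import json

SLSA_V02 = "https://slsa.dev/provenance/v0.2"   # assumed predicate type
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def decode_envelopes(jsonl_text):
    """Yield the in-toto Statement carried by each DSSE envelope line.

    Every non-empty line of an .intoto.jsonl file is one DSSE envelope whose
    'payload' is a base64-encoded Statement.  Signatures are NOT checked here:
    verify them (e.g. with slsa-verifier) before trusting any field below.
    """
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        yield json.loads(base64.b64decode(envelope["payload"]))


def build_run_url(statement):
    """Return the Actions run URL implied by a SLSA v0.2 statement.

    buildInvocationId is '<run id>-<attempt>'; the repository is taken from
    invocation.configSource.uri ('git+https://github.com/org/repo@ref').
    """
    if statement.get("predicateType") != SLSA_V02:
        raise ValueError("not a SLSA v0.2 provenance predicate")
    predicate = statement["predicate"]
    invocation_id = predicate["metadata"]["buildInvocationId"]
    uri = predicate["invocation"]["configSource"]["uri"]
    if uri.startswith("git+"):
        uri = uri[len("git+"):]
    repo = uri.split("@", 1)[0]
    if not repo.startswith("https://github.com/"):
        raise ValueError(f"unexpected configSource uri {uri!r}")
    return f"{repo}/actions/runs/{invocation_id}"


def run_urls(jsonl_text):
    """All run URLs referenced by the attestations in a .intoto.jsonl file."""
    return [build_run_url(stmt) for stmt in decode_envelopes(jsonl_text)]


def _make_sample_jsonl():
    """Constructed sample envelope (placeholder digests and signature), shaped
    like the v1.9.0 slsa-builder-docker attestation discussed in the issue."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SLSA_V02,
        "subject": [{"name": "slsa-builder-docker-linux-amd64",
                     "digest": {"sha256": "00" * 32}}],
        "predicate": {
            "builder": {"id": "https://github.com/slsa-framework/slsa-github-generator"},
            "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
            "invocation": {"configSource": {
                "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/tags/v1.9.0",
                "digest": {"sha1": "11" * 20},
                "entryPoint": ".github/workflows/release.yml"}},
            "metadata": {"buildInvocationId": "5945355419-1",
                         "completeness": {"parameters": True, "environment": False,
                                          "materials": False},
                         "reproducible": False},
            "materials": [],
        },
    }
    envelope = {
        "payloadType": INTOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "constructed-placeholder-not-a-real-signature"}],
    }
    return json.dumps(envelope) + "\n"


SAMPLE_JSONL = _make_sample_jsonl()

if __name__ == "__main__":
    for url in run_urls(SAMPLE_JSONL):
        print(url)
```

Running the block prints the URL for the constructed envelope. The point the example makes is that the attestation only carries the opaque `5945355419-1` identifier; the repository has to be recovered from a different field and the URL assembled by the consumer, which is exactly the gap the issue asks the SBOM to close by storing the build URL directly.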

@sxa
Member

sxa commented Nov 14, 2023

The BUILD_URL environment variable that gets passed from jenkins should be adequate for this.
There's also RUN_DISPLAY_URL but that redirects to a BlueOcean view.
We should also look at making sure that the release pipelines don't get deleted where possible, other than the attached artefacts (which will be stored in GitHub as well as on the parent pipeline)
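An added example (not code from this thread, from temurin-build or from its SBOM tooling) that puts the two comments above together: record the Jenkins `BUILD_URL` (falling back to `RUN_DISPLAY_URL`, which sxa notes redirects to the Blue Ocean view), the ci-jenkins-pipelines commit digest and the generator script as CycloneDX metadata properties, and check an SBOM for them. The property names, the `adoptium/ci-jenkins-pipelines` repository URL, the generator script path and the sample environment are assumptions constructed for illustration, not the names the project settled on.

```python
"""Added example: capture the producing Jenkins build and the pipeline
generator inputs as CycloneDX metadata properties, then verify an SBOM
carries them.  Property names are hypothetical, not the project's own."""
import copy
import json
import re
from urllib.parse import urlparse

# Hypothetical property names (assumption for illustration).
PROP_BUILD_URL = "build:jenkins:BUILD_URL"
PROP_PIPELINE_REPO = "build:pipeline:repo"
PROP_PIPELINE_DIGEST = "build:pipeline:commit"
PROP_PIPELINE_SCRIPT = "build:pipeline:generator-script"
REQUIRED = {PROP_BUILD_URL, PROP_PIPELINE_REPO, PROP_PIPELINE_DIGEST, PROP_PIPELINE_SCRIPT}

GIT_SHA = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")  # sha1 or sha256 commit id


def build_properties(env, pipeline_repo, pipeline_digest, generator_script):
    """Return CycloneDX {"name","value"} properties describing the build.

    env is a mapping such as os.environ.  BUILD_URL is preferred because it is
    the canonical Jenkins job page; RUN_DISPLAY_URL only redirects to the Blue
    Ocean view, so it is used solely when BUILD_URL is missing.
    """
    build_url = env.get("BUILD_URL") or env.get("RUN_DISPLAY_URL")
    if not build_url:
        raise ValueError("neither BUILD_URL nor RUN_DISPLAY_URL set in environment")
    parsed = urlparse(build_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"build URL must be an absolute https URL: {build_url!r}")
    if not GIT_SHA.match(pipeline_digest):
        raise ValueError("pipeline digest must be a full hex git commit id")
    return [
        {"name": PROP_BUILD_URL, "value": build_url},
        {"name": PROP_PIPELINE_REPO, "value": pipeline_repo},
        {"name": PROP_PIPELINE_DIGEST, "value": pipeline_digest},
        {"name": PROP_PIPELINE_SCRIPT, "value": generator_script},
    ]


def attach_to_sbom(sbom, properties):
    """Merge properties into sbom['metadata']['properties'], replacing any
    existing entries that use the same name, and return the updated SBOM."""
    new_names = {p["name"] for p in properties}
    metadata = sbom.setdefault("metadata", {})
    kept = [p for p in metadata.get("properties", []) if p["name"] not in new_names]
    metadata["properties"] = kept + list(properties)
    return sbom


def missing_provenance(sbom):
    """Sorted names of required provenance properties absent from the SBOM."""
    present = {p["name"] for p in sbom.get("metadata", {}).get("properties", [])}
    return sorted(REQUIRED - present)


# Constructed sample input: a Jenkins-like environment and a minimal CycloneDX doc.
SAMPLE_ENV = {
    "BUILD_URL": "https://ci.example.org/job/build-scripts/job/jdk21u-linux-x64/42/",
    "RUN_DISPLAY_URL": "https://ci.example.org/job/build-scripts/job/jdk21u-linux-x64/42/display/redirect",
}
SAMPLE_DIGEST = "0123456789abcdef0123456789abcdef01234567"   # placeholder sha1
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4",
               "metadata": {"properties": [{"name": PROP_BUILD_URL, "value": "stale"}]}}


def demo(env=SAMPLE_ENV):
    """Build the properties for the sample environment and attach them to a
    copy of the sample SBOM; returns the resulting SBOM dict."""
    props = build_properties(
        env,
        pipeline_repo="https://github.com/adoptium/ci-jenkins-pipelines",  # assumed
        pipeline_digest=SAMPLE_DIGEST,
        generator_script="pipelines/build/regeneration/example_generator.groovy",  # constructed
    )
    return attach_to_sbom(copy.deepcopy(SAMPLE_SBOM), props)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The URL check matters because whatever lands in the property is what a downstream consumer will follow: a relative or empty `BUILD_URL` (e.g. when the script is run outside Jenkins) should fail the build rather than produce an SBOM that silently points nowhere. `missing_provenance` is the kind of check a release gate can run over the finished SBOM.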

@netomi netomi changed the title [SBOM] Add information about the build that generated the attested artifacts [SBOM] Add information about the job that generated the attested artifacts Nov 14, 2023
@sxa sxa closed this as completed in #3537 Nov 21, 2023