Add an SBOM URI field to artifact events #171

Merged (2 commits), Jan 15, 2024
20 changes: 18 additions & 2 deletions continuous-integration.md
@@ -47,6 +47,7 @@ An `artifact` is usually produced as output of a build process. Events need to b
| type | `String` | See [type](spec.md#type-subject) | `artifact` |
| change | `object` | The change (tag, commit, revision) of the repository which was used to build the artifact" | `{"id": "527d4a1aca5e8d0df24813df5ad65d049fc8d312", "source": "my-git.example/an-org/a-repo"}`, `{"id": "feature1234", "source": "my-git.example/an-org/a-repo"}` |
| signature | `string` | The signature of the artifact | `MEYCIQCBT8U5ypDXWCjlNKfzTV4KH516/SK13NZSh8znnSMNkQIhAJ3XiQlc9PM1KyjITcZXHotdMB+J3NGua5T/yshmiPmp` |
| sbom | [`sbom`](#sbom) | The Software Bill of Material (SBOM) associated with the artifact | `{"uri": "https://sbom.storage.service/my-projects/3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427.sbom"}` |

## Events

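Review bot: the example URI in the new `sbom` row, `.../3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427.sbom`, looks like it was lifted from the purl `sha256%3A0b31b1c02ff...` with the percent-encoded `%3A` separator truncated to `3A`; dropping that prefix (or using a file name that does not reuse the digest at all) avoids implying that SBOM file names carry it. The same value is repeated in the later tables of this file and in the `sbom` object section. Also, the description reads "Software Bill of Material" here while the `sbom` object section in this same file says "Software Bill of Materials"; the latter is the usual expansion, so use it in every row.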
@@ -96,8 +97,9 @@ This event represents a Build task that has finished. This event will eventually
### [`artifact packaged`](examples/artifact_packaged.json)

The event represents an artifact that has been packaged for distribution; this artifact is now versioned with a fixed version.
This event is usually produced by the build system. If an SBOM URI is available at this stage, it should be included.

- Event Type: __`dev.cdevents.artifact.packaged.0.1.1`__
- Event Type: __`dev.cdevents.artifact.packaged.0.2.0-draft`__
- Predicate: packaged
- Subject: [`artifact`](#artifact)

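Review bot: the 0.1.1 to 0.2.0-draft bump matches adding an optional field, but the sentence "If an SBOM URI is available at this stage, it should be included" could state explicitly that `sbom` is optional and that producers without an SBOM must omit the object entirely rather than send an empty `uri`, since the schema sets `minLength: 1` on `uri` and `{"uri": ""}` would fail validation.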
@@ -107,12 +109,15 @@ The event represents an artifact that has been packaged for distribution; this a
| source | `URI-Reference` | See [source](spec.md#source-subject) | | |
| type | `String` | See [type](spec.md#type-subject) | `artifact` | |
| change | `object` | The change (tag, commit, revision) of the repository which was used to build the artifact" | `{"id": "527d4a1aca5e8d0df24813df5ad65d049fc8d312", "source": "my-git.example/an-org/a-repo"}`, `{"id": "feature1234", "source": "my-git.example/an-org/a-repo"}` | ✅ |
| sbom | [`sbom`](#sbom) | The Software Bill of Material (SBOM) associated with the artifact | `{"uri": "https://sbom.storage.service/my-projects/3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427.sbom"}` | |

### [`artifact published`](examples/artifact_published.json)

The event represents an artifact that has been published and it can be advertised for others to use.
This event may be produced both by the build system and by the artifact registry that received the artifact.
If an SBOM was published and the SBOM URI is available at this stage, it should be included.

- Event Type: __`dev.cdevents.artifact.published.0.1.1`__
- Event Type: __`dev.cdevents.artifact.published.0.2.0-draft`__
- Predicate: published
- Subject: [`artifact`](#artifact)

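Review bot: because `artifact published` "may be produced both by the build system and by the artifact registry", two producers can emit different `sbom.uri` values for the same artifact; a sentence on which one consumers should treat as authoritative (or a requirement that both resolve to the same SBOM document) would remove that ambiguity. While in this hunk, the `change` row of the packaged table still carries a stray `"` after "build the artifact" (pre-existing, but it is a context line here and easy to fix now).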
@@ -121,6 +126,7 @@ The event represents an artifact that has been published and it can be advertise
| id | `Purl` | See [id](spec.md#id-subject) | `pkg:oci/myapp@sha256%3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427?repository_url=mycr.io/myapp`, `pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c` | ✅ |
| source | `URI-Reference` | See [source](spec.md#source-subject) | | |
| type | `String` | See [type](spec.md#type-subject) | `artifact` | |
| sbom | [`sbom`](#sbom) | The Software Bill of Material (SBOM) associated with the artifact | `{"uri": "https://sbom.storage.service/my-projects/3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427.sbom"}` | |

### [`artifact signed`](examples/artifact_signed.json)

@@ -137,3 +143,13 @@ An artifact may be signed after it has been packaged or sometimes after it has p
| source | `URI-Reference` | See [source](spec.md#source-subject) | | |
| type | `String` | See [type](spec.md#type-subject) | `artifact` | |
| signature | `string` | The signature of the artifact | `MEYCIQCBT8U5ypDXWCjlNKfzTV4KH516/SK13NZSh8znnSMNkQIhAJ3XiQlc9PM1KyjITcZXHotdMB+J3NGua5T/yshmiPmp` | ✅ |

## Objects

### `sbom`

Several events reference a Software Bill of Materials (SBOM). In CDEvents SBOMs are represented via the `sbom` object, which is a reference to an externally hosted SBOM. The `sbom` object includes a single `uri` field, and is defined as an object to allow for more fields to be added in a backwards compatible manner in future.

| Field | Type | Description | Examples |
|-------|------|-------------|----------|
| `uri` | `URI-Reference` | Link to an externally hosted SBOM. | `https://sbom.storage.service/my-projects/3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427.sbom` |
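Review bot: `sbom.uri` is a bare reference, so a consumer that dereferences it gets no integrity binding between the event and the document it reads. The text already says the object is kept extensible "to allow for more fields to be added in a backwards compatible manner", so it is worth noting there that a digest of the referenced SBOM is the obvious next field, and that until such a field exists consumers should only trust an SBOM fetched from a location they already trust. Separately, the `artifact signed` table in this hunk does not gain an `sbom` row while packaged and published do; if that is deliberate, a short sentence saying so will save the question being asked again.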
5 changes: 4 additions & 1 deletion examples/artifact_packaged.json
@@ -3,7 +3,7 @@
"version": "0.4.0-draft",
"id": "271069a8-fc18-44f1-b38f-9d70a1695819",
"source": "/event/source/123",
"type": "dev.cdevents.artifact.packaged.0.1.1",
"type": "dev.cdevents.artifact.packaged.0.2.0-draft",
"timestamp": "2023-03-20T14:27:05.315384Z"
},
"subject": {
@@ -14,6 +14,9 @@
"change": {
"id": "myChange123",
"source": "my-git.example/an-org/a-repo"
},
"sbom": {
"uri": "https://sbom.repo/myorg/234fd47e07d1004f0aed9c.sbom"
}
}
}
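Review bot: the example host `sbom.repo` differs from the `sbom.storage.service` host used throughout the documentation tables, and the file name `234fd47e07d1004f0aed9c.sbom` reuses the version from the golang purl in the published example while this example's change id is `myChange123`; aligning the example with the docs (same host, digest matching the subject of this event) makes it read as a realistic pair.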
8 changes: 6 additions & 2 deletions examples/artifact_published.json
@@ -3,13 +3,17 @@
"version": "0.4.0-draft",
"id": "271069a8-fc18-44f1-b38f-9d70a1695819",
"source": "/event/source/123",
"type": "dev.cdevents.artifact.published.0.1.1",
"type": "dev.cdevents.artifact.published.0.2.0-draft",
"timestamp": "2023-03-20T14:27:05.315384Z"
},
"subject": {
"id": "pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c",
"source": "/event/source/123",
"type": "artifact",
"content": {}
"content": {
"sbom": {
"uri": "https://sbom.repo/myorg/234fd47e07d1004f0aed9c.sbom"
}
}
}
}
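Review bot: replacing `"content": {}` with an object carrying only `sbom` is consistent with the packaged example. Note that both examples share the same event `id`, `271069a8-fc18-44f1-b38f-9d70a1695819` (a context line, not changed here), which is misleading for a value that should be unique per event; distinct ids would be better the next time these examples are touched.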
18 changes: 16 additions & 2 deletions schemas/artifactpackaged.json
@@ -20,9 +20,9 @@
"type": {
"type": "string",
"enum": [
"dev.cdevents.artifact.packaged.0.1.1"
"dev.cdevents.artifact.packaged.0.2.0-draft"
],
"default": "dev.cdevents.artifact.packaged.0.1.1"
"default": "dev.cdevents.artifact.packaged.0.2.0-draft"
},
"timestamp": {
"type": "string",
@@ -77,6 +77,20 @@
"required": [
"id"
]
},
"sbom": {
"properties": {
"uri": {
"type": "string",
"minLength": 1,
"format": "uri-reference"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uri"
]
}
},
"additionalProperties": false,
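Review bot: `"format": "uri-reference"` is only enforced when the validator has format checking enabled; under JSON Schema 2019-09 and 2020-12 `format` is annotation-only by default, so with some validators `minLength: 1` is the only constraint actually applied to `uri`. If the intent is to reject malformed references, either document that expectation for implementers or extend `tools/verify-examples.sh` with a negative case so the behaviour of the validator in use (`yajsv`) is checked rather than assumed.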
21 changes: 18 additions & 3 deletions schemas/artifactpublished.json
@@ -20,9 +20,9 @@
"type": {
"type": "string",
"enum": [
"dev.cdevents.artifact.published.0.1.1"
"dev.cdevents.artifact.published.0.2.0-draft"
],
"default": "dev.cdevents.artifact.published.0.1.1"
"default": "dev.cdevents.artifact.published.0.2.0-draft"
},
"timestamp": {
"type": "string",
@@ -59,7 +59,22 @@
"default": "artifact"
},
"content": {
"properties": {},
"properties": {
"sbom": {
"properties": {
"uri": {
"type": "string",
"minLength": 1,
"format": "uri-reference"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uri"
]
}
},
"additionalProperties": false,
"type": "object"
}
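Review bot: the `sbom` sub-schema here is a verbatim copy of the one added to `schemas/artifactpackaged.json` (same `properties`, `minLength`, `format`, `additionalProperties` and `required`); since the documentation defines `sbom` as one shared object, a `$ref` to a single definition would keep the two schemas from drifting when further fields are added, which the docs say is the plan.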
13 changes: 7 additions & 6 deletions tools/verify-examples.sh
@@ -44,20 +44,21 @@ go install github.com/neilpa/[email protected]
# - examples are subject_predicate.json
# - schemas are subjectpredicate.json
num_failed=0
num_examples=$(ls "$EXAMPLES_FOLDER" | wc -l | awk '{ print $1 }')
for example in $(ls "$EXAMPLES_FOLDER"); do
SUBJECT_PREDICATE=$(basename $example .json)
num_examples=$(find "${EXAMPLES_FOLDER}" -type f -name '*json' | wc -l | awk '{ print $1 }')
for example in $(find "${EXAMPLES_FOLDER}" -type f -name '*json'); do
EXAMPLE_FILE=$(basename ${example})
SUBJECT_PREDICATE=$(basename $EXAMPLE_FILE .json)
splitArray=(${SUBJECT_PREDICATE//_/ })
SUBJECT=${splitArray[0]}
PREDICATE=${splitArray[1]}
EXAMPLE_FILE=${EXAMPLES_FOLDER}/${example}
SCHEMA_FILE=${SCHEMAS_FOLDER}/${SUBJECT}${PREDICATE}.json
echo "==> $SUBJECT $PREDICATE"
yajsv -s "$SCHEMA_FILE" "$EXAMPLE_FILE" || num_failed=$(( num_failed + 1 ))
echo yajsv -s "$SCHEMA_FILE" "$example"
yajsv -s "$SCHEMA_FILE" "$example" || num_failed=$(( num_failed + 1 ))
echo
done

if [ $num_failed -gt 0 ]; then
echo "${num_failed} out of ${num_examples} examples failed validation"
fi
exit $num_failed
exit $num_failed
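Review bot: `-name '*json'` also matches files such as `foo.notjson`; `'*.json'` matches what the comment above describes. The `for example in $(find ...)` loop and the unquoted `$example` and `$EXAMPLE_FILE` word-split on paths containing whitespace; `for example in "${EXAMPLES_FOLDER}"/*.json; do` (or `find ... -print0 | while IFS= read -r -d '' example; do`) avoids that. The added `echo yajsv -s "$SCHEMA_FILE" "$example"` before the real invocation reads like leftover debug output; if it is meant as a trace, `set -x` or a comment saying so makes the intent clear. Also note that switching from `ls` to `find -type f` recurses into subdirectories while `SCHEMA_FILE` is derived from the basename only, so a nested example would be mapped onto a flat schema name.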