feat(image): add Sigstore bundle SBOM support #9516
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add support for extracting DSSE payloads from Sigstore bundles when processing OCI referrer SBOMs. This enables Trivy to handle SBOM attestations created with newer Cosign versions that use the bundle format. - Add extractDSSEFromSigstoreBundle method to parse Sigstore bundles - Update parseReferrer to handle Sigstore bundle artifact type - Add SigstoreBundleArtifactType constant and include in supported types - Includes test coverage with test data files
|
I just saw that it might be a bit cleaner to add a "SigstoreBundle" as a Pseudo SBOM format such as the DSSE -> In-toto -> CycloneDx wrapper here Happy to change the implementation if that would be preferred. |
| } | ||
| defer os.Remove(dsseFilePath) | ||
| filePath = dsseFilePath | ||
| fmt.Printf("DEBUG: Extracted DSSE to file: %s\n", dsseFilePath) |
There was a problem hiding this comment.
you can use a.logger.Debug
Comment on lines
+160
to
+167
| tmpFile.Close() | ||
| os.Remove(tmpFile.Name()) | ||
| return "", xerrors.Errorf("failed to write DSSE envelope: %w", err) | ||
| } | ||
| if err = tmpFile.Close(); err != nil { | ||
| os.Remove(tmpFile.Name()) | ||
| return "", xerrors.Errorf("failed to close temp file: %w", err) | ||
| } |
There was a problem hiding this comment.
Can we use defer for this?
| MediaType string `json:"mediaType"` | ||
| } | ||
|
|
||
| func (a Artifact) extractDSSEFromSigstoreBundle(bundlePath string) (string, error) { |
There was a problem hiding this comment.
Can we use temp dir from parseReferrer?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add support for extracting DSSE payloads from Sigstore bundles when processing OCI referrer SBOMs. This enables Trivy to handle SBOM attestations created with newer Cosign versions that use the new sigstore bundle format.
Related issues
Checklist
I've added usage information (if the PR introduces new options)I've included a "before" and "after" example to the description (if the PR is a user interface change).