Add Rekor file cataloger #1291

spiffcs · 2022-10-25T18:32:03Z

No description provided.

This PR adds the ability to discover build-time SBOMs from binaries with the Rekor transparency log. It does this by creating external document references for them in SPDX JSON. Explained in more detail in syft issue #1159 Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

github-actions · 2022-10-25T18:41:15Z

Benchmark Test Results

Benchmark results from the latest changes vs base branch

name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/alpmdb-cataloger-2                    14.2ms ± 5%    14.3ms ± 1%     ~     (p=0.690 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.64ms ± 3%    1.73ms ± 9%     ~     (p=0.151 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            4.32ms ±22%    4.08ms ± 6%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.37ms ± 6%    1.34ms ± 1%     ~     (p=0.548 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         935µs ± 4%     948µs ± 1%     ~     (p=0.421 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                    1.11ms ± 2%    1.11ms ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/rpm-db-cataloger-2                    1.57ms ± 2%    1.58ms ± 1%     ~     (p=0.548 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      17.7ms ± 4%    17.6ms ± 3%     ~     (p=0.690 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.59ms ± 3%    1.53ms ± 2%   -3.70%  (p=0.032 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          8.47µs ± 2%    7.62µs ± 2%  -10.02%  (p=0.008 n=5+5)
ImagePackageCatalogers/dotnet-deps-cataloger-2               1.83ms ± 1%    1.75ms ± 0%   -4.32%  (p=0.008 n=5+5)
ImagePackageCatalogers/portage-cataloger-2                    911µs ± 3%     896µs ± 1%     ~     (p=0.548 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/alpmdb-cataloger-2                    5.26MB ± 0%    5.26MB ± 0%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2               202kB ± 0%     202kB ± 0%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2             945kB ± 0%     945kB ± 0%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     214kB ± 0%     213kB ± 0%     ~     (p=0.587 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         158kB ± 0%     158kB ± 0%     ~     (p=0.516 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     199kB ± 0%     199kB ± 0%     ~     (p=0.095 n=5+5)
ImagePackageCatalogers/rpm-db-cataloger-2                     301kB ± 0%     301kB ± 0%   -0.12%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      3.44MB ± 0%    3.44MB ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.25MB ± 0%    1.25MB ± 0%     ~     (p=0.690 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          1.12kB ± 0%    1.12kB ± 0%     ~     (all equal)
ImagePackageCatalogers/dotnet-deps-cataloger-2                376kB ± 0%     377kB ± 0%     ~     (p=0.222 n=5+5)
ImagePackageCatalogers/portage-cataloger-2                    136kB ± 0%     136kB ± 0%     ~     (p=0.056 n=5+5)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/alpmdb-cataloger-2                     85.7k ± 0%     85.7k ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2               4.24k ± 0%     4.23k ± 0%     ~     (p=0.333 n=4+5)
ImagePackageCatalogers/python-package-cataloger-2             16.5k ± 0%     16.5k ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     5.50k ± 0%     5.50k ± 0%     ~     (p=0.968 n=4+5)
ImagePackageCatalogers/javascript-package-cataloger-2         3.31k ± 0%     3.31k ± 0%     ~     (p=0.238 n=4+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     4.50k ± 0%     4.50k ± 0%     ~     (all equal)
ImagePackageCatalogers/rpm-db-cataloger-2                     8.11k ± 0%     8.11k ± 0%     ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                       57.5k ± 0%     57.5k ± 0%     ~     (p=0.889 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      5.39k ± 0%     5.39k ± 0%     ~     (p=0.333 n=4+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            38.0 ± 0%      38.0 ± 0%     ~     (all equal)
ImagePackageCatalogers/dotnet-deps-cataloger-2                7.32k ± 0%     7.32k ± 0%     ~     (all equal)
ImagePackageCatalogers/portage-cataloger-2                    3.58k ± 0%     3.58k ± 0%     ~     (all equal)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

wagoodman · 2023-01-12T20:01:34Z

@spiffcs I'm curious about the next steps with this branch to get it into main. Can you shout out what's needed and what is blocking this?

mdeicas and others added 8 commits October 25, 2022 14:34

improvements to rekor cataloger code (#1175)

05d7111

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

External sources configuration (#1158)

a64a47c

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

Add rekor-cataloger parsing JSON SPDX document (#1235)

a655e74

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

chore: rebase kubecon commits for merge

a5b6c74

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

test: update cataloger test to remove old es

4b2177b

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

test: failing unit tests

3878d6b

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

tests: add correct fixtures for utils_test

e95bd5b

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

spiffcs force-pushed the kube-con-final branch from 2587a39 to e95bd5b Compare October 25, 2022 18:35

spiffcs added 2 commits October 27, 2022 11:55

refactor: remove EXPERIMENTAL

ae54571

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

lint: fix linter

dcf545a

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

wagoodman added WIP work in progress / do not merge blocked Progress is being stopped by something labels Jan 12, 2023

wagoodman changed the title ~~WIP: 🚧 Rekor File Cataloger Rebased onto main 🚧~~ Add Rekor file cataloger Jan 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Rekor file cataloger #1291

Add Rekor file cataloger #1291

spiffcs commented Oct 25, 2022

github-actions bot commented Oct 25, 2022 •

edited

wagoodman commented Jan 12, 2023

Add Rekor file cataloger #1291

Are you sure you want to change the base?

Add Rekor file cataloger #1291

Conversation

spiffcs commented Oct 25, 2022

github-actions bot commented Oct 25, 2022 • edited

Benchmark Test Results

wagoodman commented Jan 12, 2023

github-actions bot commented Oct 25, 2022 •

edited