feat: add SBOM in sync-request metadata #43
Conversation
Signed-off-by: felipecruz91 <[email protected]>
| "olympos.io/encoding/edn" | ||
| ) | ||
|
|
||
| func BuildLocalEvalMocks(sb *types.SBOM) map[edn.Keyword]edn.RawMessage { |
There was a problem hiding this comment.
This is already handled in this package here, do we specifically need to pass the sbom from the cli tool to the evaluator?
Fwiw, scout-cli-plugin also already does this mock, which takes precedence in go-skill if passed (so if the fields need to be expanded we can update scout-cli-plugin once instead of updating this repo and all policy repos).
There was a problem hiding this comment.
Yes, we would like to use the existing SBOM struct as a standardised API for synchronous policy evaluation.
That struct encapsulates basically all the useful information that we have about a given image, so we can make changes to policies and introduce new policies without needing to rely on any CLI changes to pass new data.
It also gives us a way of getting local attestations (with the help of containerd) into policy evaluation.
There was a problem hiding this comment.
Okay, I see the idea now. And now that I think about it, I agree it's the right move as well.
Two follow-up thoughts then:
- This won't be a "legacy" thing if it's how we're planning to do local eval in the long-run, so let's not put it in the legacy package.
- Let's try to remove the corresponding mocking logic from go-skill and
scout-cli-pluginas we are given opportunities to, so that we don't end up holding onto them for some cross-project version combinations.- The packages query mock in this repo will need to remain to support old CLI versions.
- The user query mock in this repo is released and used by
non-root-user-skill, so we'll need to hold onto it for a while as well. - The packages mock in
scout-cli-pluginthat I linked above is not used by any released skills, to my knowledge. Once this PR is merged, I'll make surepolicy-vulnerabilitiesis updated to use the SBOM version, and the mock is removed.
This PR extends the sync-request metadata to include the new
SBOMfield. The Scout CLI will use this field when evaluating a policy locally to send the SBOM to the policy skill. The policy skill will consume it to build the mocks locally.This is piece of work is part of https://www.notion.so/dockerinc/Local-evaluation-Add-support-for-local-attestations-containerd-5a692d03dda94fd1970565113f1c7127?pvs=4.