
Codenotary SBOM integration

Sonia Boldyreva edited this page Oct 6, 2022 · 1 revision

About SBOM

SBOM, which stands for Software Bill of Materials, lists the open source and third-party components of a codebase, including licensing information, component versions, and any known vulnerabilities in those components.

The AlmaLinux Build System has SBOM generation built into its pipeline for security purposes:

  • Tracing the whole build process, from pulling sources from CentOS git repositories to releasing a verified and signed package in the public repository
  • Making the build pipeline more secure, for example by ensuring that only trusted sources are used for builds and by limiting the consequences of an attack
  • Reducing the number of ways data can be corrupted

Codenotary Community Attestation Service

Integrating Codenotary Community Attestation Service (CAS) with the AlmaLinux Build System establishes a chain of trust that can be traced end to end. Each stage goes through authentication and notarization:

  • All sources pulled by the Git Updater are notarized, and the CAS hash of the upstream commit is stored.
  • After the AlmaLinux git repository is updated with these upstream sources, the AlmaLinux sources are notarized together with the upstream CAS hash. The CAS hash of the AlmaLinux commit is stored for tracing the source.
  • On receiving a build task, the Build Node finds and clones the AlmaLinux git repository. It authenticates the git commit using CAS; if the commit is notarized and trusted, the packages from AlmaLinux git are built. If the git commit is untrusted, the build is marked as having unverifiable sources.
  • When the build completes, the build artifacts are notarized and their CAS hashes are stored.
  • The Build Node uploads the build artifacts to PULP. PULP stores only notarized and trusted artifacts, that is, artifacts that passed authentication via CAS.
  • The Sign Node downloads the unsigned package from PULP according to the assigned sign task. If the unsigned package is authenticated as notarized and trusted, the Sign Node signs it and sends the signed package to CAS for notarization. The CAS hash is stored.
  • The Sign Node uploads the signed package back to PULP. PULP authenticates the package via CAS, checking that it is notarized and trusted, and sends a report with the status and CAS hash to the Build Master Service.
  • A user can use CAS to authenticate a downloaded package and confirm that it is notarized and trusted.
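As an added illustration (not code from AlmaLinux or Codenotary), the following Python models the gating described in the stages above with a toy in-memory ledger standing in for CAS. The Ledger class, the SIGNER value, the role names and all metadata keys other than unsigned_hash and alma_commit_sbom_hash (which appear in the CAS output later on this page) are constructed; a real pipeline calls the CAS CLI or API instead. It shows why an artifact built from an unverified commit never reaches PULP, and how the stored hashes let you walk from a signed package back to the upstream commit.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

SIGNER = "signer@example.org"  # constructed signer id standing in for the CAS signer


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Toy in-memory attestation ledger standing in for CAS. It records a
    hash, who notarized it and some metadata, and answers TRUSTED,
    UNTRUSTED or UNKNOWN when asked to authenticate a (hash, signer) pair."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], dict] = {}

    def notarize(self, digest: str, signer: str, **metadata: str) -> None:
        self.entries[(digest, signer)] = {"status": "TRUSTED", "metadata": dict(metadata)}

    def untrust(self, digest: str, signer: str) -> None:
        self.entries[(digest, signer)]["status"] = "UNTRUSTED"

    def authenticate(self, digest: str, signer: str) -> str:
        entry = self.entries.get((digest, signer))
        return entry["status"] if entry else "UNKNOWN"

    def metadata(self, digest: str, signer: str) -> Dict[str, str]:
        return self.entries[(digest, signer)]["metadata"]


def git_updater(ledger: Ledger, upstream_commit: bytes, alma_commit: bytes) -> str:
    """Notarize the upstream commit, then the AlmaLinux commit linked to it."""
    upstream_hash = sha256(upstream_commit)
    ledger.notarize(upstream_hash, SIGNER, source_type="git", role="upstream")
    alma_hash = sha256(alma_commit)
    ledger.notarize(alma_hash, SIGNER, source_type="git", upstream_sbom_hash=upstream_hash)
    return alma_hash


def build_node(ledger: Ledger, alma_commit_hash: str, artifact: bytes) -> Tuple[str, str]:
    """Authenticate the commit before building. The artifact of an untrusted
    or unknown commit is not notarized and the build is flagged."""
    artifact_hash = sha256(artifact)
    if ledger.authenticate(alma_commit_hash, SIGNER) != "TRUSTED":
        return artifact_hash, "unverifiable sources"
    ledger.notarize(artifact_hash, SIGNER, build_id="4377", alma_commit_sbom_hash=alma_commit_hash)
    return artifact_hash, "verified"


def pulp_accept(ledger: Ledger, digest: str) -> bool:
    """PULP stores only artifacts that authenticate as TRUSTED."""
    return ledger.authenticate(digest, SIGNER) == "TRUSTED"


def sign_node(ledger: Ledger, unsigned_hash: str, signed_artifact: bytes) -> Optional[str]:
    """Sign only a trusted unsigned package; the signed file gets its own
    notarization that points back at the unsigned hash."""
    if not pulp_accept(ledger, unsigned_hash):
        return None
    signed_hash = sha256(signed_artifact)
    ledger.notarize(signed_hash, SIGNER, unsigned_hash=unsigned_hash)
    return signed_hash


# metadata keys that link one notarized object to the one it was made from
_LINKS = ("unsigned_hash", "alma_commit_sbom_hash", "upstream_sbom_hash")


def trace(ledger: Ledger, digest: str) -> Tuple[List[str], bool]:
    """Follow the links signed -> unsigned -> AlmaLinux commit -> upstream commit.
    Returns the hashes visited and whether every hop authenticated as TRUSTED."""
    chain = [digest]
    while True:
        if ledger.authenticate(digest, SIGNER) != "TRUSTED":
            return chain, False
        metadata = ledger.metadata(digest, SIGNER)
        nxt = next((metadata[k] for k in _LINKS if k in metadata), None)
        if nxt is None:
            return chain, True
        digest = nxt
        chain.append(digest)
```

The point of trace is that trust is re-checked at every hop: revoking (untrusting) the AlmaLinux commit after the fact makes the chain of an already signed package come back incomplete, which is the signal a consumer should act on.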

AlmaLinux SBOM project

Because SBOM generation is implemented in the AlmaLinux Build System pipeline, each build carries a sign that indicates whether the build is trusted:

  • A blue key indicates a trusted build. Hovering over it shows the CAS hash; click it to copy the CAS hash of the package for generating an SBOM record.
  • A red crossed key indicates a build that is not authenticated or notarized.

Such signs can be seen near build sources and build artifacts.

AlmaLinux SBOM data management utility

AlmaLinux developed an SBOM data management utility that lets you create SBOM records for builds and packages from the command line. The utility is built on CycloneDX. Before using the CLI, please check the requirements.

Follow these steps to create an SBOM record:

  • Clone the AlmaLinux SBOM repository and switch to its directory

  • Create a python virtual environment:

    python3.9 -m venv env
    
  • Activate the virtual environment:

    source env/bin/activate
    
  • Install dependencies:

    python setup.py install
    
  • Run the python alma_sbom.py command with arguments to create an SBOM record. The AlmaLinux SBOM utility accepts the following options:

    • --output-file - the file name to save the generated SBOM to. Without this argument, the generated SBOM is printed to the terminal.
    • --file-format - the SBOM type and file format to generate. At the moment, only the CycloneDX type is supported; SPDX support will be added shortly. The file format has to be JSON or XML (the examples below use cyclonedx-json).
    • --build-id or --rpm-package-hash - exactly one of these two arguments, the build ID or the CAS hash of the package, has to be provided.
    • --signer-id - the CAS signer ID. By default [email protected] is used; provide a different CAS signer ID if needed.
    • --albs-url - the URL of the AlmaLinux Build System, if different from the production one, https://build.almalinux.org

    Here is the command example of generating an SBOM record using the build ID option:

    python alma_sbom.py --output-file 4377.json --file-format cyclonedx-json --build-id 4377
    

    The command example with the CAS hash of the package:

    python alma_sbom.py --output-file 4377.json --file-format cyclonedx-json --rpm-package-hash ea86fc90016f326941cfe2f66f9b7b4f543fe322a76c6cdedd164d6efb874d3c
    

    Here is the sample output you can see:

{
   "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", # schema version from CycloneDX
   "bomFormat": "CycloneDX", # only the CycloneDX format is supported at the moment
   "specVersion": "1.4",
   "serialNumber": "urn:uuid:75c9eea3-cb31-46b8-9d9e-d02729ccc161",
   "version": 2,
   "metadata": {
       "timestamp": "2022-09-28T22:09:37.885379+00:00", # date-time stamp when the SBOM record was created
       "tools": [ # a list of tools and resources that were used to create the SBOM record
           {
               "vendor": "AlmaLinux OS Foundation", # AlmaLinux Build System
               "name": "AlmaLinux Build System",
               "version": "0.1"
           },
           {
               "vendor": "AlmaLinux OS Foundation", # AlmaLinux SBOM utility
               "name": "alma-sbom",
               "version": "0.0.1"
           },
           {
               "vendor": "Codenotary Inc", # Community Attestation Service 
               "name": "Community Attestation Service (CAS)",
               "version": "1.0.0"
           },
           {
                "vendor": "CycloneDX", # CycloneDX library used to develop the CLI
               "name": "cyclonedx-python-lib",
               "version": "2.7.1",
               "externalReferences": [
                   {
                       "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions",
                       "type": "build-system"
                   },
                   
                   ...
                   
               ]
           }
       ],
       "component": { # a component (package) the SBOM record was generated for
           "type": "library", # type defined according to CycloneDX
           "bom-ref": "97ce7b5f-6570-43e0-8a57-9216bd88f94b", # BOM reference
           "author": "eabdullin1 <[email protected]>", # author of the build
           "name": "build-4377", # the build ID
           "properties":[ # a list of the component's properties
               {
                   "name": "almalinux:albs:build:ID", # the build ID
                   "value": "4377"
               },
               {
                   "name": "almalinux:albs:build:URL", # the build URL
                   "value": "https://build.almalinux.org/build/4377"
               },
               {
                    "name": "almalinux:albs:build:timestamp", # date-time stamp when the build was created in the AlmaLinux Build System
                   "value": "2022-09-16T13:06:23.304884"
               }
           ]
       }
   },
   "components": [ # a list of components (packages) that are build artifacts and package metadata
       {
           "type": "library",
           "bom-ref": "9bea972d-e7f9-4a38-8925-c3ff2cc37c16",
           "publisher": "AlmaLinux",
           "name": "aspnetcore-runtime-6.0",
           "version": "6.0.9",
           "hashes": [
               {
                   "alg": "SHA-256",
                   "content": "5e91bb959adb8f9f28cb631904bce513c3fc3ca5597b2f235512a43ec3e0e834"
               }
           ],
           "cpe": "cpe:2.3:a:almalinux:aspnetcore-runtime-6.0:6.0.9-1.el8_6:*:*:*:*:*:*:*",
            "purl": "pkg:rpm/almalinux/aspnetcore-runtime-6.0@6.0.9-1.el8_6?arch=s390x",
           "properties": [
               {
                   "name": "almalinux:abls:build:packageType",
                   "value": "rpm"
               },
               
                ...

               {
                   "name": "almalinux:sbom:casHash", # each build artifact is notarized with CAS; this CAS hash value can be used to see SBOM information using the CAS tool
                   "value": "5e91bb959adb8f9f28cb631904bce513c3fc3ca5597b2f235512a43ec3e0e834"
               }
           ]
       }
    ]
}

Note: The CAS hash of a build artifact, shown under components in the SBOM record output, can be used to look up the SBOM information with the CAS tool. See the Using the CAS tool section.
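A consumer of these records usually wants two checks: that each component's almalinux:sbom:casHash agrees with the SHA-256 listed in its hashes entry, and that a downloaded package really has that SHA-256. The following Python is an added example, not part of the alma-sbom utility; the SBOM document, the package payload and the tampered-pkg component are constructed inline, and it assumes (as the sample above shows, where both values are identical) that the CAS hash of a file artifact is its SHA-256.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a trimmed CycloneDX 1.4 document in the shape of the
# alma_sbom.py output above. The payload and hashes are made up; the second
# component deliberately carries a casHash that does not match its SHA-256.
SAMPLE_RPM = b"constructed rpm payload, not a real package\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_RPM).hexdigest()

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {
            "type": "library",
            "name": "build-4377",
            "properties": [{"name": "almalinux:albs:build:ID", "value": "4377"}],
        }
    },
    "components": [
        {
            "type": "library",
            "name": "example-pkg",
            "version": "1.0",
            "hashes": [{"alg": "SHA-256", "content": SAMPLE_SHA256}],
            "properties": [
                {"name": "almalinux:abls:build:packageType", "value": "rpm"},
                {"name": "almalinux:sbom:casHash", "value": SAMPLE_SHA256},
            ],
        },
        {
            "type": "library",
            "name": "tampered-pkg",
            "version": "2.0",
            "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
            "properties": [{"name": "almalinux:sbom:casHash", "value": "11" * 32}],
        },
    ],
})


@dataclass
class SbomComponent:
    name: str
    version: str
    sha256: Optional[str]
    cas_hash: Optional[str]


def _props(obj: dict) -> Dict[str, str]:
    """Flatten a CycloneDX properties list into a name -> value mapping."""
    return {p["name"]: p["value"] for p in obj.get("properties", [])}


def build_id(sbom_text: str) -> Optional[str]:
    """The ALBS build ID recorded in metadata.component.properties."""
    doc = json.loads(sbom_text)
    return _props(doc["metadata"]["component"]).get("almalinux:albs:build:ID")


def load_components(sbom_text: str) -> List[SbomComponent]:
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for comp in doc.get("components", []):
        sha = next((h["content"].lower() for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"), None)
        cas = _props(comp).get("almalinux:sbom:casHash")
        out.append(SbomComponent(comp["name"], comp.get("version", ""), sha,
                                 cas.lower() if cas else None))
    return out


def cas_hash_consistent(comp: SbomComponent) -> bool:
    """Assumption: the CAS hash of a file artifact is its SHA-256. A mismatch
    means the SBOM entry was not produced from the notarized artifact."""
    return comp.sha256 is not None and comp.cas_hash == comp.sha256


def verify_file(comp: SbomComponent, data: bytes) -> bool:
    """Check a downloaded package against the SBOM's SHA-256 before trusting it."""
    return comp.sha256 is not None and hashlib.sha256(data).hexdigest() == comp.sha256


def audit(sbom_text: str) -> Dict[str, bool]:
    """Per-component verdict of the casHash/SHA-256 consistency check."""
    return {c.name: cas_hash_consistent(c) for c in load_components(sbom_text)}


if __name__ == "__main__":
    print("build", build_id(SAMPLE_SBOM), audit(SAMPLE_SBOM))
```

To run it against a real record, replace SAMPLE_SBOM with the contents of the file written by --output-file and pass the bytes of the downloaded RPM to verify_file.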

Using the CAS tool

Implementing SBOM into the AlmaLinux Build System pipeline also made it possible to check SBOM information using the CAS CLI.

  • Follow the CAS instructions to get the CAS utility and an API key, and log in so that you can authenticate packages.
  • Get the CAS hash of the package from the AlmaLinux Build System.
  • Run the cas authenticate command with options:

    cas authenticate --signerID [email protected] --hash 5e91bb959adb8f9f28cb631904bce513c3fc3ca5597b2f235512a43ec3e0e834

Here is a sample of the output. It shows all the information about the package, including the CAS hashes of the package and of the commit it was built from, the package metadata, and the status indicating whether the package is trusted.

UID:		1663343942488246909
Kind:		file
Name:		aspnetcore-runtime-6.0-6.0.9-1.el8_6.s390x.rpm
Hash:		5e91bb959adb8f9f28cb631904bce513c3fc3ca5597b2f235512a43ec3e0e834
Size:		2.9 MB
Timestamp:	2022-09-16 15:59:02.488246909 +0000 UTC
ContentType:	application/x-rpm
Metadata:	build_arch="s390x"
		built_by="eabdullin1 \[email protected]\u003e"
		sbom_api="0.1"
		source_type="git"
		unsigned_hash="9e2ed61a4212935a8ccb67a6c683a65ba9d1e9308c5b1d5b3a7d667099284f54"
		alma_commit_sbom_hash="36b6b6f605dd7f343fd04bd95512bf74db012921c554ec3f3b08c2f72eb112c7"
		build_id="4377"
		git_commit="36d9020ae1b1ed268ab84c3fcab537859e781dc0"
		git_ref="imports/c8/dotnet6.0-6.0.109-1.el8_6"
		git_url="https://git.almalinux.org/rpms/dotnet6.0.git"
		build_host="https://build.almalinux.org/api/v1/"
SignerID:	Y2xvdWQtaW5mcmFAYWxtYWxpbnV4Lm9yZw==
Apikey revoked:	no
Status:		TRUSTED

You can use the alma_commit_sbom_hash to see the same information about the source that was used to build the package.
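When the check is scripted rather than read by eye, the decision should rest on more than the Status line: the API key must not be revoked, and the record must come from the signer you asked for, not merely from some signer. The Python below is an added example, not part of the cas tool; it parses the key/value layout shown above into a dict (the indented lines under Metadata become a nested dict), applies those checks, and pulls out alma_commit_sbom_hash for the follow-up authenticate. The sample output, the signer address and every hash are constructed. It also assumes that the SignerID field is the base64 encoding of the signer's e-mail address, which is what decoding the value shown above suggests.

```python
import base64
import re
from typing import Dict, Optional

# Constructed sample in the shape of the `cas authenticate` output shown above.
# Every value is made up; the signer id is base64 of a constructed address.
SIGNER_EMAIL = "signer@example.org"
SIGNER_ID_B64 = base64.b64encode(SIGNER_EMAIL.encode()).decode()
SAMPLE_HASH = "ab" * 32
SAMPLE_COMMIT_HASH = "cd" * 32
SAMPLE_CAS_OUTPUT = "\n".join([
    "UID:\t\t1000000000000000001",
    "Kind:\t\tfile",
    "Name:\t\texample-1.0-1.el8.x86_64.rpm",
    f"Hash:\t\t{SAMPLE_HASH}",
    "Size:\t\t1.2 MB",
    "Timestamp:\t2022-09-16 15:59:02.488246909 +0000 UTC",
    "ContentType:\tapplication/x-rpm",
    'Metadata:\tbuild_arch="x86_64"',
    '\t\tbuild_id="4377"',
    f'\t\talma_commit_sbom_hash="{SAMPLE_COMMIT_HASH}"',
    '\t\tgit_url="https://git.almalinux.org/rpms/example.git"',
    f"SignerID:\t{SIGNER_ID_B64}",
    "Apikey revoked:\tno",
    "Status:\t\tTRUSTED",
])

# one metadata entry: key="value", possibly indented
_META_LINE = re.compile(r'\s*(\w+)="(.*)"\s*')


def parse_cas_output(text: str) -> Dict[str, object]:
    """Parse the key/value layout into a dict; Metadata becomes a nested dict."""
    record: Dict[str, object] = {}
    metadata: Dict[str, str] = {}
    in_metadata = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in "\t ":
            # indented continuation line, only meaningful inside Metadata
            m = _META_LINE.fullmatch(raw)
            if in_metadata and m:
                metadata[m.group(1)] = m.group(2)
            continue
        # split on the first colon only: values such as the Timestamp contain colons
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        in_metadata = key == "Metadata"
        if in_metadata:
            m = _META_LINE.fullmatch(value)
            if m:
                metadata[m.group(1)] = m.group(2)
        else:
            record[key] = value
    record["Metadata"] = metadata
    return record


def signer_email(record: Dict[str, object]) -> str:
    """SignerID is shown base64-encoded (assumption); decode it for comparison."""
    return base64.b64decode(str(record.get("SignerID", ""))).decode(errors="replace")


def is_trusted(record: Dict[str, object], expected_signer: str) -> bool:
    """Accept a package only if CAS says TRUSTED, the key is not revoked,
    and the record was notarized by the signer you asked for."""
    return (record.get("Status") == "TRUSTED"
            and record.get("Apikey revoked") == "no"
            and signer_email(record) == expected_signer)


def commit_sbom_hash(record: Dict[str, object]) -> Optional[str]:
    """Hash to feed into the next `cas authenticate` to check the sources."""
    meta = record.get("Metadata", {})
    return meta.get("alma_commit_sbom_hash") if isinstance(meta, dict) else None


if __name__ == "__main__":
    rec = parse_cas_output(SAMPLE_CAS_OUTPUT)
    print(rec["Name"], is_trusted(rec, SIGNER_EMAIL), commit_sbom_hash(rec))
```

In practice the text fed to parse_cas_output is the captured stdout of the cas authenticate command above; the same parser then handles the second lookup on the alma_commit_sbom_hash value, so the package and the source it was built from are checked the same way.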

Contributing and filing bugs

Check the contributing section if you are interested in contributing to the AlmaLinux SBOM data management utility. If you found a bug or have a question, please, file an issue.