kyverno: [Bug] SBOM is not associated with digest corresponding to released tag
Kyverno Version
1.7.0
Description
In looking at the releaser CI action, the SBOM that is uploaded is not referencing the same digest as that of the tagged image.
The image kyverno/kyverno:v1.7.0 has a SHA256 digest of 1746bf4c3286c68bdf5412d1a3d8c645060736d012042556e320d954b8e633e4. The SBOM is being signed against an untagged image with a digest of 31238b385193fe96f9c02070fe87a9ebfafa26efc9fd78110293988a2c89a110. This in turn causes fetching of the SBOM to fail because the image tag resolves to a digest which does not have an SBOM.
$ COSIGN_REPOSITORY=ghcr.io/kyverno/sbom cosign download sbom ghcr.io/kyverno/kyverno:v1.7.0
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature.
Error: image not found in registry
main.go:52: error during command execution: image not found in registry
When the SBOM is fetched for the untagged image by referencing its digest, one is located.
$ COSIGN_REPOSITORY=ghcr.io/kyverno/sbom cosign download sbom ghcr.io/kyverno/kyverno@sha256:31238b385193fe96f9c02070fe87a9ebfafa26efc9fd78110293988a2c89a110 | jq .metadata.component
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature.
Found SBOM of media type: application/vnd.cyclonedx
{
  "bom-ref": "pkg:golang/github.com/kyverno/kyverno@v1.7.0?type=module#cmd/kyverno",
  "type": "application",
  "name": "github.com/kyverno/kyverno",
  "version": "v1.7.0",
  "purl": "pkg:golang/github.com/kyverno/kyverno@v1.7.0?type=module#cmd/kyverno",
  "externalReferences": [
    {
      "url": "https://github.com/kyverno/kyverno",
      "type": "vcs"
    }
  ],
  "properties": [
    {
      "name": "cdx:gomod:build:env:CGO_ENABLED",
      "value": "1"
    },
    {
      "name": "cdx:gomod:build:env:GOARCH",
      "value": "amd64"
    },
    {
      "name": "cdx:gomod:build:env:GOOS",
      "value": "linux"
    },
    {
      "name": "cdx:gomod:build:env:GOVERSION",
      "value": "go1.17.10"
    }
  ],
  "evidence": {
    "licenses": [
      {
        "license": {
          "id": "Apache-2.0"
        }
      }
    ]
  }
}
In the CI workflow, please ensure the SBOM is generated and pushed for the digest corresponding to the released tag.
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
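A release-pipeline guard for the gap described in this report, added here as an example that is not part of the issue or of the kyverno project's CI: it derives the cosign SBOM reference for the digest a tag actually resolves to and fails when that reference is missing. It assumes `crane` (from go-containerregistry) is installed for the network steps; the image and SBOM repository values are the ones from the issue.

```shell
#!/bin/sh
# Added example, not code from the kyverno repository: a post-release CI guard
# that fails when the SBOM was not attached to the digest the release tag
# resolves to. Assumes `crane` (go-containerregistry) for the network steps.
set -eu

# cosign stores an SBOM in COSIGN_REPOSITORY under a tag derived from the image
# digest: sha256-<hex>.sbom. Deriving that reference locally lets the guard
# probe for the SBOM directly instead of parsing cosign's output.
sbom_ref_for() {
  repo=$1; digest=$2      # e.g. ghcr.io/kyverno/sbom  sha256:1746bf4c...
  case "$digest" in
    sha256:*) ;;
    *) echo "expected a sha256: digest, got '$digest'" >&2; return 2 ;;
  esac
  printf '%s:sha256-%s.sbom\n' "$repo" "${digest#sha256:}"
}

# The mismatch from this issue: an SBOM exists, but for a digest the tag does
# not resolve to. Succeeds only when both digests are identical.
digests_match() {
  [ "$1" = "$2" ]
}

# Network steps: resolve the tag, derive the SBOM reference, and probe for it.
check_release_sbom() {
  image=$1; sbom_repo=$2   # e.g. ghcr.io/kyverno/kyverno:v1.7.0  ghcr.io/kyverno/sbom
  digest=$(crane digest "$image")
  ref=$(sbom_ref_for "$sbom_repo" "$digest")
  if crane manifest "$ref" >/dev/null 2>&1; then
    echo "OK: $image resolves to $digest and has an SBOM at $ref"
  else
    echo "FAIL: $image resolves to $digest but no SBOM exists at $ref" >&2
    return 1
  fi
}
```

Run `check_release_sbom ghcr.io/kyverno/kyverno:v1.7.0 ghcr.io/kyverno/sbom` as the last step of the release job so a tag published without an SBOM for its own digest fails the pipeline instead of being discovered by users.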
About this issue
- State: closed
- Created 2 years ago
- Comments: 22 (22 by maintainers)
Tested and is working with a pre-release for 1.8.1-rc1, but the final verification will be when the actual 1.8.1 release is generated.
That might be what it was originally pushed as, but the current tag of v1.7.0 doesn’t resolve to that digest. Question is why? @developer-guy we possibly could use your assistance on this one if you are so inclined.