Generating SBOMs for confidential Kubernetes is easier than you think!

Constellation, our Confidential Kubernetes engine, is now open source. Check it out on GitHub or say Hi on Discord.

Constellation is an infrastructure product and includes several different components:

A command-line interface (CLI) manages the life-cycle of the Confidential Kubernetes cluster

In-cluster services provide features such as key management and secure node administration

A node operator handles upgrades of cluster nodes

All of these components could include a dependency with known vulnerabilities! How do we get the full picture to keep track of all our dependencies?

Software Bill of Materials

An SBOM comprises a list of all dependencies for a given software artifact in a standard data format, such as SPDX or CycloneDX. For more background on SBOMs see NTIA's overview.

Last year, many companies scrambled to determine, whether software they were running in production was vulnerable to Log4Shell. SBOMs allow organizations to answer these questions easily!

Generating SBOMs

Syft allows us to generate an SBOM for several different types of artifacts, using so-called catalogers. Supported ecosystems include OS level package managers, programming language build systems, container images, and file systems.

Go Modules

Go already keeps track of its dependencies via the go.mod and go.sum files. Running Syft from our go module's root directory will produce an SBOM based on these files!

syft --catalogers go-mod-file --file constellation.spdx.sbom -o

spdx-json

Container Images

Syft is also able to scan images from container registries. Instead of passing a local file system path, we simply provide the image reference and an SBOM for our container will be generated.

Having minimal container images based on scratch or distroless helps to keep the attack surface low!

CONTAINER_VERSION=v2.0.0 syft

ghcr.io/edgelesssys/constellation/verification-

service:${CONTAINER_VERSION} --file verification-

service.spdx.sbom -o spdx-json syft ghcr.io/edgelesssys/constellation/access-

manager:${CONTAINER_VERSION} --file access-manager.spdx.sbom -o

spdx-json syft ghcr.io/edgelesssys/constellation/join-

service:${CONTAINER_VERSION} --file join-service.spdx.sbom -o

spdx-json syft

ghcr.io/edgelesssys/constellation/kmsserver:${CONTAINER_VERSION}

--file kmsserver.spdx.sbom -o spdx-json syft

ghcr.io/edgelesssys/constellation/node-

operator:${CONTAINER_VERSION} --file node-operator.spdx.sbom -o

spdx-json

There is (experimental) support in docker CLI to generate an SBOM, which also uses Syft under the hood!

Conclusion

Syft helped us to easily and continuously generate SBOMs for our releases.

Customers can be assured that they have the full picture of what is included in our product and can import our SBOMs to solutions such as Dependency Track or BlackDuck to stay on top of vulnerabilities and upgrade Constellation to receive the latest mitigations in time!

Follow Edgeless Systems, to learn how we use SBOMs to keep Constellation secure and users in the loop on known vulnerabilities.

Author: Fabian Kammel