Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Proposed Solution

When publishing a binary package from GitHub Actions, such as a NuGet package:

  1. Build an SBOM file
  2. Build a provenance file
  3. Publish binary artifact to the relevant artifact repository (e.g. Azure Artifacts for NuGet packages)
  4. If this is a production release
    1. Create a release in GitHub
    2. Attach SBOM to the release
    3. Attach provenance to the release

On step 4, if there is no clear distinction during the build process between pre-release and production release, then simply create a GitHub release every time. 

The SBOM and provenance files can be saved as artifacts on the job; however, they will have a limited availability due to retention policies. The GitHub Release provides permanent storage for these files.

Proof of Concept

SBOM

Microsoft has produced a .NET tool for generating SBOMs, an open sourced it in July, 2022: Microsoft open sources its software bill of materials (SBOM) generation tool. This tool appears to be a good start for our needs, though no doubt we will need to iterate on process - and potentially tool - as we learn more about SBOMs.

To use it:

  1. Create NuGet package(s) that will be covered by the SBOM.
  2. Download the tool.
  3. Generate a manifest list - the list of NuGet packages to be inspected.
  4. Run the tool with proper parameters

The following code will run this in Bash:

curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 --silent
chmod +x sbom-tool
find ./*.nupkg  -printf "%f\n" > buildfilelist.txt
mkdir manifest
sbom-tool generate \
            -b ./ \
            -bl ./buildfilelist.txt \
            -bc ./Application/ \
            -pn AdminApp \
            -pv "0.0.1" \
            -nsb https://ed-fi.org \
            -m manifest -ps "Ed-Fi Alliance"

The pv parameter is the product version; in this demonstration it is hard-coded to "0.0.1".

Provenance

The SLSA community has created a set of tools for use in GitHub to generate provenance information, at https://github.com/slsa-framework/slsa-github-generator. This tool is described in a Google developer blog post, Improving software supply chain security with tamper-proof builds.

The tool is easily integrated into GitHub Actions. Understanding the provenance is non-trivial; since the people defining the standard for provenance is responsible for this tool, we assume it is generating it correctly.

The  tool requires a hash value of the packages files. The following only generates one hash value, and this might not be correct. Needs further research.

echo "::set-output name=hashes::$(sha256sum *.nupkg | base64 -w0)"




  • No labels