We need to have SBoMs on our container images, in order to consume and compose them at a later stage for all of eve. This PR on eve does that for all of the in-eve-repo packages.
For this one, we need to do 2 things:
- Do our custom scanner/adder, which places a custom SBoM in the container image (already done earlier)
- Run the buildkit scanner with SBoM generation
For 2, it is straightforward. Taking one sample branch Makefile.eve, we already build with docker:

```makefile
kernel-build-%: sbom Makefile.eve
	@echo "Building kernel version $(BRANCH):$(VERSION)-$* with compiler $*"
	docker buildx build \
	--build-arg="SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)" \
	--build-arg="KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP)" \
	--build-arg="LOCALVERSION=$(VERSION)$(DIRTY)" \
	--platform $(PLATFORM) -t lfedge/eve-kernel:$(BRANCH)-$(VERSION)$(DIRTY)-$* --load -f Dockerfile.$* .
```

For this to work, we need to ensure we are running at least buildkit v0.11 (actual GA, not an -rc version), and add the flag --sbom=true to the image build.
That should do it. Once it is in place, you can check that it is there, see the blog post.
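As an added example (not EVE's own Makefile.eve), the two requirements above as a shell script: a version gate that accepts only a GA BuildKit of v0.11 or newer (rejecting -rc and other pre-release tags) and the same buildx invocation with `--sbom=true` added. `BUILDKIT_VERSION` is assumed to be supplied by the caller; obtaining it from the `Buildkit` line of `docker buildx inspect --bootstrap` is an assumption about that command's output and is left outside the script.

```shell
#!/bin/sh
# Added example: gate an EVE kernel build on BuildKit >= v0.11 GA (not -rc),
# then run docker buildx build with --sbom=true. Not EVE's own Makefile.eve.

# buildkit_ok VERSION: succeed only for a GA release >= 0.11.0 ("v" prefix ok)
buildkit_ok() {
    v=${1#v}
    case "$v" in
        *-rc*|*-beta*|*-alpha*) return 1 ;;   # pre-release tags are not GA
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ""|*[!0-9]*) return 1 ;;              # malformed version string
    esac
    [ "$major" -gt 0 ] || [ "$minor" -ge 11 ]
}

# image_tag BRANCH VERSION DIRTY COMPILER: the tag layout Makefile.eve uses
image_tag() {
    printf 'lfedge/eve-kernel:%s-%s%s-%s\n' "$1" "$2" "$3" "$4"
}

# run_build BRANCH VERSION DIRTY COMPILER PLATFORM: the build with an SBOM
# attestation attached. BUILDKIT_VERSION must be set by the caller
# (assumption: taken from the "Buildkit" line of `docker buildx inspect --bootstrap`).
run_build() {
    ver=${BUILDKIT_VERSION:?set BUILDKIT_VERSION first}
    if ! buildkit_ok "$ver"; then
        echo "BuildKit $ver is a pre-release or older than v0.11; --sbom needs v0.11 GA" >&2
        return 1
    fi
    docker buildx build \
        --sbom=true \
        --platform "$5" \
        -t "$(image_tag "$1" "$2" "$3" "$4")" \
        --load \
        -f "Dockerfile.$4" .
}
```

Source the file and call `run_build <branch> <version> <dirty-suffix> <compiler> <platform>`; the gate fails before docker is invoked when the BuildKit version does not qualify.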