
Implement Package Metadata ELF notes by including melange generated gcc specs for C, C++, Rust, Go. #39152

Draft
wants to merge 1 commit into base: main
Conversation

xnox
Member

@xnox xnox commented Jan 9, 2025

Cannot land this PR in one go, thus split openssf-compiler-options (first commit) into a separate PR to land first:

  • openssf-compiler-options: include melange spec files #39242

  • openssf-compiler-options: include melange spec files
    If it exists, include the melange generated spec file from the workspace.
    No errors are produced if the melange generated spec file is missing.

    Potentially worth exploring to also always load $HOME/.gcc.spec, which
    may make it easier to customize gcc spec files on a per-package basis.

  • Use new spec file with optional include
    As an e2e test for three packages (written in C/Go/Rust). This enables
    using the future spec file with melange generated spec file include.

    When these land in images, and SBOM/Vulnerability/Console all look
    good we can roll this out by default.

NB! This PR needs a melange that generates the dynamic gcc spec file, which is optionally included.

Once this lands for the three packages in question, images are tested, and any bugs/issues are resolved, we can remove the opt-in and make the ELF notes the default.
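
To make the optional include concrete, an illustrative pair of gcc spec fragments follows (added here for explanation; this is not the PR's diff and not melange's actual output, and the file name melange.gcc.spec plus the package values are assumptions). gcc's %include_noerr directive inserts the named spec file and stays silent when it is missing, and the generated file appends binutils' --package-metadata linker option, which is what produces the .note.package notes shown later in this thread; when wiring this up for real, check how the JSON survives spec-file and shell quoting.

```text
# openssf-compiler-options spec (illustrative): the optional include. When
# melange has not generated the file, the build proceeds with no note emitted.
%include_noerr <melange.gcc.spec>

# melange-generated melange.gcc.spec (illustrative): append the linker option
# so every binary linked in the workspace carries FDO_PACKAGING_METADATA.
*link:
+ --package-metadata={"type":"apk","os":"wolfi","name":"gops","version":"0.3.28-r15","architecture":"aarch64"}
```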

@xnox xnox changed the title ossf package notes Implement Package Metadata ELF notes by including melange generated gcc specs for C, C++, Rust, Go. Jan 9, 2025
@xnox xnox force-pushed the ossf-package-notes branch from 0199aff to fad19ce January 9, 2025 09:34
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages) Jan 9, 2025
@xnox xnox marked this pull request as draft January 10, 2025 11:38
xnox added a commit that referenced this pull request Jan 16, 2025
This is part 1 / pre-requisite to land:
- #39152

If it exists, include the melange generated spec file from the workspace.
No errors are produced if the melange generated spec file is missing.

Potentially worth exploring to also always load $HOME/.gcc.spec, which
may make it easier to customize gcc spec files on a per-package basis.
@xnox xnox force-pushed the ossf-package-notes branch 2 times, most recently from ee36bce to 3bad54d January 23, 2025 01:33
As an e2e test for three packages (written in C/Go/Rust). This enables
using the future spec file with melange generated spec file include.

When these land in images, and SBOM/Vulnerability/Console all look
good we can roll this out by default.
@xnox xnox force-pushed the ossf-package-notes branch from 3bad54d to 3880c2c January 23, 2025 01:35
@xnox xnox added the approved-to-run A repo member has approved this external contribution label Jan 23, 2025
@xnox xnox marked this pull request as ready for review January 23, 2025 02:37
@xnox
Member Author

xnox commented Jan 23, 2025

This now builds with elf notes; it will affect gitlab and cilium images.

$ readelf --notes *

File: gops

Displaying notes found in: .note.ABI-tag
  Owner                Data size 	Description
  GNU                  0x00000010	NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 4.9.0

Displaying notes found in: .note.package
  Owner                Data size 	Description
  FDO                  0x0000005c	FDO_PACKAGING_METADATA
    Packaging Metadata: {"type":"apk","os":"wolfi","name":"gops","version":"0.3.28-r15","architecture":"aarch64"}

Displaying notes found in: .note.go.buildid
  Owner                Data size 	Description
  Go                   0x00000053	GO BUILDID
   description data: 71 6b 30 50 7a 4f 5a 53 53 4e 78 4a 58 49 6f 62 49 7a 75 67 2f 76 4e 36 70 74 56 39 4e 31 70 67 2d 76 71 48 44 4f 78 70 45 2f 65 68 50 47 67 47 4b 75 63 62 37 4b 46 5a 59 52 57 4e 78 53 2f 6a 4d 61 43 35 55 4d 45 77 46 6c 37 69 63 70 6c 63 6f 70 77 

File: rust-audit-info

Displaying notes found in: .note.gnu.property
  Owner                Data size 	Description
  GNU                  0x00000010	NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA needed: x86-64-baseline, x86-64-v2

Displaying notes found in: .note.ABI-tag
  Owner                Data size 	Description
  GNU                  0x00000010	NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 4.9.0

Displaying notes found in: .note.package
  Owner                Data size 	Description
  FDO                  0x00000064	FDO_PACKAGING_METADATA
    Packaging Metadata: {"type":"apk","os":"wolfi","name":"rust-audit-info","version":"0.5.4-r1","architecture":"x86_64"}

File: scanelf

Displaying notes found in: .note.gnu.property
  Owner                Data size 	Description
  GNU                  0x00000040	NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
	x86 ISA needed: x86-64-baseline, x86-64-v2
	x86 feature used: x86, XMM
	x86 ISA used: x86-64-baseline

Displaying notes found in: .note.ABI-tag
  Owner                Data size 	Description
  GNU                  0x00000010	NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 4.9.0

Displaying notes found in: .note.package
  Owner                Data size 	Description
  FDO                  0x0000005c	FDO_PACKAGING_METADATA
    Packaging Metadata: {"type":"apk","os":"wolfi","name":"pax-utils","version":"1.3.8-r2","architecture":"x86_64"}
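
For a defender who wants to consume these notes (for example to map a crashing binary or a scanned image back to its apk), here is a small parser for the .note.package format, added as an example and not code from this PR or from wolfictl; the note type value 0xcafe1a7e and the "FDO" owner are taken from the systemd package-metadata spec, and the sample section bytes are constructed inline from the gops metadata in the readelf output above.

```python
import json
import struct

# Note type from the systemd "Package Metadata for Core Files" spec; the owner
# is "FDO" and the note lives in the .note.package section.
NT_FDO_PACKAGING_METADATA = 0xCAFE1A7E


def _align4(n: int) -> int:
    return (n + 3) & ~3


def build_note(owner: str, ntype: int, desc: bytes) -> bytes:
    """Serialise one little-endian ELF note: Elf_Nhdr, padded name, padded desc."""
    name = owner.encode() + b"\0"
    hdr = struct.pack("<III", len(name), len(desc), ntype)
    return hdr + name.ljust(_align4(len(name)), b"\0") + desc.ljust(_align4(len(desc)), b"\0")


def iter_notes(blob: bytes):
    """Yield (owner, type, desc) for every note in a .note.* section or PT_NOTE segment."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        owner = blob[off:off + namesz].rstrip(b"\0").decode("ascii", "replace")
        off += _align4(namesz)
        desc = blob[off:off + descsz]
        off += _align4(descsz)
        yield owner, ntype, desc


def package_metadata(blob: bytes):
    """Return the FDO_PACKAGING_METADATA JSON as a dict, or None if absent or malformed."""
    for owner, ntype, desc in iter_notes(blob):
        if owner == "FDO" and ntype == NT_FDO_PACKAGING_METADATA:
            try:
                return json.loads(desc.rstrip(b"\0").decode("utf-8"))
            except (UnicodeDecodeError, ValueError):  # truncated or non-JSON payload
                return None
    return None


# Constructed sample section: an NT_GNU_ABI_TAG note (Linux 4.9.0) followed by the
# gops note from the readelf output, so the parser has to skip an unrelated note.
GOPS_META = {"type": "apk", "os": "wolfi", "name": "gops",
             "version": "0.3.28-r15", "architecture": "aarch64"}
SAMPLE_SECTION = (
    build_note("GNU", 1, struct.pack("<IIII", 0, 4, 9, 0))
    + build_note("FDO", NT_FDO_PACKAGING_METADATA,
                 json.dumps(GOPS_META, separators=(",", ":")).encode() + b"\0")
)

if __name__ == "__main__":
    print(package_metadata(SAMPLE_SECTION))
```

On a real binary the raw section bytes can be dumped with `objcopy -O binary --only-section=.note.package <file> notes.bin` and handed to package_metadata().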

@xnox xnox requested a review from dannf January 23, 2025 02:39
@xnox xnox marked this pull request as draft January 23, 2025 02:45
@xnox
Member Author

xnox commented Jan 23, 2025

and boom

$ wolfictl scan scanelf-1.3.8-r2.apk
🔎 Scanning "scanelf-1.3.8-r2.apk"
2025/01/23 02:43:49 ERRO failed to scan "scanelf-1.3.8-r2.apk": failed to scan APK: expected exactly one APK package, found 2

@xnox
Member Author

xnox commented Jan 23, 2025

@xnox xnox added the blocked (indicates there are blocking issues that need to be addressed before progress can be made) and eng:containers labels and removed the eng:containers label Jan 23, 2025