Software Supply Chain Security with Singularity Cloud Services

By Staff
- Container producers can use SBOMs to document the contents of their work, and leverage automation to address the security, licensing and operational concerns connected with the use of open source software.
- Consumers further down the supply chain can leverage SBOMs to gain insight into the software containers they rely on to proactively identify vulnerabilities and drive risk management processes.
- Both producers and consumers can demonstrate compliance with emerging software supply chain requirements, for example Executive Order 14028 of May 2021 (Improving the Nation's Cybersecurity), which directs that purchasers of software be provided with an SBOM.
The walkthrough below starts from a minimal definition file that builds on Alpine and adds two packages:
$ cat alpine-sbom.def
bootstrap: docker
from: alpine:latest
%post
apk update
apk upgrade
apk add curl vim
The build request can then be submitted either through the Singularity command line or via the SCS web interface at https://cloud.sylabs.io.
To submit the remote build request from the Singularity command line:
$ singularity build --remote alpine-sbom.sif alpine-sbom.def
INFO: Access Token Verified!
INFO: Token stored in ...
INFO: Remote "cloud.sylabs.io" now in use.
INFO: Starting build...
Getting image source signatures
Copying blob sha256:213ec9aee27d8be...
Copying config sha256:29f453b10b9d6...
Writing manifest to image destination
Storing signatures
2022/11/10 20:42:37 info unpack layer: sha256:213ec9aee...
INFO: Creating SIF file...
INFO: Build complete: /tmp/image-286563138
INFO: Performing post-build operations
INFO: Generating SBOM for /tmp/image-286563138
INFO: Adding SBOM to SIF
INFO: Calculating SIF image checksum
INFO: Uploading image to library...
WARNING: Skipping container verification
INFO: Uploading 2801462 bytes
INFO: Image uploaded successfully.
INFO: Build complete: alpine-sbom.sif
Once the build has finished and the image has been pulled locally, singularity sif list shows the SBOM stored inside the image as its own descriptor (ID 5 here), alongside the definition file, the build metadata and the root filesystem:
$ singularity sif list alpine-sbom.sif
---------------------------------------------------------------------
ID   |GROUP   |LINK    |SIF POSITION (start-end)  |TYPE
---------------------------------------------------------------------
1    |1       |NONE    |32176-32215               |Def.FILE
2    |1       |NONE    |32215-34126               |JSON.Generic
3    |1       |NONE    |34126-34221               |JSON.Generic
4    |1       |NONE    |36864-2764800             |FS (Squashfs/*Syste...
5    |1       |NONE    |2764800-2801462           |SBOM
With the SBOM in hand, a consumer of the image can start from three questions:
- Are there any known vulnerabilities in the image?
- If there are known vulnerabilities, how severe are they?
- What actions should I take (if any) to improve the security of my image?
grype accepts an SBOM on standard input, so the SBOM stored in the SIF can be scanned without unpacking the image: dump the SBOM descriptor (ID 5 in the listing above) and pipe it to grype:
$ singularity sif dump 5 alpine-sbom.sif | grype
NAME  INSTALLED    FIXED-IN  TYPE  VULNERABILITY  SEVERITY
vim   8.2.5000-r0            apk   CVE-2022-2816  High
vim   8.2.5000-r0            apk   CVE-2022-2980  Medium
vim   8.2.5000-r0            apk   CVE-2022-2522  High
vim   8.2.5000-r0            apk   CVE-2022-2862  High
...
vim   8.2.5000-r0            apk   CVE-2022-2000  High
vim   8.2.5000-r0            apk   CVE-2022-2207  Critical
vim   8.2.5000-r0            apk   CVE-2022-2819  High
vim   8.2.5000-r0            apk   CVE-2022-2571  High
xxd   8.2.5000-r0            apk   CVE-2022-2304  High
xxd   8.2.5000-r0            apk   CVE-2022-2849  High
...
xxd   8.2.5000-r0            apk   CVE-2022-3153  Medium
xxd   8.2.5000-r0            apk   CVE-2022-3235  High
- Are there any known vulnerabilities in the image?
- Yes. The scan reports many known vulnerabilities, including at least one rated Critical (CVE-2022-2207).
- If there are known vulnerabilities, how severe are they?
- Two packages, vim and xxd (both built from the same vim source package at 8.2.5000-r0), carry vulnerabilities ranging from Medium to Critical. The empty FIXED-IN column means grype's vulnerability database recorded no fixed package version for this Alpine release at scan time, which is why the apk upgrade in the definition file did not remove them; rebuilding later, or against a newer base image, and rescanning is how you find out when a fix lands.
- What actions should I take (if any) to improve the security of my image?
- This is a risk decision more than a technical one, and there are several options. If the vulnerable components are not actually needed (an interactive editor rarely belongs in a production image), remove them from the definition file and rebuild. If they are needed, rebuild once a patched version is available, or substitute an alternative. Otherwise the risk may be acceptable for the use case, in which case record the justification alongside the SBOM so the decision can be revisited when the scan results change.
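The manual steps above (read the descriptor table from singularity sif list, run singularity sif dump on the SBOM descriptor, pipe it to grype, read the severity column) are easy to turn into a build gate. The script below is an added example written for this page, not code from the post or from Sylabs. It looks the SBOM descriptor ID up from the sif list output instead of hard-coding 5 (the ID depends on what else the SIF contains), parses grype's table output to find the worst severity and the number of affected packages, and fails when the worst finding reaches a threshold. The scan_sif function assumes singularity and grype are on PATH; the parsing helpers run offline on the constructed samples embedded in the script, which are trimmed copies of the output shapes shown on this page.

```sh
#!/bin/sh
# Added example (not from the Sylabs post): locate, dump and scan the SBOM in a
# SIF image, then gate on grype's worst severity. scan_sif assumes `singularity`
# and `grype` are on PATH; everything else runs offline on constructed samples.
set -eu

# Print the ID of the descriptor whose TYPE column is SBOM; return 1 if none.
sbom_descriptor_id() {
    printf '%s\n' "$1" | awk -F'|' '
        $NF ~ /^[[:space:]]*SBOM[[:space:]]*$/ { gsub(/[[:space:]]/, "", $1); print $1; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Numeric rank for a grype severity label, so labels can be compared.
severity_rank() {
    case "$1" in
        Critical) echo 4 ;;
        High)     echo 3 ;;
        Medium)   echo 2 ;;
        Low)      echo 1 ;;
        *)        echo 0 ;;   # Negligible, Unknown, None
    esac
}

# Highest severity label in grype's table output (last column); "None" if no rows.
max_severity() {
    printf '%s\n' "$1" | awk '
        BEGIN { rank["Critical"] = 4; rank["High"] = 3; rank["Medium"] = 2
                rank["Low"] = 1; rank["Negligible"] = 0; rank["Unknown"] = 0; best = -1 }
        NR > 1 && ($NF in rank) && rank[$NF] > best { best = rank[$NF]; worst = $NF }
        END { if (best < 0) print "None"; else print worst }'
}

# Number of distinct package names (NAME column) with at least one finding.
# Data rows have 5 fields when FIXED-IN is blank and 6 when it is filled in.
vulnerable_package_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 5 { seen[$1] = 1 }
                              END { n = 0; for (p in seen) n++; print n }'
}

# Succeed only if the worst finding is below the threshold (default High).
gate_on_severity() {
    worst=$(max_severity "$1")
    [ "$(severity_rank "$worst")" -lt "$(severity_rank "${2:-High}")" ]
}

# The real pipeline: find the SBOM descriptor of a local SIF, dump it, scan it.
scan_sif() {
    image=$1
    id=$(sbom_descriptor_id "$(singularity sif list "$image")") ||
        { echo "no SBOM descriptor in $image" >&2; return 2; }
    singularity sif dump "$id" "$image" | grype
}

# Constructed samples in the shapes the tools print, trimmed from the post.
SAMPLE_LIST='ID |GROUP |LINK |SIF POSITION (start-end) |TYPE
1 |1 |NONE |32176-32215 |Def.FILE
4 |1 |NONE |36864-2764800 |FS (Squashfs/*Syste...
5 |1 |NONE |2764800-2801462 |SBOM'

SAMPLE_GRYPE='NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
vim 8.2.5000-r0 apk CVE-2022-2816 High
vim 8.2.5000-r0 apk CVE-2022-2207 Critical
xxd 8.2.5000-r0 apk CVE-2022-3153 Medium'

# Offline demonstration; for a real image run: scan_sif alpine-sbom.sif
echo "SBOM descriptor: $(sbom_descriptor_id "$SAMPLE_LIST")"
echo "worst severity: $(max_severity "$SAMPLE_GRYPE") across $(vulnerable_package_count "$SAMPLE_GRYPE") package(s)"
if gate_on_severity "$SAMPLE_GRYPE" High; then echo "gate: pass"; else echo "gate: FAIL"; fi
```

In a CI job the last three lines would be replaced by scan_sif "$image" | tee grype.txt followed by gate_on_severity "$(cat grype.txt)" High, so the job fails on a High or Critical finding while the full table is kept as a build artifact next to the SIF.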
Conclusion
The automatic inclusion of an SBOM in images produced by the Remote Build capability of Singularity Container Services helps researchers and developers build more secure HPC workflows. We're excited to bring this functionality to Singularity Enterprise customers in the near future. With it, Sylabs continues to make the deployment of performance-intensive workloads simpler and more secure.