diff --git a/SECURITY.md b/SECURITY.md index 2e1eb3a1e9..76fd9aaa9a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,6 +12,31 @@ The following versions of VictoriaMetrics receive regular security fixes: See [this page](https://victoriametrics.com/security/) for more details. +## Software Bill of Materials (SBOM) + +Every VictoriaMetrics container{{% available_from "#" %}} image published to +[Docker Hub](https://hub.docker.com/u/victoriametrics) +and [Quay.io](https://quay.io/organization/victoriametrics) +includes an [SPDX](https://spdx.dev/) SBOM attestation +generated automatically by BuildKit during +`docker buildx build`. + +To inspect the SBOM for an image: + +```sh +docker buildx imagetools inspect \ + docker.io/victoriametrics/victoria-metrics:latest \ + --format "{{ json .SBOM }}" +``` + +To scan an image using its SBOM attestation with +[Trivy](https://github.com/aquasecurity/trivy): + +```sh +trivy image --sbom-sources oci \ + docker.io/victoriametrics/victoria-metrics:latest +``` + ## Reporting a Vulnerability Please report any security issues to diff --git a/deployment/docker/Makefile b/deployment/docker/Makefile index 1491541dfb..d466b53e13 100644 --- a/deployment/docker/Makefile +++ b/deployment/docker/Makefile @@ -100,6 +100,7 @@ publish-via-docker: ) \ -o type=image \ --provenance=false \ + --sbom=true \ -f app/$(APP_NAME)/multiarch/Dockerfile \ --push \ bin @@ -120,6 +121,7 @@ publish-via-docker: ) \ -o type=image \ --provenance=false \ + --sbom=true \ -f app/$(APP_NAME)/multiarch/Dockerfile \ --push \ bin diff --git a/docs/victoriametrics/Release-Guide.md b/docs/victoriametrics/Release-Guide.md index 6d9d6c40e9..bed065fa21 100644 --- a/docs/victoriametrics/Release-Guide.md +++ b/docs/victoriametrics/Release-Guide.md 
@@ -134,6 +134,14 @@ and the candidate is deployed to the sandbox environment. * linux/ppc64le * linux/386 This step can be run manually with the command `make publish` from the needed git tag. + * c) [SPDX](https://spdx.dev/) SBOM attestations are + generated automatically by BuildKit during + `docker buildx build` (`--sbom=true`). SBOMs can + be inspected with + `docker buildx imagetools inspect --format "{{ json .SBOM }}"` + or consumed by vulnerability scanners such as + [Trivy](https://github.com/aquasecurity/trivy) via + `trivy image --sbom-sources oci `. 1. Run `TAG=v1.xx.y make github-create-release github-upload-assets`. This command performs the following tasks: @@ -166,7 +174,7 @@ Issues included in the release are closed, with the comment. 1. Review the performance of the release candidate in the sandbox environment. If any issues are found, they must be addressed, and the release process restarted from [Step 1](#step-1) with an incremented release candidate version. -1. Run `TAG=v1.xx.y EXTRA_DOCKER_TAG_SUFFIX=-rc1 make publish-final-images`. This command publishes the final release images from release candidate image for given `EXTRA_DOCKER_TAG_SUFFIX` and updates `latest` Docker image tag for the given `TAG`. +1. Run `TAG=v1.xx.y EXTRA_DOCKER_TAG_SUFFIX=-rc1 make publish-final-images`. This command publishes the final release images from release candidate image for given `EXTRA_DOCKER_TAG_SUFFIX` and updates `latest` Docker image tag for the given `TAG`. SBOM attestations are preserved from the RC images by `imagetools create`. This command must be run only for the latest officially published release. It must be skipped when publishing other releases such as [LTS releases](https://docs.victoriametrics.com/victoriametrics/lts-releases/) or some test releases. 1. Deploy the final images to the sandbox environment and perform a quick smoke test to verify basic functionality works. 
diff --git a/docs/victoriametrics/changelog/CHANGELOG.md b/docs/victoriametrics/changelog/CHANGELOG.md index c923b747d8..82bd488db7 100644 --- a/docs/victoriametrics/changelog/CHANGELOG.md +++ b/docs/victoriametrics/changelog/CHANGELOG.md 
@@ -43,6 +43,7 @@ It enables back `Discovered targets` debug UI by default. * FEATURE: [dashboards/alert-statistics](https://grafana.com/grafana/dashboards/24553): add `job` and `instance` filters to the `VictoriaMetrics - Alert statistics` dashboard. This allows users running multiple independent [vmalert](https://docs.victoriametrics.com/victoriametrics/vmalert/) instances to filter and analyze alerts statistics per specific instance, making it easier to identify issues in a particular vmalert deployment. See [#10549](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10549). * FEATURE: [dashboards/alert-statistics](https://grafana.com/grafana/dashboards/24553): add a link to a specific alerting rule on the table of firing alerts. See [#10508](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10508). Thanks to @sias32 for the contribution. * FEATURE: [alerts](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/deployment/docker/rules): use `$externalURL` instead of `localhost` in the alerting rules. This should improve usability of the rules if `$externalURL` is correctly configured, without need to update rules annotations. See [#10508](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10508). Thanks to @sias32 for the contribution. +* FEATURE: all VictoriaMetrics components: publish [SPDX](https://spdx.dev/) SBOM attestations for container images on `docker.io` and `quay.io`. See [SECURITY.md](https://docs.victoriametrics.com/victoriametrics/security/) and [#10474](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10474). Thanks to @smuda for the contribution. * BUGFIX: all VictoriaMetrics components: return gzip-compressed response instead of zstd-compressed response to the client if `Accept-Encoding` request header contains both `gzip` and `zstd`. This is needed because some clients and proxies improperly handle zstd-compressed responses. See [#10535](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10535). 
* BUGFIX: [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) and `vmstorage` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): prevent panic `error parsing regexp: expression nests too deeply` triggered by large repetition ranges in regex, for example `{"__name__"=~"a{0,1000}"}`. See [VictoriaLogs#1112](https://github.com/VictoriaMetrics/VictoriaLogs/issues/1112).
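Review bot: in the SECURITY.md hunk, the `{{% available_from "#" %}}` shortcode still carries the `#` placeholder; it needs the actual `v1.xx.y` tag the feature ships in before merge, otherwise the rendered page shows a dangling "available from" marker. The section should also say what the attestation does and does not guarantee: BuildKit attaches the SPDX document as an in-toto attestation manifest in the image index, unsigned unless the images are additionally signed, so it documents the image contents but is not by itself tamper-evident. One sentence stating whether the published images are signed, or that readers should not assume the SBOM is, would keep the security page from overpromising.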
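Review bot: in the first `publish-via-docker` hunk (around line 100 of `deployment/docker/Makefile`), `--sbom=true` now sits next to `--provenance=false`. If provenance was disabled to keep the pushed artifact a plain manifest list, note that enabling the SBOM re-introduces per-platform attestation manifests in the image index, so any tooling that prompted `--provenance=false` will see that shape again; either confirm it copes or document why provenance stays off while SBOM is on. Also consider pinning the generator: `--sbom=true` pulls the default `docker/buildkit-syft-scanner` image at build time, whereas `--sbom=generator=docker/buildkit-syft-scanner@sha256:<digest>` makes the SBOM generator reproducible across releases.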
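Review bot: in the second `publish-via-docker` hunk (around line 121 of the Makefile), the same `--sbom=true` line is duplicated in the second `docker buildx build` call. Collecting the attestation flags in one Make variable, e.g. `DOCKER_ATTEST_FLAGS := --provenance=false --sbom=true`, and using it in both invocations would keep them from drifting, which matters now that SECURITY.md and the Release-Guide promise an SBOM on every published image.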
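Review bot: in the first Release-Guide hunk, the inline Trivy command in the new `c)` item ends with a trailing space and no image argument (`trivy image --sbom-sources oci `), so it fails if copied as written; the SECURITY.md hunk shows the full form with the image reference, so this should read `trivy image --sbom-sources oci <image>` or reuse that example. The `imagetools inspect --format "{{ json .SBOM }}"` snippet likewise omits the image argument. Rather than restating both commands in two places, consider linking this item to the SBOM section of SECURITY.md.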
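Review bot: in the second Release-Guide hunk, the added sentence "SBOM attestations are preserved from the RC images by `imagetools create`" holds only when the final tags are produced by `docker buildx imagetools create` from the RC index, which copies the attestation manifests together with the platform manifests; a `docker pull` / `docker tag` / `docker push` path drops them. Since the smoke-test step follows immediately, add a check to it: run `docker buildx imagetools inspect <final tag> --format "{{ json .SBOM }}"` and confirm a non-empty SBOM for each platform before the release is announced.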
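Review bot: in the CHANGELOG hunk, "all VictoriaMetrics components" is broader than what this patch changes, which is only the two `docker buildx build` calls in `publish-via-docker`. If every component image goes through that target the wording is fine; otherwise narrow it or extend the Makefile change to the other publish paths. The entry also links to the docs rendering of SECURITY.md while that file's hunk still contains the `{{% available_from "#" %}}` placeholder, so both should land with the release version filled in.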