bug: chalked docker builds are not running syft #82

Closed
indecisivedragon opened this issue Oct 28, 2023 · 0 comments · Fixed by #84
Labels
bug Something isn't working

Comments

@indecisivedragon
Contributor

Description

Following the instructions in the "software security supply chain compliance" how-to guide, I ran into an issue where the chalked docker builds were not including the SBOM data.

Impact

All chalked docker builds that we want to have SBOMs embedded in will not work at all.

Steps to Reproduce

  1. ensure you have a chalk binary with the default config loaded
  2. run ./chalk load ./configs/compliance_docker.c4m and ./chalk load ./configs/embed_sboms.c4m
  3. check that SBOMs are enabled by running chalk on some binary, e.g. a copy of ls:
    a) cp /bin/ls ./ls-test
    b) ./chalk insert ls-test
    c) ./chalk extract ls-test, then check that the output written to the default ~/.local/chalk/chalk.log has the following:
[
  {
    "_OPERATION": "extract",
    "_TIMESTAMP": 1698452232045,
    "_DATETIME": "2023-10-27T20:17:12.045-04:00",
    "_CHALKS": [
      {
        "CHALK_ID": "CHJKGD-K569-K30D-SR60R3",
        "CHALK_VERSION": "0.2.1",
        "TIMESTAMP_WHEN_CHALKED": 1698452223916,
        "DATETIME_WHEN_CHALKED": "2023-10-27T20:17:02.953-04:00",
        "ARTIFACT_TYPE": "ELF",
        "BRANCH": "main",
        "CHALK_RAND": "fac91965694c14bd",
        "CODE_OWNERS": "* @viega\n",
        "COMMIT_ID": "1dd895d780670efd4008c69f60eb7d175393343b",
        "HASH": "de86e2f078008eb9d6882deac520fd6826e545b930fb9daa409eb105e5f8f97e",
        "INJECTOR_COMMIT_ID": "1dd895d780670efd4008c69f60eb7d175393343b",
        "ORIGIN_URI": "https://github.com/crashappsec/chalk.git",
        "PLATFORM_WHEN_CHALKED": "GNU/Linux x86_64",
        "SBOM": {
          "syft": {
            "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
            "bomFormat": "CycloneDX",
            "specVersion": "1.4",
            "serialNumber": "urn:uuid:8c7d82cf-e4bb-4483-ad54-7909f6c1dd56",
            "version": 1,
            "metadata": {
              "timestamp": "2023-10-27T20:17:03-04:00",
              "tools": [
                { "vendor": "anchore", "name": "syft", "version": "0.94.0" }
              ],
              "component": {
                "bom-ref": "8cf26c10676ee39d",
                "type": "file",
                "name": "ls-test",
                "version": "sha256:sha256:c96756d855f432872103f6f68aef4fe44ec5c8cb2eab9940f4b7adb10646b90a"
              }
            }
          }
        },
        "METADATA_ID": "37YBXV-3JN1-XJBC-3NY2R3",
        "_VALIDATED_METADATA": true,
        "_OP_ARTIFACT_PATH": "/home/liming/workspace/chalk/ls-test",
        "_OP_ARTIFACT_TYPE": "ELF",
        "_CURRENT_HASH": "18ab5e71b56de6d7397d5575374d02f418c31958bd644e36c154dc02ec44461e"
      }
    ],
    "_ACTION_ID": "3c6d22ffd5d8f945",
    "_ARGV": ["ls-test"],
    "_ENV": {
      "PWD": "/home/liming/workspace/chalk",
      "XDG_SESSION_TYPE": "wayland",
      "USER": "liming",
      "PATH": "/home/liming/go/bin:/home/liming/.local/bin:/home/liming/go/bin:/home/liming/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin:/usr/local/go/bin:/usr/local/go/bin"
    },
    "_OP_ARGV": ["/home/liming/workspace/chalk/chalk", "extract", "ls-test"],
    "_OP_CHALKER_COMMIT_ID": "1dd895d780670efd4008c69f60eb7d175393343b",
    "_OP_CHALKER_VERSION": "0.2.1",
    "_OP_CMD_FLAGS": [],
    "_OP_EXE_NAME": "chalk",
    "_OP_EXE_PATH": "/home/liming/workspace/chalk",
    "_OP_HOSTINFO": "#35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct  6 10:23:26 UTC 2",
    "_OP_HOSTNAME": "liming-virtual-machine",
    "_OP_NODENAME": "liming-virtual-machine",
    "_OP_PLATFORM": "GNU/Linux x86_64",
    "_OP_CHALK_COUNT": 1,
    "_OP_UNMARKED_COUNT": 0
  }
]
  4. use chalk to build a docker container, e.g. ./chalk docker build -t xxx -f ./tests/data/dockerfiles/valid/sample_1/Dockerfile ./tests/data/dockerfiles/valid/sample_1
  5. inspect the container with ./chalk extract xxx and observe no SBOM in the log file:
[
  {
    "_OPERATION": "extract",
    "_TIMESTAMP": 1698452420419,
    "_DATETIME": "2023-10-27T20:20:20.419-04:00",
    "_CHALKS": [
      {
        "_VALIDATED_METADATA": true,
        "_OP_ARTIFACT_TYPE": "Docker Image",
        "_IMAGE_ID": "d697e35fafa8bb1c9107efafd01964e2dd860a6147564f82482197f760197783",
        "_REPO_TAGS": ["xxx:latest"],
        "_IMAGE_COMMENT": "buildkit.dockerfile.v0",
        "_IMAGE_CREATION_DATETIME": "2023-10-27T20:16:36.228130247-04:00",
        "_IMAGE_ARCHITECTURE": "amd64",
        "_IMAGE_SIZE": 7335595,
        "_IMAGE_ROOT_FS_TYPE": "layers",
        "_IMAGE_ENV": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "_IMAGE_CMD": ["/helloworld.sh"],
        "_IMAGE_LABELS": {
          "run.crashoverride.branch": "main",
          "run.crashoverride.commit-id": "1dd895d780670efd4008c69f60eb7d175393343b",
          "run.crashoverride.origin-uri": "https://github.com/crashappsec/chalk.git"
        },
        "_IMAGE_VIRTUAL_SIZE": 7335595,
        "_IMAGE_LAST_TAG_TIME": "2023-10-27T20:16:36.236176648-04:00",
        "_IMAGE_STORAGE_METADATA": {
          "Data": {
            "LowerDir": "/var/lib/docker/overlay2/ly5pzeb85bk8lluzkek1iuq4t/diff:/var/lib/docker/overlay2/f8ae51582601db6a04d5509324d1b1a249d4d7583de0671c2836548cb791574b/diff",
            "MergedDir": "/var/lib/docker/overlay2/oo4b5s3aassfnd1qmzaaihee6/merged",
            "UpperDir": "/var/lib/docker/overlay2/oo4b5s3aassfnd1qmzaaihee6/diff",
            "WorkDir": "/var/lib/docker/overlay2/oo4b5s3aassfnd1qmzaaihee6/work"
          },
          "Name": "overlay2"
        },
        "_CURRENT_HASH": "d697e35fafa8bb1c9107efafd01964e2dd860a6147564f82482197f760197783",
        "CHALK_ID": "ZBNPSY-ZNNV-TM1Y-X28RPT",
        "CHALK_VERSION": "0.2.1",
        "DATETIME_WHEN_CHALKED": "2023-10-27T20:16:35.340-04:00",
        "METADATA_ID": "QVSEBP-WKYD-YZD4-WKMERV"
      }
    ],
    "_ACTION_ID": "7c5357477dab41d6",
    "_ARGV": ["xxx"],
    "_ENV": {
      "PWD": "/home/liming/workspace/chalk",
      "XDG_SESSION_TYPE": "wayland",
      "USER": "liming",
      "PATH": "/home/liming/go/bin:/home/liming/.local/bin:/home/liming/go/bin:/home/liming/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin:/usr/local/go/bin:/usr/local/go/bin"
    },
    "_OP_ARGV": ["/home/liming/workspace/chalk/chalk", "extract", "xxx"],
    "_OP_CHALKER_COMMIT_ID": "1dd895d780670efd4008c69f60eb7d175393343b",
    "_OP_CHALKER_VERSION": "0.2.1",
    "_OP_CMD_FLAGS": [],
    "_OP_EXE_NAME": "chalk",
    "_OP_EXE_PATH": "/home/liming/workspace/chalk",
    "_OP_HOSTINFO": "#35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct  6 10:23:26 UTC 2",
    "_OP_HOSTNAME": "liming-virtual-machine",
    "_OP_NODENAME": "liming-virtual-machine",
    "_OP_PLATFORM": "GNU/Linux x86_64",
    "_OP_CHALK_COUNT": 1,
    "_OP_UNMARKED_COUNT": 0
  }
]

Alternatively, you can run the container and manually check the chalk.json inside, which will also not have it.

Other Information

Digging into the chalk code, it looks like template toolBase in src/plugins/externalTools.nim has a loop over chalkConfig.tools. For chalking binaries, this chalkConfig.tools contains the syft tool; however, when chalking docker containers, this chalkConfig.tools is always empty. This might be a bug in the underlying con4m library.
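The two extract reports above differ only in whether the chalk mark carries an SBOM key, so a build pipeline that relies on embedded SBOMs needs a check that fails loudly when a mark lacks one, rather than discovering it later by reading chalk.json by hand. The following is an added example, not code from the chalk project or from the issue author: it parses a chalk.log in the format shown above (a JSON array of operation reports, each with a _CHALKS list) and returns one finding per chalk mark whose SBOM section does not contain the required tool's output. The sample log is constructed from abbreviated copies of the two reports in the issue; the function names and the handling of several concatenated JSON documents in one file are assumptions of this example.

```python
"""Audit a chalk extract log for chalk marks without embedded SBOM data."""
import json

# Constructed sample, abbreviated from the two extract reports in the issue:
# a chalked ELF binary carrying a syft SBOM, and a chalked Docker image without one.
SAMPLE_LOG = json.dumps([
    {
        "_OPERATION": "extract",
        "_CHALKS": [
            {
                "CHALK_ID": "CHJKGD-K569-K30D-SR60R3",
                "ARTIFACT_TYPE": "ELF",
                "_OP_ARTIFACT_PATH": "/path/to/ls-test",
                "SBOM": {"syft": {"bomFormat": "CycloneDX", "specVersion": "1.4"}},
            }
        ],
    },
]) + "\n" + json.dumps([
    {
        "_OPERATION": "extract",
        "_CHALKS": [
            {
                "CHALK_ID": "ZBNPSY-ZNNV-TM1Y-X28RPT",
                "_OP_ARTIFACT_TYPE": "Docker Image",
                "_REPO_TAGS": ["xxx:latest"],
            }
        ],
    },
])


def iter_reports(log_text):
    """Yield operation reports from a log that may hold several JSON documents
    appended one after another (assumption: each chalk run appends one array)."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(log_text)
    while pos < end:
        while pos < end and log_text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        doc, pos = decoder.raw_decode(log_text, pos)
        # A run writes a JSON array of reports; tolerate a bare object as well.
        yield from (doc if isinstance(doc, list) else [doc])


def sbom_tools(mark):
    """Return the names of the tools whose SBOM output is embedded in a mark.
    Chalk stores SBOMs under the SBOM key, keyed by tool name (e.g. "syft")."""
    sbom = mark.get("SBOM")
    if not isinstance(sbom, dict):
        return []
    return sorted(tool for tool, doc in sbom.items() if doc)


def artifact_label(mark):
    """Best-effort human-readable identifier for the chalked artifact."""
    if mark.get("_REPO_TAGS"):
        return ", ".join(mark["_REPO_TAGS"])
    return mark.get("_OP_ARTIFACT_PATH") or mark.get("_IMAGE_ID") or "<unknown>"


def find_missing_sboms(log_text, required_tool="syft"):
    """Return a finding for every chalk mark in extract reports whose embedded
    SBOM does not include `required_tool`'s output."""
    findings = []
    for report in iter_reports(log_text):
        if report.get("_OPERATION") != "extract":
            continue
        for mark in report.get("_CHALKS", []):
            tools = sbom_tools(mark)
            if required_tool in tools:
                continue
            findings.append({
                "chalk_id": mark.get("CHALK_ID"),
                "artifact_type": mark.get("_OP_ARTIFACT_TYPE") or mark.get("ARTIFACT_TYPE"),
                "artifact": artifact_label(mark),
                "sbom_tools_present": tools,
            })
    return findings


if __name__ == "__main__":
    for finding in find_missing_sboms(SAMPLE_LOG):
        print(f"missing syft SBOM: {finding['artifact_type']} {finding['artifact']} "
              f"(chalk id {finding['chalk_id']})")
```

Run it against a real ~/.local/chalk/chalk.log after an extract pass over the artifacts a pipeline produced; a non-empty result for Docker images while ELF binaries pass is exactly the symptom reported here, and it distinguishes "SBOM collection is off everywhere" (every mark flagged) from "only one artifact type is affected" (only some marks flagged).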
