Add Corgid for new method of Inspector Integration

This binary does following:
- This converts application inventory on the host to Cyclone Dx sbom
- Send the Cyslone Dx sbom to the new telemetart API

Author: vyaghras

Dockerfile

@@ -1,3 +1,29 @@
+ARG SDK_IMAGE
+FROM ${SDK_IMAGE} as rust-builder
+
+ARG UNAME_ARCH
+USER root
+ENV CARGO_HOME=/src/.cargo
+
+# Add sources
+ADD ./sources /src/
+
+# Fetch dependencies
+RUN cargo fetch --locked --manifest-path /src/corgid/Cargo.toml
+
+# Set bindgen clang arguments for musl compilation
+ENV BINDGEN_EXTRA_CLANG_ARGS="--target=${UNAME_ARCH}-bottlerocket-linux-musl --sysroot=/${UNAME_ARCH}-bottlerocket-linux-musl/sys-root"
+
+# Build corgid statically linked with musl
+RUN cargo install --offline --locked --target ${UNAME_ARCH}-bottlerocket-linux-musl --path /src/corgid --root /output
+
+# Gather licenses of dependencies
+RUN /usr/libexec/tools/bottlerocket-license-scan \
+    --clarify /src/clarify.toml \
+    --spdx-data /usr/libexec/tools/spdx-data \
+    --out-dir /licenses \
+    cargo --offline --locked /src/corgid/Cargo.toml
+
 FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS builder
 
 RUN dnf install -y \
@@ -62,6 +88,10 @@ COPY --from=builder /root/build/util-linux/usr/share/licenses/util-linux/COPYING
                     /usr/share/licenses/util-linux/
 RUN ln -s /opt/util-linux/bin/* /usr/bin
 
+# Copy corgid binary and licenses
+COPY --from=rust-builder /output/bin/corgid /usr/sbin/corgid
+COPY --from=rust-builder /licenses /usr/share/licenses/corgid
+
 # Validate amazon-ssm-agent binary
 RUN /usr/bin/amazon-ssm-agent -version
 # Validate lscpu binary

Makefile

@@ -1,3 +1,5 @@
+TOP := $(dir $(abspath $(firstword $(MAKEFILE_LIST))))
+
 # IMAGE_NAME is the full name of the container image being built.
 IMAGE_NAME ?= $(notdir $(shell pwd -P))$(IMAGE_ARCH_SUFFIX):$(IMAGE_VERSION)$(addprefix -,$(SHORT_SHA))
 # IMAGE_VERSION is the semver version that's tagged on the image.
@@ -19,11 +21,37 @@ ARCH ?= $(lastword $(subst :, ,$(filter $(UNAME_ARCH):%,x86_64:amd64 aarch64:arm
 # SSM_AGENT_VERSION is the SSM Agent's distributed RPM Version to install.
 SSM_AGENT_VERSION ?= 3.3.3883.0
 
-.PHONY: all build check check-ssm-agent download-ssm-agent update-ssm-agent
+# BOTTLEROCKET_SDK_VERSION is the SDK image used to build corgid.
+BOTTLEROCKET_SDK_VERSION ?= v0.73.0
+
+.PHONY: all build check check-ssm-agent check-licenses fetch download-ssm-agent update-ssm-agent
 
 # Run all build tasks for this container image.
 all: build check
 
+# Fetches crates from upstream
+fetch:
+	docker run --rm \
+		--user "$(shell id -u):$(shell id -g)" \
+		--security-opt label=disable \
+		--env CARGO_HOME="/src/.cargo" \
+		--volume "$(TOP)/sources:/src" \
+		--workdir "/src/" \
+		"public.ecr.aws/bottlerocket/bottlerocket-sdk:$(BOTTLEROCKET_SDK_VERSION)" \
+		bash -c "cargo fetch --locked --manifest-path /src/corgid/Cargo.toml"
+
+# Checks allowed/denied upstream licenses
+check-licenses: fetch
+	docker run --rm \
+		--network none \
+		--user "$(shell id -u):$(shell id -g)" \
+		--security-opt label=disable \
+		--env CARGO_HOME="/src/.cargo" \
+		--volume "$(TOP)/sources:/src" \
+		--workdir "/src/" \
+		"public.ecr.aws/bottlerocket/bottlerocket-sdk:$(BOTTLEROCKET_SDK_VERSION)" \
+		bash -c "cargo deny --all-features check --disable-fetch --manifest-path /src/corgid/Cargo.toml licenses"
+
 # Create a distribution container image tarball for release.
 dist: all
 	@mkdir -p $(dir $(DISTFILE))
@@ -35,6 +63,8 @@ build:
 		--tag $(IMAGE_NAME) \
 		--build-arg IMAGE_VERSION="$(IMAGE_VERSION)" \
 		--build-arg SSM_AGENT_VERSION="$(SSM_AGENT_VERSION)" \
+		--build-arg UNAME_ARCH="$(UNAME_ARCH)" \
+		--build-arg SDK_IMAGE="public.ecr.aws/bottlerocket/bottlerocket-sdk:$(BOTTLEROCKET_SDK_VERSION)" \
 		-f Dockerfile . >&2
 
 # Run checks against the container image.

README.md

@@ -38,3 +38,42 @@ For example:
 # ex: echo '{"ssm":{"activation-id":"foo","activation-code":"bar","region":"us-west-2"}}' | base64
 user-data = "eyJzc20iOnsiYWN0aXZhdGlvbi1pZCI6ImZvbyIsImFjdGl2YXRpb24tY29kZSI6ImJhciIsInJlZ2lvbiI6InVzLXdlc3QtMiJ9fQo="
 ```
+
+## Inspector SBOM Upload (corgid)
+
+This container includes `corgid`, a binary that collects the Bottlerocket package inventory, converts it to a [CycloneDX](https://cyclonedx.org/) SBOM, and sends it to the Amazon Inspector API for vulnerability scanning. It runs automatically in the background when the container starts.
+
+### Disabling corgid
+
+To disable Inspector SBOM upload, set `inspector-sbom-upload` to `"false"` in the control container's user data:
+
+```json
+{
+  "inspector": {
+    "upload-sbom": false
+  }
+}
+```
+
+Base64-encode the JSON and set it in your instance user data:
+
+```toml
+[settings.host-containers.control]
+# echo '{"inspector": {"upload-sbom": false}}' | base64
+user-data = "eyJpbnNwZWN0b3IiOiB7InVwbG9hZC1zYm9tIjogZmFsc2V9fQ=="
+```
+
+This can be combined with SSM hybrid activation settings in the same JSON object:
+
+```json
+{
+  "ssm": {
+    "activation-id": "foo",
+    "activation-code": "bar",
+    "region": "us-west-2"
+  },
+  "inspector": {
+    "upload-sbom": false
+  }
+}
+```