Add Corgid for new method of Inspector Integration

This binary does following:
- This converts application inventory on the host to Cyclone Dx sbom
- Send the Cyslone Dx sbom to the new telemetart API

Author: vyaghras

Dockerfile

@@ -2,12 +2,45 @@ FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS builder
 
 RUN dnf install -y \
     'dnf-command(download)' \
-    cpio
+    cpio \
+    gcc \
+    pkg-config \
+    tar \
+    gzip \
+    cmake \
+    clang \
+    clang-devel
+
+# Install Rust toolchain
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
+ENV PATH="/root/.cargo/bin:${PATH}"
+
+# Add musl targets for static compilation on both architectures
+RUN rustup target add x86_64-unknown-linux-musl aarch64-unknown-linux-musl
+
+# Install musl cross-compilation toolchain
+RUN curl -L https://musl.cc/x86_64-linux-musl-cross.tgz | tar -xz -C /opt && \
+    curl -L https://musl.cc/aarch64-linux-musl-cross.tgz | tar -xz -C /opt
+
+# Set up cross-compilation environment
+ENV CC_x86_64_unknown_linux_musl="/opt/x86_64-linux-musl-cross/bin/x86_64-linux-musl-gcc" \
+    CC_aarch64_unknown_linux_musl="/opt/aarch64-linux-musl-cross/bin/aarch64-linux-musl-gcc" \
+    CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER="/opt/x86_64-linux-musl-cross/bin/x86_64-linux-musl-gcc" \
+    CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER="/opt/aarch64-linux-musl-cross/bin/aarch64-linux-musl-gcc" \
+    BINDGEN_EXTRA_CLANG_ARGS_aarch64_unknown_linux_musl="--sysroot=/opt/aarch64-linux-musl-cross/aarch64-linux-musl" \
+    BINDGEN_EXTRA_CLANG_ARGS_x86_64_unknown_linux_musl="--sysroot=/opt/x86_64-linux-musl-cross/x86_64-linux-musl"
 
 WORKDIR /root/build/util-linux
 RUN dnf download util-linux && \
     rpm2cpio util-linux-*.rpm | cpio -idmv
 
+# Build corgid binary for both architectures
+WORKDIR /root/build
+COPY ./sources/corgid ./corgid/
+WORKDIR /root/build/corgid
+RUN cargo build --release --target x86_64-unknown-linux-musl && \
+    cargo build --release --target aarch64-unknown-linux-musl
+
 FROM public.ecr.aws/amazonlinux/amazonlinux:2023
 
 # IMAGE_VERSION is the assigned version from input for this image.
@@ -62,6 +95,18 @@ COPY --from=builder /root/build/util-linux/usr/share/licenses/util-linux/COPYING
                     /usr/share/licenses/util-linux/
 RUN ln -s /opt/util-linux/bin/* /usr/bin
 
+# Copy corgid binary for the target architecture
+COPY --from=builder /root/build/corgid/target/x86_64-unknown-linux-musl/release/corgid /tmp/corgid-x86_64
+COPY --from=builder /root/build/corgid/target/aarch64-unknown-linux-musl/release/corgid /tmp/corgid-aarch64
+RUN ARCH=$(uname -m) && \
+    if [ "$ARCH" = "x86_64" ]; then \
+        cp /tmp/corgid-x86_64 /usr/sbin/corgid; \
+    elif [ "$ARCH" = "aarch64" ]; then \
+        cp /tmp/corgid-aarch64 /usr/sbin/corgid; \
+    fi && \
+    chmod +x /usr/sbin/corgid && \
+    rm -f /tmp/corgid-*
+
 # Validate amazon-ssm-agent binary
 RUN /usr/bin/amazon-ssm-agent -version
 # Validate lscpu binary

README.md

@@ -38,3 +38,42 @@ For example:
 # ex: echo '{"ssm":{"activation-id":"foo","activation-code":"bar","region":"us-west-2"}}' | base64
 user-data = "eyJzc20iOnsiYWN0aXZhdGlvbi1pZCI6ImZvbyIsImFjdGl2YXRpb24tY29kZSI6ImJhciIsInJlZ2lvbiI6InVzLXdlc3QtMiJ9fQo="
 ```
+
+## Inspector SBOM Upload (corgid)
+
+This container includes `corgid`, a binary that collects the Bottlerocket package inventory, converts it to a [CycloneDX](https://cyclonedx.org/) SBOM, and sends it to the Amazon Inspector API for vulnerability scanning. It runs automatically in the background when the container starts.
+
+### Disabling corgid
+
+To disable Inspector SBOM upload, set `inspector-sbom-upload` to `"false"` in the control container's user data:
+
+```json
+{
+  "inspector": {
+    "upload-sbom": "false"
+  }
+}
+```
+
+Base64-encode the JSON and set it in your instance user data:
+
+```toml
+[settings.host-containers.control]
+# echo '{"inspector": {"upload-sbom": "false"}}' | base64
+user-data = "eyJpbnNwZWN0b3IiOiB7InVwbG9hZC1zYm9tIjogImZhbHNlIn19"
+```
+
+This can be combined with SSM hybrid activation settings in the same JSON object:
+
+```json
+{
+  "ssm": {
+    "activation-id": "foo",
+    "activation-code": "bar",
+    "region": "us-west-2"
+  },
+  "inspector": {
+    "upload-sbom": "false"
+  }
+}
+```

sources/corgid/Cargo.toml

@@ -0,0 +1,24 @@
+[package]
+name = "corgid"
+version = "0.1.0"
+edition = "2021"
+
+[[bin]]
+name = "corgid"
+path = "src/main.rs"
+
+[dependencies]
+reqwest = { version = "0.12", default-features = false, features = ["blocking", "rustls-tls"] }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+sha2 = "0.10"
+hex = "0.4"
+hmac = "0.12"
+flate2 = "1"
+chrono = { version = "0.4", features = ["now"] }
+uuid = { version = "1", features = ["v4"] }
+log = "0.4"
+simplelog = "0.12"
+snafu = "0.8"
+base64 = "0.22"
+rustls = { version = "0.23", features = ["aws-lc-rs"] }

sources/corgid/src/error.rs

@@ -0,0 +1,40 @@
+use snafu::Snafu;
+
+#[derive(Debug, Snafu)]
+#[snafu(visibility(pub))]
+pub enum Error {
+    #[snafu(display("Failed to read application inventory file: {source}"))]
+    ReadInventory { source: std::io::Error },
+
+    #[snafu(display("Failed to parse application inventory file: {source}"))]
+    ParseInventory { source: serde_json::Error },
+
+    #[snafu(display("Failed to serialize SBOM: {source}"))]
+    SerializeSbom { source: serde_json::Error },
+
+    #[snafu(display("Failed to fetch IMDS credentials: {source}"))]
+    ImdsCredentials { source: reqwest::Error },
+
+    #[snafu(display("Failed to parse IMDS credentials: {source}"))]
+    ParseCredentials { source: serde_json::Error },
+
+    #[snafu(display("HTTP request failed: {source}"))]
+    HttpRequest { source: reqwest::Error },
+
+    #[snafu(display("Inspector API error {status}: {body}"))]
+    Api { status: u16, body: String },
+
+    #[snafu(display("Failed to parse API response: {source}"))]
+    ParseResponse { source: serde_json::Error },
+
+    #[snafu(display("Failed to compress SBOM: {source}"))]
+    Compress { source: std::io::Error },
+
+    #[snafu(display("No IAM role found in IMDS"))]
+    NoIamRole,
+
+    #[snafu(display("No instance ID found in IMDS"))]
+    NoInstanceId,
+}
+
+pub type Result<T> = std::result::Result<T, Error>;

sources/corgid/src/imds.rs

@@ -0,0 +1,56 @@
+//! EC2 Instance Metadata Service (IMDS) client.
+//!
+//! Retrieves IAM credentials from IMDS using IMDSv2 session tokens.
+
+use crate::error::{self, Result};
+use reqwest::blocking::Client;
+use serde::Deserialize;
+use snafu::{OptionExt, ResultExt};
+
+const IMDS_BASE: &str = "http://169.254.169.254";
+const IMDS_TOKEN_PATH: &str = "/latest/api/token";
+const IMDS_ROLE_PATH: &str = "/latest/meta-data/iam/security-credentials/";
+
+/// IAM credentials retrieved from IMDS for signing API requests.
+#[derive(Deserialize)]
+pub struct Credentials {
+    #[serde(rename = "AccessKeyId")]
+    pub access_key_id: String,
+    #[serde(rename = "SecretAccessKey")]
+    pub secret_access_key: String,
+    #[serde(rename = "Token")]
+    pub token: String,
+}
+
+/// Retrieves IAM credentials from the EC2 Instance Metadata Service.
+///
+/// Uses IMDSv2 with a session token for security.
+pub fn get_credentials(client: &Client) -> Result<Credentials> {
+    let token = client
+        .put(format!("{}{}", IMDS_BASE, IMDS_TOKEN_PATH))
+        .header("X-aws-ec2-metadata-token-ttl-seconds", "21600")
+        .send()
+        .context(error::ImdsCredentialsSnafu)?
+        .text()
+        .context(error::ImdsCredentialsSnafu)?;
+
+    let roles = client
+        .get(format!("{}{}", IMDS_BASE, IMDS_ROLE_PATH))
+        .header("X-aws-ec2-metadata-token", &token)
+        .send()
+        .context(error::ImdsCredentialsSnafu)?
+        .text()
+        .context(error::ImdsCredentialsSnafu)?;
+
+    let role = roles.lines().next().context(error::NoIamRoleSnafu)?;
+
+    let creds_json = client
+        .get(format!("{}{}{}", IMDS_BASE, IMDS_ROLE_PATH, role))
+        .header("X-aws-ec2-metadata-token", &token)
+        .send()
+        .context(error::ImdsCredentialsSnafu)?
+        .text()
+        .context(error::ImdsCredentialsSnafu)?;
+
+    serde_json::from_str(&creds_json).context(error::ParseCredentialsSnafu)
+}