Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate Software Bill of Materials (SBOM) / DEPENDENCIES File #102

Open
mhellmeier opened this issue Jul 22, 2024 · 0 comments
Open

Generate Software Bill of Materials (SBOM) / DEPENDENCIES File #102

mhellmeier opened this issue Jul 22, 2024 · 0 comments
Labels
feature New feature or request pipeline Build, Action, CI/CD etc.

Comments

@mhellmeier
Copy link
Member

🚀 Feature Request

Current Problem

There is no overview of the transitive closure of all dependencies used in the project. Thus, security problems or vulnerabilities of dependencies used are hard to check.

Proposed Solution

A SBOM helps to solve this problem. It should be generated and provided in the repository (for example, in a DEPENDENCIES file).
The SBOM generation should be integrated as a pipeline step (GitHub Action) that checks or updates the file on every pull request or commit on the main branch.

Additional Context

The Eclipse Foundation uses a Dash Tool to generate a DEPENDENCIES file that generates an SBOM and checks their licenses.
Also, other existing tools that generate or use SBOMs, like trivy, Microsoft SBOM Tool, or ort need to be checked.
@mhellmeier mhellmeier added feature New feature or request pipeline Build, Action, CI/CD etc. labels Jul 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature New feature or request pipeline Build, Action, CI/CD etc.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mhellmeier