-
Notifications
You must be signed in to change notification settings - Fork 129
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CycloneDX SBOM support #61
Conversation
return fmt.Sprintf("pkg:apk/%s/%s@%s", ns, pkg.Name, pkg.Version) | ||
} | ||
|
||
func (bc *Context) GenerateSBOM() error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In case it is useful, @imjasonh rolled the ko
CycloneDX stuff here if you want to compare or copy useful bits: https://github.com/google/ko/pull/587/files#diff-ad63c642b90be2eed057117c368556d45c8c89a4c7310c948b80166fed73667aR41
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whether or not you roll your own, I think it was a good idea to have e2e validation of the SBOMs in CI: https://github.com/google/ko/blob/main/.github/workflows/sbom.yaml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also: how do folks feel about generating both/all formats by default? That's something I'd like to do for ko, and apko being onboard would help motivate me. Seems weird to prefer one over the other(s)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would be alright with generating the JSON-LD version of SPDX, but not the Turtle version presently generated by ko
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(I also think that shouldn't block this MR)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Absolutely, we should do both. I was holding on commenting on this one to talk on Monday (@kaniini happy to chat on the weekend too if you want). I think we need to align some things to work together, buts lets chat first!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It can wait until Monday, I have some reasons for being opinionated here on SBOMs that I can outline outside this MR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After a discussion with @puerco, the plan is for him to take over this branch and add in the SPDX support and so on :)
c08e720
to
81a06b6
Compare
…org/alpine/go dependencies
the repository package from alpine already does it, but closing it twice seems harmless
In order to create an sbom interface the cyclone DX types are now out in their own package. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Add the SBOM object and its initial empty implementation Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commits modifies the SBOM object to make it capable of reading /etc/os-release files. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit refactors the package reading code into a method in the sbom object Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
OK, I've reworked the sbom code to its own package. It now supports pluggable sbom generators which can be turned on and off from the options. The cyclonedx code is the first one of these 🥳 I also added tests for most of the functions but I still have to ensure the output looks as expected, also I have to actually test it but the main idea should be ready for review :) Lets sync tomorrow to talk about some next steps here (like, where should the SBOM go? matching the cyclonedx and spdx structure, etc). |
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Options are now on its own package to share with generators Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
The SBOM object now outputs snoms using a generate function that uses its generators to output in the specified formats Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
The build context will now generate the sboms using the new sbom package Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
I went ahead and merged this, we can talk more about it later today for the SPDX support :) |
Add support for CycloneDX SBOM by inspecting the APK database. APKv2 is only supported for now.
Closes: #14.