CycloneDX SBOM support #61
Conversation
```go
	return fmt.Sprintf("pkg:apk/%s/%s@%s", ns, pkg.Name, pkg.Version)
}

func (bc *Context) GenerateSBOM() error {
```
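Review bot: the purl built at `return fmt.Sprintf("pkg:apk/%s/%s@%s", ns, pkg.Name, pkg.Version)` interpolates the namespace, name and version without percent-encoding, while the purl spec requires each component to be encoded; a `/`, `@` or `?` in any of them would produce a string that parses as a different package or fails to parse. Consider escaping each component (for example with `url.PathEscape`) or building the identifier through a purl library, and add a unit test that feeds a version containing a reserved character through this function.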
In case it is useful, @imjasonh rolled the ko CycloneDX stuff here if you want to compare or copy useful bits: https://github.com/google/ko/pull/587/files#diff-ad63c642b90be2eed057117c368556d45c8c89a4c7310c948b80166fed73667aR41
Whether or not you roll your own, I think it was a good idea to have e2e validation of the SBOMs in CI: https://github.com/google/ko/blob/main/.github/workflows/sbom.yaml
Also: how do folks feel about generating both/all formats by default? That's something I'd like to do for ko, and apko being onboard would help motivate me. Seems weird to prefer one over the other(s)
I would be alright with generating the JSON-LD version of SPDX, but not the Turtle version presently generated by ko.
(I also think that shouldn't block this MR)
Absolutely, we should do both. I was holding off commenting on this one to talk on Monday (@kaniini happy to chat on the weekend too if you want). I think we need to align some things to work together, but let's chat first!
It can wait until Monday, I have some reasons for being opinionated here on SBOMs that I can outline outside this MR.
After a discussion with @puerco, the plan is for him to take over this branch and add in the SPDX support and so on :)
c08e720 to 81a06b6
…org/alpine/go dependencies
the repository package from alpine already does it, but closing it twice seems harmless
In order to create an SBOM interface, the CycloneDX types are now out in their own package. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Add the SBOM object and its initial empty implementation Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit modifies the SBOM object to make it capable of reading /etc/os-release files. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit refactors the package reading code into a method in the sbom object Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
OK, I've reworked the sbom code into its own package. It now supports pluggable sbom generators which can be turned on and off from the options. The cyclonedx code is the first one of these 🥳 I also added tests for most of the functions but I still have to ensure the output looks as expected, also I have to actually test it, but the main idea should be ready for review :) Let's sync tomorrow to talk about some next steps here (like, where should the SBOM go? matching the cyclonedx and spdx structure, etc).
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Options are now on its own package to share with generators Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
The SBOM object now outputs SBOMs using a generate function that uses its generators to output in the specified formats Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
The build context will now generate the sboms using the new sbom package Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
I went ahead and merged this, we can talk more about it later today for the SPDX support :)
Add support for CycloneDX SBOM by inspecting the APK database. Only APKv2 is supported for now.
Closes: #14.
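An added example in Go, not apko's code and not part of this PR, showing the two steps this thread touches: reading package records out of an APKv2 installed database (the "inspecting the APK database" step from the PR description) and building the `pkg:apk/...` purl from the review fragment above with each component percent-encoded. `SampleDB` is a constructed two-record database; the `P`/`V`/`A` field letters are the real APKv2 keys, and the `alpine` namespace is an assumption for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample of /lib/apk/db/installed (APKv2): "K:value" lines, blank line between records.
const SampleDB = "P:busybox\nV:1.35.0-r17\nA:x86_64\n\n" +
	"P:ca-certificates-bundle\nV:20220614-r0\nA:x86_64\n"

// Package is the subset of an installed-database record that an SBOM component needs.
type Package struct{ Name, Version, Arch string }

// ParseInstalledDB splits the database into records and keeps the P/V/A fields of each.
func ParseInstalledDB(db string) []Package {
	var pkgs []Package
	for _, rec := range strings.Split(db, "\n\n") {
		var p Package
		for _, line := range strings.Split(rec, "\n") {
			key, val, ok := strings.Cut(line, ":")
			if !ok || len(key) != 1 {
				continue // blank or malformed line: skip it rather than abort the whole DB
			}
			switch key {
			case "P":
				p.Name = val
			case "V":
				p.Version = val
			case "A":
				p.Arch = val
			}
		}
		if p.Name != "" { // drop empty trailing records
			pkgs = append(pkgs, p)
		}
	}
	return pkgs
}

// PURL builds pkg:apk/<ns>/<name>@<version>?arch=<arch>; every component is escaped
// so that a '/', '?' or space inside a field cannot change how the purl is parsed.
func (p Package) PURL(ns string) string {
	s := fmt.Sprintf("pkg:apk/%s/%s@%s", url.PathEscape(ns), url.PathEscape(p.Name), url.PathEscape(p.Version))
	if p.Arch != "" {
		s += "?arch=" + url.QueryEscape(p.Arch)
	}
	return s
}
```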