Provide Global Mechanism to Disable SBOM Generation #311
Labels
Comments
dmikusa
added
type:enhancement
|
See paketo-buildpacks/maven#334 for some rationale for implementing this. |
I don't think that the linked issue asks for disabling SBoM globally. The maven cyclonedx plug-in will only be able to provide insights into the the bom of the app. This cannot replace e.g. the libjvm buildpacks to provide the jvm sbom information. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the Enhancement
Implement RFC 0044 by checking for BP_DISABLE_SBOM as one of the first things in build.go and, if set, return early.
Possible Solution
This needs support in both libpak and libbs. Any point where we generate SBOM information or run
syft(or other tools), needs to be aware of the opt-out and should skip generating SBOM information.In addition, the container needs to be flagged as having opted out of SBOM generation so it's clear this was due to a user request.
Motivation
At the moment, this remains unclear. If you find this issue and it is of interest to you. Please post a comment and include some details about why you'd like this setting, your use case and how it impacts you. If we get enough user interest, we can implement this feature.
The text was updated successfully, but these errors were encountered: