(feat): Generate SBOM for invocation image + bundle #2930

schristoff · 2023-09-27T16:32:01Z

Being able to offer generating an SBOM for the invocation image and bundle would be a great step in our security focus.
Talking to Syft on their Slack, they pointed us to this example for ingesting Syft as a Go lib.

Ideally, when users run porter publish command we would take a sbom (bool) flag. If true, then within pkg/porter/publish we would call a separate pkg/porter/publish/sbom.go that would do the generation required. We could separate out this feature into it's own package, or keep it within publish. The porter package is already kinda chunky, so maybe best to try and keep all the imports needed for this feature separate.

Note: The linked code generates a Syft SBOM, but we need an SPDX SBOM, so we would need to incorporate the use of formats into this code.

The text was updated successfully, but these errors were encountered:

schristoff added the suggestion Idea for maintainers to consider. Do not take this issue until triaged. label Sep 27, 2023

schristoff self-assigned this Sep 27, 2023

schristoff added this to Porter Sep 27, 2023

schristoff moved this to 🏗 In progress in Porter Sep 27, 2023

schristoff mentioned this issue Dec 5, 2023

[Draft] SBOM gen first pass #2954

Draft

schristoff added this to v1.1.0 (June 2024) Apr 4, 2024

schristoff moved this to In Progress in v1.1.0 (June 2024) Apr 4, 2024

schristoff removed this from v1.1.0 (June 2024) Jul 11, 2024

schristoff removed this from Porter Jul 11, 2024

schristoff added this to Porter v1.2.0 (November 2024) Jul 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(feat): Generate SBOM for invocation image + bundle #2930

(feat): Generate SBOM for invocation image + bundle #2930

schristoff commented Sep 27, 2023

(feat): Generate SBOM for invocation image + bundle #2930

(feat): Generate SBOM for invocation image + bundle #2930

Comments

schristoff commented Sep 27, 2023