Generate SBOMs for JS components #649

Closed
toddbaert opened this issue Nov 1, 2023 · 5 comments · Fixed by #672
Assignees
Labels
good first issue Good for newcomers help wanted Extra attention is needed security security related bugs/tasks

Comments

@toddbaert
Member

toddbaert commented Nov 1, 2023

We have SBOMs currently for Java and Go. We could use them here as well. I recommend this utility: https://github.com/marketplace/actions/cyclonedx-node-js-generate-sbom (we're using the CycloneDX format elsewhere and it's popular).

Definition of done:

  • SBOMs generated and attached to release artifact in GH, or otherwise made publicly available (for every release)
  • runtime dependencies only included
  • only includes dependencies of module in question (not of repo)
@toddbaert toddbaert added good first issue Good for newcomers help wanted Extra attention is needed security security related bugs/tasks labels Nov 1, 2023
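The definition of done above is checkable mechanically. The script below is an added example (not OpenFeature's code and not part of the CycloneDX action linked in the issue): it reads a CycloneDX JSON SBOM plus the module's own package.json and reports three findings that map to the three bullets: components that are declared devDependencies (violates "runtime dependencies only"), components not reachable from the SBOM's root component through its `dependencies` graph (typically other packages of the repo, violating "only includes dependencies of module in question"), and declared runtime dependencies that are missing entirely. It assumes the generator populates `metadata.component.bom-ref` and the `dependencies` section, which CycloneDX tooling for npm does; the sample SBOM and package.json embedded here are constructed for the demonstration and deliberately include one dev dependency and one sibling package so the check has something to flag. A command such as `npm sbom --sbom-format cyclonedx --omit dev` (flag names as I know them, to be verified against your npm version) would produce the real input.

```python
"""Check a CycloneDX SBOM against this issue's definition of done:
runtime dependencies only, and only the dependencies of one module."""
import json
import sys
from typing import Dict, List, Set

# Constructed package.json for the module under test (hypothetical names, not a real manifest).
MODULE_PACKAGE_JSON = {
    "name": "@example/module",
    "version": "1.0.0",
    "dependencies": {"left-pad-ish": "^1.0.0"},
    "devDependencies": {"typescript": "^5.0.0"},
}

# Constructed CycloneDX SBOM as an un-tuned generator might emit it for a monorepo:
# it wrongly contains a dev dependency (typescript) and a sibling workspace
# package (@example/other-module) that the module does not depend on.
SBOM_JSON = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "library", "name": "@example/module",
                               "version": "1.0.0", "bom-ref": "pkg:npm/%40example/module@1.0.0"}},
    "components": [
        {"type": "library", "name": "left-pad-ish", "version": "1.2.3", "bom-ref": "pkg:npm/left-pad-ish@1.2.3"},
        {"type": "library", "name": "tiny-util", "version": "0.1.0", "bom-ref": "pkg:npm/tiny-util@0.1.0"},
        {"type": "library", "name": "typescript", "version": "5.2.0", "bom-ref": "pkg:npm/typescript@5.2.0"},
        {"type": "library", "name": "@example/other-module", "version": "1.0.0",
         "bom-ref": "pkg:npm/%40example/other-module@1.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/%40example/module@1.0.0",
         "dependsOn": ["pkg:npm/left-pad-ish@1.2.3", "pkg:npm/typescript@5.2.0"]},
        {"ref": "pkg:npm/left-pad-ish@1.2.3", "dependsOn": ["pkg:npm/tiny-util@0.1.0"]},
        {"ref": "pkg:npm/tiny-util@0.1.0", "dependsOn": []},
        {"ref": "pkg:npm/typescript@5.2.0", "dependsOn": []},
        {"ref": "pkg:npm/%40example/other-module@1.0.0", "dependsOn": []},
    ],
}


def _graph(sbom: dict) -> Dict[str, List[str]]:
    """Adjacency list bom-ref -> dependsOn refs, taken from the SBOM's dependencies section."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def reachable_from_module(sbom: dict) -> Set[str]:
    """bom-refs reachable from metadata.component, i.e. the module the SBOM describes."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = _graph(sbom)
    seen: Set[str] = set()
    stack = [root]
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    seen.discard(root)
    return seen


def check_sbom(sbom: dict, package_json: dict) -> Dict[str, List[str]]:
    """Return findings keyed by the definition-of-done bullet they violate (empty lists = clean)."""
    components = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    names = set(components.values())
    dev = set(package_json.get("devDependencies", {}))
    runtime = set(package_json.get("dependencies", {}))
    reachable = reachable_from_module(sbom)
    return {
        "dev_dependencies_present": sorted(names & dev),
        "not_reachable_from_module": sorted(n for ref, n in components.items() if ref not in reachable),
        "runtime_dependencies_missing": sorted(runtime - names),
    }


def meets_definition_of_done(sbom: dict, package_json: dict) -> bool:
    return not any(check_sbom(sbom, package_json).values())


def drop_components(sbom: dict, names: Set[str]) -> dict:
    """Copy of the SBOM without the named components and without edges pointing at them."""
    refs = {c["bom-ref"] for c in sbom.get("components", []) if c["name"] in names}
    out = json.loads(json.dumps(sbom))
    out["components"] = [c for c in out.get("components", []) if c["bom-ref"] not in refs]
    out["dependencies"] = [
        {"ref": d["ref"], "dependsOn": [r for r in d.get("dependsOn", []) if r not in refs]}
        for d in out.get("dependencies", []) if d["ref"] not in refs
    ]
    return out


if __name__ == "__main__":
    # Usage: python check_sbom.py bom.json package.json  (falls back to the constructed sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            sbom, pkg = json.load(f), json.load(g)
    else:
        sbom, pkg = SBOM_JSON, MODULE_PACKAGE_JSON
    findings = check_sbom(sbom, pkg)
    print(json.dumps(findings, indent=2))
    sys.exit(0 if not any(findings.values()) else 1)
```

In a release workflow the exit status is what matters: run the checker after the generator step and fail the job when any finding list is non-empty, so a regression in the generator's `--omit`/workspace settings cannot silently ship an SBOM that over- or under-reports what the published module actually loads at runtime.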
@lukas-reining
Member

If someone else likes, this person can take it.
Otherwise I would do it 🙂

@lukas-reining
Member

lukas-reining commented Nov 6, 2023

Just out of interest @toddbaert.
As OpenFeature is a CNCF project, wouldn't it make sense to use SPDX as format?
(Edit: Just saw that CNCF is a "supporter" of CycloneDX according to the CycloneDX page; thought that CNCF might prefer SPDX as it is a Linux Foundation project)

If so we could just use npm sbom to generate it, which we could also use for CycloneDX.

@toddbaert
Member Author

If someone else likes, this person can take it. Otherwise I would do it 🙂

Feel free!

Just out of interest @toddbaert. As OpenFeature is a CNCF project, wouldn't it make sense to use SPDX as format? (Edit: Just saw that CNCF is a "supporter" of CycloneDX according to the CycloneDX page; thought that CNCF might prefer SPDX as it is a Linux Foundation project)

If so we could just use npm sbom to generate it, which we could also use for CycloneDX.

CycloneDX is a bit more minimalist and was specifically designed for SBOMs, whereas SPDX is more general. We also use it in the Java SDK, so that's why I favor it, but I would be fine with SPDX as well.

As far as tooling, I think a GitHub action is the easiest way since it will save you a bit of GitHub YAML, but again I don't mind as long as it works!

Let me know if I should assign this to you.

@lukas-reining lukas-reining self-assigned this Nov 11, 2023
@lukas-reining
Member

Okay, sounds good to me!
I assigned myself and will do this in the next days.

@toddbaert
Member Author

toddbaert commented Nov 11, 2023

Thanks! Whatever we do here we also can eventually do in the contribs. That will probably be a bit harder because it's a monorepo.

open-feature/js-sdk-contrib#629
