[RFC #0095] Lifecycle should merge CycloneDX bom files

Open buildpack-bot opened this issue 4 years ago • 2 comments

This issue has been automatically created from pull request buildpacks/rfcs#166.

A/C

Given for example the following file tree:

/layers
  /config
    /sbom
      /launch
        /buildpack.id
          bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id (only) in the merged file
          /cache-true-launch-true
            bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id and io.buildpacks.bom.layer.name in the merged file
      /build
        /buildpack.id
          bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id (only) in the merged file
          /cache-true-launch-false
            bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id and io.buildpacks.bom.layer.name in the merged file

The lifecycle should create a merged launch bom containing bom entries from /layers/config/sbom/launch and similarly for build. See Slack inquiry on whether the merged bom should live at /layers/config/sbom/launch/bom.cdx.json or /layers/config/launch/sbom/bom.cdx.json.

Note that this is only applicable to cdx files, as spdx does not have readily available tooling.

buildpack-bot avatar Oct 04 '21 13:10 buildpack-bot
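The merge described in the acceptance criteria above, as an added example that is not lifecycle code and not the cyclonedx-go API the later comments link to. It uses only the standard library with a hand-written subset of the CycloneDX JSON document model, and it assumes (an assumption, not something the issue states) that the `io.buildpacks.bom.buildpack.id` / `io.buildpacks.bom.layer.name` annotations are carried as CycloneDX `properties` name/value pairs on each component, derived from the file's position in the tree: `<buildpack.id>/bom.cdx.json` gets the buildpack id only, `<buildpack.id>/<layer>/bom.cdx.json` gets both. The sample tree it writes (`example-buildpack`, with `node`, `express`, `lodash` components) is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Minimal subset of the CycloneDX JSON document model, enough to merge components.
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type Component struct {
	Type       string     `json:"type"`
	Name       string     `json:"name"`
	Version    string     `json:"version,omitempty"`
	PURL       string     `json:"purl,omitempty"`
	Properties []Property `json:"properties,omitempty"`
}

type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Version     int         `json:"version"`
	Components  []Component `json:"components"`
}

// Property names from the RFC; the merged file records where every entry came from.
const (
	propBuildpackID = "io.buildpacks.bom.buildpack.id"
	propLayerName   = "io.buildpacks.bom.layer.name"
)

// MergeSBOMDir merges every bom.cdx.json under phaseDir (e.g. /layers/config/sbom/launch).
// Only .cdx.json files are considered; spdx files are skipped, as the issue scopes them out.
func MergeSBOMDir(phaseDir string) (*BOM, error) {
	merged := &BOM{BOMFormat: "CycloneDX", SpecVersion: "1.3", Version: 1}
	// filepath.Walk visits entries in lexical order, so the merged output is deterministic
	// and two runs over the same tree can be diffed byte for byte.
	err := filepath.Walk(phaseDir, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if info.IsDir() || info.Name() != "bom.cdx.json" {
			return nil
		}
		rel, err := filepath.Rel(phaseDir, path)
		if err != nil {
			return err
		}
		parts := strings.Split(filepath.ToSlash(rel), "/")
		var props []Property
		switch len(parts) {
		case 2: // <buildpack.id>/bom.cdx.json -> buildpack id only
			props = []Property{{Name: propBuildpackID, Value: parts[0]}}
		case 3: // <buildpack.id>/<layer>/bom.cdx.json -> buildpack id and layer name
			props = []Property{{Name: propBuildpackID, Value: parts[0]}, {Name: propLayerName, Value: parts[1]}}
		default: // anything else is not a location the RFC defines; refuse rather than guess
			return fmt.Errorf("unexpected sbom location %q", rel)
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		var bom BOM
		if err := json.Unmarshal(data, &bom); err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if bom.BOMFormat != "CycloneDX" {
			return fmt.Errorf("%s: bomFormat %q is not CycloneDX", path, bom.BOMFormat)
		}
		for _, c := range bom.Components {
			// c is a copy of the parsed component; the annotated copy goes into the merged BOM.
			c.Properties = append(c.Properties, props...)
			merged.Components = append(merged.Components, c)
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	return merged, nil
}

// HasProperty reports whether a component carries the given name/value pair.
func HasProperty(c Component, name, value string) bool {
	for _, p := range c.Properties {
		if p.Name == name && p.Value == value {
			return true
		}
	}
	return false
}

// WriteSampleTree writes a constructed launch tree (shape from the issue) under root
// and returns the launch directory to merge. Contents are sample data, not real SBOMs.
func WriteSampleTree(root string) (string, error) {
	launch := filepath.Join(root, "launch")
	hdr := BOM{BOMFormat: "CycloneDX", SpecVersion: "1.3", Version: 1}
	files := map[string][]Component{
		filepath.Join(launch, "example-buildpack", "bom.cdx.json"): {{Type: "library", Name: "node", Version: "16.10.0"}},
		filepath.Join(launch, "example-buildpack", "cache-true-launch-true", "bom.cdx.json"): {
			{Type: "library", Name: "express", Version: "4.17.1"}, {Type: "library", Name: "lodash", Version: "4.17.21"}},
	}
	for path, comps := range files {
		bom := hdr
		bom.Components = comps
		data, err := json.Marshal(bom)
		if err != nil {
			return "", err
		}
		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(path, data, 0o644); err != nil {
			return "", err
		}
	}
	return launch, nil
}

func main() {
	root, err := os.MkdirTemp("", "sbom")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	launch, err := WriteSampleTree(root)
	if err != nil {
		panic(err)
	}
	merged, err := MergeSBOMDir(launch)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(merged, "", "  ")
	fmt.Println(string(out))
}
```

Running the example prints one merged launch BOM with three components: `node` annotated with the buildpack id only, `express` and `lodash` annotated with both the buildpack id and `cache-true-launch-true`. The same function applied to the `build` directory produces the build BOM; where the merged file should be written (the two candidate paths in the issue) is left open here, as it is in the thread.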

Related cycloneDX issue here: https://github.com/CycloneDX/cyclonedx-go/issues/9 Let's see if they can provide an easy API method for us to do the merging.

aemengo avatar Oct 12 '21 22:10 aemengo

Related PR : https://github.com/CycloneDX/cyclonedx-go/pull/12

VinodAnandan avatar Oct 26 '21 09:10 VinodAnandan