
Generate SBOMs for Hipcheck Distribution Artifacts

Open · alilleybrinker opened this issue 1 year ago · 1 comment

Hipcheck today effectively produces three artifacts with each release, each of which should have an SBOM:

  • [ ] hc binary
  • [ ] hc-update binary (produced by cargo-dist)
  • [ ] Hipcheck Docker image published to Docker Hub

Of these, the binaries are probably easiest to produce an SBOM for, but it's the Docker container SBOM we probably care about the most.

This will also involve deciding if we want to produce CycloneDX and/or SPDX SBOMs.

EDIT:

We've decided to wait for these to be resolved by the cargo-dist folks, who are working on automatic SBOM generation.

alilleybrinker avatar Jul 01 '24 20:07 alilleybrinker

We will use SPDX as the intended SBOM standard (for now), in the interest of choosing a standard.

mchernicoff avatar Aug 01 '24 17:08 mchernicoff
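To make the SPDX decision concrete, here is an added example (not Hipcheck project code and not from either commenter) of what a minimal SPDX 2.3 JSON document for the `hc` binary could look like, together with a structural check a release pipeline could run before publishing it. The document is hand-constructed: the version `0.0.0-example`, the `pkg:cargo/hipcheck` package URL, the `serde` dependency entry, the document namespace and the tool name in `creators` are all placeholders, not values taken from a real Hipcheck release.

```python
"""Structural sanity check for an SPDX 2.3 (JSON) release SBOM.

Added example, not Hipcheck project code. The embedded SBOM is constructed by
hand to show the shape of a document describing the `hc` binary; every version,
purl and URL in it is a placeholder.
"""
import json

# Constructed SPDX 2.3 document. "0.0.0-example", the purls, the namespace and
# the creator tool name are placeholders, not real release data.
EXAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "hc-0.0.0-example",
    "documentNamespace": "https://example.invalid/spdx/hc-0.0.0-example",
    "creationInfo": {
        "created": "2024-08-01T17:00:00Z",
        "creators": ["Tool: example-sbom-generator-0.1"],
    },
    "packages": [
        {
            "name": "hc",
            "SPDXID": "SPDXRef-Package-hc",
            "versionInfo": "0.0.0-example",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "licenseConcluded": "NOASSERTION",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:cargo/hipcheck@0.0.0-example",
            }],
        },
        {
            "name": "serde",
            "SPDXID": "SPDXRef-Package-serde",
            "versionInfo": "1.0.0",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "licenseConcluded": "NOASSERTION",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:cargo/serde@1.0.0",
            }],
        },
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-hc"},
        {"spdxElementId": "SPDXRef-Package-hc", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-serde"},
    ],
})

REQUIRED_DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                       "documentNamespace", "creationInfo", "packages")
REQUIRED_PKG_FIELDS = ("name", "SPDXID", "downloadLocation")


def check_spdx(text: str) -> list[str]:
    """Return the problems found in an SPDX JSON document (empty list = ok)."""
    problems = []
    doc = json.loads(text)
    for field in REQUIRED_DOC_FIELDS:
        if field not in doc:
            problems.append(f"missing document field: {field}")
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        problems.append("unexpected spdxVersion")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("document SPDXID must be SPDXRef-DOCUMENT")
    ids = {"SPDXRef-DOCUMENT"}
    for pkg in doc.get("packages", []):
        name = pkg.get("name", "?")
        for field in REQUIRED_PKG_FIELDS:
            if field not in pkg:
                problems.append(f"package {name} missing {field}")
        pid = pkg.get("SPDXID")
        if pid in ids:
            problems.append(f"duplicate SPDXID: {pid}")
        ids.add(pid)
        # A purl is what lets downstream tooling match a package to advisories.
        if not any(r.get("referenceType") == "purl" for r in pkg.get("externalRefs", [])):
            problems.append(f"package {name} has no purl")
    rels = doc.get("relationships", [])
    for rel in rels:
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(key) not in ids:
                problems.append(f"relationship references unknown element: {rel.get(key)}")
    if not any(r.get("relationshipType") == "DESCRIBES"
               and r.get("spdxElementId") == "SPDXRef-DOCUMENT" for r in rels):
        problems.append("document does not DESCRIBE any package")
    return problems


def described_packages(text: str) -> list[str]:
    """Names of the packages the document DESCRIBES, i.e. the release artifacts."""
    doc = json.loads(text)
    by_id = {p["SPDXID"]: p["name"] for p in doc.get("packages", [])}
    return [by_id[r["relatedSpdxElement"]] for r in doc.get("relationships", [])
            if r.get("relationshipType") == "DESCRIBES" and r["relatedSpdxElement"] in by_id]


if __name__ == "__main__":
    print(check_spdx(EXAMPLE_SBOM) or "SBOM looks structurally sound")
    print("describes:", described_packages(EXAMPLE_SBOM))
```

The check is deliberately limited to structure: it confirms the document identifies itself, that every package has an ID and a purl, that relationships only point at elements the document defines, and that the document actually DESCRIBES something. Whether the listed dependencies match what was compiled into `hc` is a separate question that only the generating tool (here, cargo-dist once its SBOM support lands) can answer.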