libcnb
Relax SBOM validation
We validate SBOM formats in libcnb, but this only takes into consideration the core mime type, not any additional parameters/specifiers.
We need to improve the validation to take into consideration additional parameters or relax it so that they are ignored.
This is similar to the following change in the lifecycle:
The builder, when validating buildpack-output SBOM files against buildpack-declared SBOM formats, will omit optional parameters in the declared media type from the comparison, allowing buildpacks to specify parameters in buildpack.toml (https://github.com/buildpacks/lifecycle/pull/834 by @natalieparellano)
@dmikusa , may I give it a try?
Absolutely. Let me know if you have questions or need me to take a look at a PR.
What additional parameters can I add to validateSBOMFormats? Can I include a CustomValidator or additionalMetadata if required? @dmikusa
@sagnik3788 Sorry for the delay, I was at a conference last week.
Technically you can add any parameters you want. That's a private method so we don't need to worry about breaking changes there.
My suggestion would be that you start by using the mime library to parse the mime types. One issue with the current implementation is that we process them as strings, which works OK for basic mime types like application/zip, but more complicated mime types like text/plain;charset=us-ascii will break it. Using the mime library will process those correctly. The link above has an example of that.
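Added example (not libcnb's own code; the function names and the sample formats are hypothetical) of the approach suggested above: parse both the declared and the output media type with Go's standard mime package and compare only the core type/subtype, so parameters such as version= or charset= are ignored and malformed values are rejected instead of silently mismatching.

```go
package main

import (
	"fmt"
	"mime"
)

// coreMediaType parses a media type with the standard mime package and
// returns the canonical (lower-cased) "type/subtype" with all parameters
// dropped. Malformed input is an error rather than a silent mismatch.
func coreMediaType(mediaType string) (string, error) {
	mt, _, err := mime.ParseMediaType(mediaType)
	if err != nil {
		return "", fmt.Errorf("invalid media type %q: %w", mediaType, err)
	}
	return mt, nil
}

// sbomFormatDeclared reports whether outputType (the media type of an SBOM
// file a buildpack wrote) matches one of the formats the buildpack declared
// in buildpack.toml, ignoring parameters on either side. Hypothetical name.
func sbomFormatDeclared(outputType string, declared []string) (bool, error) {
	want, err := coreMediaType(outputType)
	if err != nil {
		return false, err
	}
	for _, d := range declared {
		got, err := coreMediaType(d)
		if err != nil {
			return false, err
		}
		if got == want {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample input: formats a buildpack declares in buildpack.toml.
	declared := []string{"application/vnd.cyclonedx+json; version=1.4", "application/spdx+json"}
	for _, out := range []string{
		"application/vnd.cyclonedx+json",       // matches despite missing version=
		"APPLICATION/SPDX+JSON;charset=utf-8",  // case and charset= ignored
		"text/plain;charset=us-ascii",          // parses fine, simply not declared
		"application/vnd cyclonedx+json",       // malformed: reported as an error
	} {
		ok, err := sbomFormatDeclared(out, declared)
		fmt.Printf("%-40s declared=%v err=%v\n", out, ok, err)
	}
}
```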
@dmikusa can you review the PR?
@dmikusa is this in the 2.0 milestone because it cannot be done in 1.x or because it is a requirement to release 2.0?