
Surface SBOMs from /var/lib/db/sbom

Open jdolitsky opened this issue 3 years ago • 1 comment

After building the image filesystem, scan the /var/lib/db/sbom directory looking for files in the form:

  • $package.cdx (CycloneDX)
  • $package.spdx.json (SPDX)

These files should be included during a melange build of APK with name $package.

The package data from these should be included in the final SBOM(s), noting the APK which it derives from.

jdolitsky, Jul 28 '22 14:07
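The scan described in the issue, as an added Go example that is not apko's own code: it applies the `$package.cdx` / `$package.spdx.json` naming convention to a listing of `/var/lib/db/sbom`, groups each file under the APK it derives from, and then cross-checks the result against the installed package set so that an SBOM with no matching installed package, or an installed package with no SBOM, is surfaced rather than silently dropped. The type and function names are my own, and the filenames in the test are constructed.

```go
package main

import (
	"sort"
	"strings"
)

// SBOMRef is one per-package SBOM file from /var/lib/db/sbom plus the APK it derives from.
type SBOMRef struct{ Package, Format, Path string } // Format: "cyclonedx" or "spdx"

// classifyName applies the $package.cdx / $package.spdx.json convention (longer suffix first).
func classifyName(name string) (pkg, format string, ok bool) {
	if strings.HasSuffix(name, ".spdx.json") {
		pkg, format = strings.TrimSuffix(name, ".spdx.json"), "spdx"
	} else if strings.HasSuffix(name, ".cdx") {
		pkg, format = strings.TrimSuffix(name, ".cdx"), "cyclonedx"
	}
	return pkg, format, pkg != "" // a bare ".cdx" or ".spdx.json" names no package
}

// IndexSBOMNames groups recognised filenames (e.g. from os.ReadDir) by package; other files are ignored.
func IndexSBOMNames(names []string) map[string][]SBOMRef {
	out := map[string][]SBOMRef{}
	for _, n := range names {
		if pkg, format, ok := classifyName(n); ok {
			out[pkg] = append(out[pkg], SBOMRef{pkg, format, n})
		}
	}
	return out
}

// Reconcile compares the index with the installed APK set: "orphans" are SBOMs whose package is
// not installed (unexpected image content), "missing" are installed packages with no SBOM (a gap).
func Reconcile(found map[string][]SBOMRef, installed []string) (orphans, missing []string) {
	inst := map[string]bool{}
	for _, p := range installed {
		inst[p] = true
		if _, ok := found[p]; !ok {
			missing = append(missing, p)
		}
	}
	for p := range found {
		if !inst[p] {
			orphans = append(orphans, p)
		}
	}
	sort.Strings(orphans) // sorted so reports are stable run to run
	sort.Strings(missing)
	return orphans, missing
}
```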

Upped this to P1 as I think it would give us a strong sell in demos if our SBOMs are bomb. For the moment at least it will be a USP.

amouat, Jul 28 '22 14:07

Closed by https://github.com/chainguard-dev/apko/pull/309 (thanks @puerco!)

luhring, Dec 09 '22 17:12