SBOM Composing: apko needs to keep data from the apk system

[puerco]

Current Issue:

When apko finds an SBOM inside of an apk describing it, it will import the data from the apk SBOM and compose it in the right place in the image SBOM it builds. While the composed SBOM is structurally correct, the original SPDX package generated from the apkdb is completely replaced with the equivalent found inside the apk.

Replacing the package improves the composed SBOM as the apk SBOM should have richer data for the package but it nevertheless discards some important information from the apkdb such as the declared license or the package checksum.

Solution

This enhancement would modify apko to enrich the imported apk SPDX package with data from the original, apkdb-derived SPDX package before discarding the original package.

[luhring]

discards some important information from the apkdb such as the declared license or the package checksum

@puerco Quick question — I understand the package checksum part, but why would it be preferable to get the declared license from the apkdb instead of getting it from the apk's SBOM?

[kaniini]

I think what @puerco is saying is that we should fall back to apkdb when an SBOM is not available. The SBOM should be preferred over the apkdb as the data will be richer.

[luhring]

The SBOM should be preferred over the apkdb as the data will be richer.

Great! If this is the philosophy, I think that's a good plan. 👍

[puerco]

we should fall back to apkdb when an SBOM is not available

Right, in general. We will start with the data from the apkdb and complement it with that from the apk SBOM. As of now we replace the apkdb SPDX package entirely.

Finer control should be available when we have a good composing library. For example to choose which fields when you have fields in both, etc.