Basic SBOM generation in apks

Open puerco opened this issue 3 years ago • 3 comments

This PR wires SBOM generation into the melange build process.

It creates basic SBOMs for all apks built by melange. The SBOMs themselves only inventory the apk contents and write them to the SBOM. In the next iterations we will start adding features to the SBOMs like language and build deps, vcs references, smarter licensing, etc.

Closes https://github.com/chainguard-dev/melange/issues/141

puerco avatar Nov 29 '22 00:11 puerco

The reproducible builds test is now failing as the .apk is packaging the SBOM. Fixing.

puerco avatar Nov 29 '22 00:11 puerco

Looks good once the e2e tests are fixed.

kaniini avatar Nov 29 '22 01:11 kaniini

I had missed a few bits where the SBOM creation was not deterministic. Fixed now.

puerco avatar Nov 29 '22 02:11 puerco
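The two points the thread touches, an SBOM that only inventories the apk payload and an SBOM whose generation has to be deterministic so the reproducible-builds check over the .apk still passes, can be shown together in a small Go program. This is an added example, not melange's code: the SPDX 2.3 field subset, the `example.invalid` namespace scheme, the tool name in `creators` and the sample payload are all assumptions made here for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Minimal subset of the SPDX 2.3 JSON document shape, enough to inventory the
// files of one apk. Field names follow the SPDX JSON schema; the subset itself
// is an assumption of this example, not melange's data model.
type spdxChecksum struct {
	Algorithm string `json:"algorithm"`
	Value     string `json:"checksumValue"`
}

type spdxFile struct {
	FileName  string         `json:"fileName"`
	SPDXID    string         `json:"SPDXID"`
	Checksums []spdxChecksum `json:"checksums"`
}

type spdxPackage struct {
	Name             string   `json:"name"`
	SPDXID           string   `json:"SPDXID"`
	VersionInfo      string   `json:"versionInfo"`
	DownloadLocation string   `json:"downloadLocation"`
	FilesAnalyzed    bool     `json:"filesAnalyzed"`
	HasFiles         []string `json:"hasFiles"`
}

type spdxCreationInfo struct {
	Created  string   `json:"created"`
	Creators []string `json:"creators"`
}

type spdxDocument struct {
	SPDXVersion       string           `json:"spdxVersion"`
	DataLicense       string           `json:"dataLicense"`
	SPDXID            string           `json:"SPDXID"`
	Name              string           `json:"name"`
	DocumentNamespace string           `json:"documentNamespace"`
	CreationInfo      spdxCreationInfo `json:"creationInfo"`
	Packages          []spdxPackage    `json:"packages"`
	Files             []spdxFile       `json:"files"`
}

// hexSHA256 returns the lowercase hex SHA-256 of data.
func hexSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// buildSBOM inventories an apk payload (path -> sha256 hex of the file content)
// and renders it as SPDX JSON. Three decisions make the output byte-identical
// across rebuilds of the same inputs, which a reproducible-build check over the
// .apk needs once the SBOM is packaged inside it:
//   1. paths are sorted, because Go map iteration order is randomised per run;
//   2. the creation time is supplied by the caller (e.g. from SOURCE_DATE_EPOCH)
//      instead of time.Now();
//   3. the document namespace is derived from a digest of the inventory rather
//      than a random UUID.
func buildSBOM(pkgName, version string, payload map[string]string, epoch time.Time) ([]byte, error) {
	paths := make([]string, 0, len(payload))
	for p := range payload {
		paths = append(paths, p)
	}
	sort.Strings(paths)

	h := sha256.New() // digest of the sorted inventory, feeds the namespace
	files := make([]spdxFile, 0, len(paths))
	fileIDs := make([]string, 0, len(paths))
	for i, p := range paths {
		fmt.Fprintf(h, "%s\x00%s\n", p, payload[p])
		id := fmt.Sprintf("SPDXRef-File-%d", i) // index is stable after sorting
		files = append(files, spdxFile{
			FileName:  "./" + p,
			SPDXID:    id,
			Checksums: []spdxChecksum{{Algorithm: "SHA256", Value: payload[p]}},
		})
		fileIDs = append(fileIDs, id)
	}
	inventoryDigest := hex.EncodeToString(h.Sum(nil))

	doc := spdxDocument{
		SPDXVersion: "SPDX-2.3",
		DataLicense: "CC0-1.0",
		SPDXID:      "SPDXRef-DOCUMENT",
		Name:        fmt.Sprintf("apk-%s-%s", pkgName, version),
		// Hypothetical namespace scheme: identical inventories get identical namespaces.
		DocumentNamespace: "https://example.invalid/spdx/" + pkgName + "/" + inventoryDigest,
		CreationInfo: spdxCreationInfo{
			Created:  epoch.UTC().Format(time.RFC3339),
			Creators: []string{"Tool: example-sbom-generator"}, // assumed tool name
		},
		Packages: []spdxPackage{{
			Name: pkgName, SPDXID: "SPDXRef-Package-" + pkgName, VersionInfo: version,
			DownloadLocation: "NOASSERTION", FilesAnalyzed: true, HasFiles: fileIDs,
		}},
		Files: files,
	}
	// encoding/json emits struct fields in declaration order, so the byte layout
	// is fixed; MarshalIndent only makes the result readable.
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	// Constructed payload standing in for the contents of a built apk.
	payload := map[string]string{
		"usr/bin/hello":        hexSHA256([]byte("#!/bin/sh\necho hello\n")),
		"etc/hello/hello.conf": hexSHA256([]byte("greeting=hello\n")),
	}
	epoch := time.Date(2022, 11, 29, 0, 0, 0, 0, time.UTC)
	first, err := buildSBOM("hello", "1.0.0-r0", payload, epoch)
	if err != nil {
		panic(err)
	}
	second, _ := buildSBOM("hello", "1.0.0-r0", payload, epoch)
	fmt.Println(string(first))
	fmt.Println("reproducible:", string(first) == string(second))
}
```

The check that matters for the e2e failure described above is the last line of `main`: two builds of the same payload must produce the same bytes. If any of the three decisions in `buildSBOM` is undone (iterate the map directly, stamp `time.Now()`, or generate a UUID), the SBOM, and therefore the .apk that contains it, stops being reproducible.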