
Add option to specify SBOM format

Open · mqf20 opened this issue 1 year ago · 2 comments

Currently, buildkit-syft-scanner generates only SPDX-JSON SBOMs.

Would the maintainers be open to supporting other types of SBOMs (e.g., CYCLONEDX-JSON)?

mqf20 · Jul 09 '24 08:07

If I remember correctly, SPDX is enforced right now on the BuildKit side. See https://github.com/moby/buildkit/blob/55a7483b0564a7ad5b2ce5e62512789dce327bca/frontend/attestations/sbom/sbom.go#L103.

@tonistiigi, is that something you'd consider changing on the BuildKit side? Perhaps get the predicate type from the created attestation?

cdupuis · Dec 09 '24 18:12

IIRC the main reason for it is that BuildKit will modify the SBOM to add the layer mapping once it has created the image layers. More formats would mean BuildKit needs to have separate code for all of them.

tonistiigi · Dec 09 '24 19:12
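To make the two points above concrete (BuildKit accepts only SPDX from the scanner, and it does so because it later rewrites the document to add layer information, so it needs to know the schema), here is an added Go example that is not code from BuildKit or buildkit-syft-scanner. It sniffs a JSON SBOM's top-level fields to decide whether it is SPDX (`spdxVersion`) or CycloneDX (`bomFormat`), maps that to the in-toto predicate type URI each format uses, and applies a strict SPDX-only gate like the one the thread describes. The field names and predicate URIs are from the SPDX JSON, CycloneDX JSON and in-toto attestation specs; the function names and the two sample documents are constructed for this example and are not the project's own API.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// in-toto predicate type URIs for the two SBOM formats discussed in the thread.
const (
	PredicateSPDX      = "https://spdx.dev/Document"
	PredicateCycloneDX = "https://cyclonedx.org/bom"
)

// sbomHeader captures only the top-level fields needed to identify the format.
// SPDX 2.x JSON carries "spdxVersion"; CycloneDX JSON carries "bomFormat".
type sbomHeader struct {
	SPDXVersion string `json:"spdxVersion"`
	BomFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
}

// DetectSBOMFormat returns the in-toto predicate type for a JSON SBOM.
// It errors on malformed JSON or on documents that are neither SPDX nor CycloneDX.
func DetectSBOMFormat(raw []byte) (string, error) {
	var h sbomHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		return "", fmt.Errorf("sbom is not valid JSON: %w", err)
	}
	switch {
	case h.SPDXVersion != "":
		return PredicateSPDX, nil
	case h.BomFormat == "CycloneDX":
		return PredicateCycloneDX, nil
	default:
		return "", errors.New("unrecognised SBOM format: no spdxVersion or bomFormat field")
	}
}

// CheckScannerOutput is a hypothetical SPDX-only gate, modelled on the
// behaviour described in the thread: anything that is not an SPDX document
// is rejected before any layer-mapping post-processing would run.
func CheckScannerOutput(raw []byte) error {
	pt, err := DetectSBOMFormat(raw)
	if err != nil {
		return err
	}
	if pt != PredicateSPDX {
		return fmt.Errorf("unsupported SBOM predicate %q: only %s is accepted", pt, PredicateSPDX)
	}
	return nil
}

// Constructed sample documents (minimal, not real scanner output).
var sampleSPDX = []byte(`{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"example-image","packages":[]}`)
var sampleCycloneDX = []byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","version":1,"components":[]}`)

func main() {
	for name, doc := range map[string][]byte{"spdx": sampleSPDX, "cyclonedx": sampleCycloneDX} {
		pt, err := DetectSBOMFormat(doc)
		fmt.Printf("%-9s predicate=%q detectErr=%v gateErr=%v\n", name, pt, err, CheckScannerOutput(doc))
	}
}
```

Running the block prints one line per sample: the SPDX document passes the gate, the CycloneDX document is detected correctly but rejected. A CycloneDX option in buildkit-syft-scanner would therefore need BuildKit to accept the second predicate type and carry its own CycloneDX rewrite path for the layer mapping, which is exactly the extra per-format code the last comment refers to.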