
being specific on directory structure

Open idunbarh opened this issue 2 years ago • 3 comments

Ref https://github.com/ossf/sbom-everywhere/blob/main/reference/sbom_naming.md

> 1. Directory Structure:
>
> Store SBOM files in a dedicated directory, separate from the source code. This might be a top-level directory in the repository named something like SBOMs.

I see one of the objectives of this document is to drive common locations and naming conventions to facilitate SBOM discovery. Like #32, I would expect this document to recommend a specific directory name. The current language is ambiguous.

Would the WG be interested in the following language?

> Store SBOM files in a dedicated directory, separate from the source code. This should be a top-level directory in the repository named sboms.

idunbarh avatar Aug 03 '23 04:08 idunbarh

Agreed.

Related, I think there is a case for suggesting a standard system installation directory for SBOMs, so they can be found locally. E.g. /lib/sboms/$packagename.cdx.json.

sjn avatar Apr 22 '24 02:04 sjn
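A concrete illustration of why a fixed directory name and file-name pattern matter for discovery, written for this thread as an added example (it is not code from the sbom-everywhere reference or from any commenter). It assumes the proposal above: a top-level `sboms/` directory and files named `<packagename>.cdx.json` (CycloneDX JSON); the same lookup works unchanged against an installation directory such as the suggested `/lib/sboms/`. The repository layout and the SBOM contents are constructed in a temporary directory so the script runs offline.

```python
"""Discover SBOM files laid out per the convention proposed in this issue.

Added example, not part of the sbom-everywhere reference or the issue thread.
Assumptions (not from the page): SBOMs live under a directory named `sboms/`
and are named `<packagename>.cdx.json` (CycloneDX JSON). The sample files
below are constructed in a temporary directory so the script runs offline.
"""
import json
import re
import tempfile
from pathlib import Path

SBOM_DIR = "sboms"  # directory name from the proposal above (assumed fixed)
# <packagename>.cdx.json; the package name is captured for reporting.
NAME_RE = re.compile(r"^(?P<pkg>[A-Za-z0-9][A-Za-z0-9._-]*)\.cdx\.json$")


def discover_sboms(sbom_dir):
    """Return ({packagename: path}, [ignored paths]) for one SBOM directory.

    Works for a repository's `sboms/` directory or an install location such as
    /lib/sboms/. Files that do not match the naming pattern are returned
    separately so a reviewer can see what convention-based discovery skips.
    """
    sbom_dir = Path(sbom_dir)
    found, ignored = {}, []
    if not sbom_dir.is_dir():
        return found, ignored
    for path in sorted(sbom_dir.iterdir()):
        match = NAME_RE.match(path.name)
        if path.is_file() and match:
            found[match.group("pkg")] = path
        else:
            ignored.append(path)
    return found, ignored


def load_cyclonedx(path):
    """Parse one CycloneDX JSON SBOM; return (specVersion, [(name, version), ...]).

    Raises ValueError when the file is JSON but not CycloneDX, so a mis-named
    file cannot silently pass as an SBOM.
    """
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"{path}: not a CycloneDX document")
    components = [(c.get("name"), c.get("version")) for c in doc.get("components", [])]
    return doc.get("specVersion"), components


def build_sample_repo():
    """Create a constructed repository layout in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="sbom-example-"))
    (root / SBOM_DIR).mkdir()
    sample = {  # constructed minimal CycloneDX document
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "left-pad", "version": "1.3.0"},
            {"type": "library", "name": "lodash", "version": "4.17.21"},
        ],
    }
    (root / SBOM_DIR / "mypkg.cdx.json").write_text(json.dumps(sample))
    # Wrong suffix: deliberately left unmatched by the naming convention.
    (root / SBOM_DIR / "notes.txt").write_text("not an sbom")
    # Correct name but outside the dedicated directory: invisible to discovery.
    (root / "other.cdx.json").write_text(json.dumps(sample))
    return root


def summarize(root):
    """Run discovery over a repository root and return a report dict."""
    found, ignored = discover_sboms(Path(root) / SBOM_DIR)
    report = {}
    for pkg, path in found.items():
        spec, components = load_cyclonedx(path)
        report[pkg] = {"specVersion": spec, "components": components}
    return {"sboms": report, "ignored": [p.name for p in ignored]}


if __name__ == "__main__":
    print(json.dumps(summarize(build_sample_repo()), indent=2))
```

Running it shows `mypkg` discovered with its two components, `notes.txt` listed as ignored, and `other.cdx.json` not reported at all, which is the point the thread makes: a tool can only find what the convention tells it where to look.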

A path that likely requires sudo would be a very subpar choice, I think.

ljharb avatar Apr 22 '24 03:04 ljharb

Ah, sorry. I'm specifically thinking of the situation after the build step (when an SBOM is produced), namely when the artifacts are installed. In this case I think accompanying SBOM files would be good to have installed in a standard location along with the build artifacts.

Apologies for that. I guess a separate ticket is in order then? :slightly_smiling_face:

sjn avatar Apr 22 '24 04:04 sjn