
how to create a sbom for a Bundle #285

Open
DennisDenuto opened this issue Oct 25, 2021 · 2 comments
Labels
carvel accepted: This issue should be considered for future work and the triage process has been completed
priority/important-longterm: Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@DennisDenuto
Contributor

DennisDenuto commented Oct 25, 2021

I would like to have insight into what dependencies (+ transitive) / packages / libraries / licenses are being distributed by a Bundle.

Having an SBOM is a good standard to follow; however, generating an SBOM for a bundle doesn't capture any of the dependencies brought in by the referenced images. (It isn't clear to me whether it should either, since each image ref would also have its own SBOM - this might require some research.)

Can we have imgpkg workflow documentation (similar to the air-gapped env) that outlines:

  • How to generate an SBOM for a bundle
  • What information is captured in a bundle SBOM
@DennisDenuto DennisDenuto added the carvel triage This issue has not yet been reviewed for validity label Oct 25, 2021
@joaopapereira
Member

Going to accept this issue.

The expected outcome for this story is:

  1. Come up with a workflow that can be used by the users
  2. Create new issues with possible new features needed to create these SBOMs (This might not be a change in imgpkg itself but it could be a script to help automate the process)

@joaopapereira joaopapereira added carvel accepted This issue should be considered for future work and that the triage process has been completed priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed carvel triage This issue has not yet been reviewed for validity labels Nov 9, 2021
@ThomasVitale

The generated SBOM could be signed with cosign and added as a signed in-toto attestation to the image. I guess this issue is connected to #269.
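One shape the requested workflow could take, as an added example that is not imgpkg's own code and is not from any comment in this thread: after `imgpkg pull -b <bundle> -o <dir>` has written the bundle's `.imgpkg/images.yml`, the script below reads that ImagesLock, takes every digest-pinned image reference it lists, and emits the syft and cosign commands that would generate an SPDX SBOM per referenced image and attach it to that image as a signed in-toto attestation. Producing one SBOM per referenced image rather than one for the bundle alone is what captures the dependencies the bundle-level SBOM misses. Assumptions: the ImagesLock layout shown in the constructed sample (apiVersion/kind/images with an `image:` key per entry), that `syft` and `cosign` are installed and accept the flags shown (`syft <ref> -o spdx-json`, `cosign attest --key --type spdxjson --predicate`), and a signing key at `cosign.key`; the digests in the sample are made up. Tag-only references are rejected, because an SBOM for a moving tag cannot be tied to the artifact that was actually shipped.

```shell
#!/bin/sh
# Added example, not part of imgpkg. Enumerates the images an imgpkg bundle
# references (from the ImagesLock that `imgpkg pull -b <bundle> -o <dir>`
# writes to <dir>/.imgpkg/images.yml) and prints the syft/cosign commands
# that produce and attach a per-image SBOM. Prints commands rather than
# running them so the plan can be reviewed; pipe the output to sh to execute.

# Constructed sample ImagesLock (assumed layout; digests are made up).
SAMPLE_LOCK='apiVersion: imgpkg.carvel.dev/v1alpha1
kind: ImagesLock
images:
- annotations:
    kbld.carvel.dev/id: nginx
  image: index.docker.io/library/nginx@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
- image: ghcr.io/example/app@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
'

# lock_images: read an ImagesLock on stdin, print one image reference per line.
# Every reference must be pinned to a 64-hex-digit sha256 digest; a tag-only
# reference (e.g. nginx:latest) is reported on stderr and the function fails,
# because an SBOM for a moving tag cannot be tied to the bytes that shipped.
lock_images() {
  # Match "  image: <ref>" and "- image: <ref>" lines; image refs contain no
  # whitespace, so default word splitting in the for loop is safe.
  refs=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p')
  for ref in $refs; do
    digest="${ref##*@sha256:}"
    if [ "$digest" = "$ref" ] || [ "${#digest}" -ne 64 ]; then
      printf 'lock_images: %s is not digest-pinned\n' "$ref" >&2
      return 1
    fi
    case "$digest" in
      *[!0-9a-f]*) printf 'lock_images: %s has a malformed digest\n' "$ref" >&2; return 1 ;;
    esac
    printf '%s\n' "$ref"
  done
}

# sbom_commands <ref>: print the two commands for one image: generate an SPDX
# JSON SBOM with syft, then attach it to the image as a signed in-toto
# attestation with cosign (assumed flags; key file cosign.key is assumed).
sbom_commands() {
  ref="$1"
  digest="${ref##*@sha256:}"
  out="sbom-${digest}.spdx.json"
  printf 'syft %s -o spdx-json > %s\n' "$ref" "$out"
  printf 'cosign attest --key cosign.key --type spdxjson --predicate %s %s\n' "$out" "$ref"
}

# main [<dir>]: <dir> is the output directory of `imgpkg pull -b ... -o <dir>`.
# Without a usable directory the constructed sample lock is used instead.
main() {
  if [ $# -ge 1 ] && [ -f "$1/.imgpkg/images.yml" ]; then
    lock_images < "$1/.imgpkg/images.yml"
  else
    printf '%s' "$SAMPLE_LOCK" | lock_images
  fi | while IFS= read -r ref; do sbom_commands "$ref"; done
}

main "$@"
```

Running `sh sbom-bundle.sh <dir> | sh` executes the plan; the per-image attestations can then be checked with `cosign verify-attestation --type spdxjson` against each pinned reference. This covers only the images the bundle references, not the bundle image's own contents, which is exactly the gap the issue raises.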

Projects
Status: Unprioritized