New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support generating an additional SBOM file based on CycloneDX format #2808
Comments
Sounds good! |
On alternatives: There is also a Syft-based GitHub action to generate SBOMs https://github.com/marketplace/actions/anchore-sbom-action |
Thank you @developer-guy , when I created the issue with the SBOM generation proposal ( #2597 ), it was primarily focused around CycloneDX SBOM support and the initial implementation from @caarlos0 ( #2618 ) was using CycloneDX official tools. But the final implementation is not compatible with CycloneDX, even when I tried to invoke cyclonedx-gomod as cmd, it wasn't working.
IMO, the cyclonedx-gomod "app" mode ( https://github.com/CycloneDX/cyclonedx-gomod#subcommands ) generates the best CycloneDX SBOM. It will help to have all the build information as well as the dependency graph in the SBOM. |
@VinodAnandan what do you mean don't work? what happens? |
It is not generating a CycloneDX SBOM. |
It seems to be related to #2798 which changes behavior for builds:
- binary: app
env:
- CGO_ENABLED=0
goos:
- linux
- windows
- darwin
goarch:
- amd64
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags: |
-w
-s
-extldflags '-static'
archives:
- format: tar.gz
sboms:
- documents:
- "${artifact}.cdx.sbom"
artifacts: binary
cmd: cyclonedx-gomod
args: ["bin", "-version", "{{ .Tag }}", "-json", "-output", "$document", "$artifact"]
The artifact types seen when observing the
Which means that the |
Digging a little deeper, after allowing Once both of these issues are fixed it looks like this would be cleared up. A workaround for the second problem would be to change the document template:
(the first problem still would need to get fixed to try this out) |
problem with leaving binary there is: if the user uses Also its a bit weird that the sbom is for a binary but the release has only archives, imho. doesn't |
is this what the definition of an |
No, not in this case. The
Agreed, but it's also weird to request |
@caarlos0 , the cyclonedx-gomod supports multiple subcommands ( app, bin, mod, etc. ) which helps to generate SBOMs for different use cases. More information can be found below.
Source: https://github.com/CycloneDX/cyclonedx-gomod#usage . I prefer the app mode/subcommand as it can capture the build constraints and dependency graph information and it helps to produce accurate SBOMs. But with the current SBOM implementation, I couldn't figure out how to generate the SBOM with the app mode/build time. That is why I tried the bin command instead, which generates SBOM from binaries built with Go modules. The bin command utilises the "go version -m" under the hood and it may not be best for binaries that don't have this information. Thank @wagoodman . I appreciate your help. With the current SBOM implementation, I couldn't figure out how to generate the SBOM during the build phase. Could you please help with the generation of CycloneDX SBOM during the build time ("app" subcommand/mode https://github.com/CycloneDX/cyclonedx-gomod#app ) |
yeah, maybe we should rename it... but basically:
|
on goreleaser, if you enable the |
you shouldn't get archives when selecting |
@caarlos0 How can we have the "go version -m" information for a universal binary? Is there any other config other than IMO, we should prioritise the SBOM during the build phase ("cyclonedx-gomod app") over the pre-build or post-build ones. The build time can contain the most accurate and authentic data along with the build flags/attributes for an SBOM. |
I think its not possible, as the binary format is not recognized by |
I've opened a PR that addresses some of the asks here #2839 @VinodAnandan I missed your earlier ask about getting
This works by using
I realize that cyclonedx-gomod does not support archives right now, but I wanted to point out an alternative in case it does one day support this. The PR description references a 3rd more preferred approach since cyclonedx-gomod sits closer to the build process. |
Thank you, @wagoodman . You are awesome as always :). I can't wait for the SBOM generated during the build process, I think it will contain the most accurate and authentic data. It will be nice to capture the build constraints as well. |
I think this should be fixed, correct? |
I think so 🙌 what's your take @VinodAnandan and @developer-guy ? |
nice, will close, please reopen/ping if needed 🙏 thanks everyone :) |
@wagoodman sorry for the late reply, it is fixed !! thanks a lot for your help. |
Is your feature request related to a problem? Please describe.
No, it is not related to a problem.
Describe the solution you'd like
We have many tools that can allow us to generate an SBOM file based on CycloneDX format. So, let's add that support to GoReleaser. IMHO, when people specify command cyclonedx-gomod instead of syft, we can use that command to add arguments for it as we did for syft in line#55.
There is also a GitHub Action to download that tool that can help us quickly download and use it with the support that we think to add to GoReleaser.
👉 https://github.com/CycloneDX/gh-gomod-generate-sbom
Describe alternatives you've considered
Alternatively, Syft can generate CycloneDX format-based SBOM files, so, we can create an additional flag which we can accept a type of SBOM according to that we can override the --output argument of the Syft tool to let it generate a CycloneDX format based SBOM file.
Search
Code of Conduct
Additional context
Please feel free to assign it to me @caarlos0. I'm willing to work on it 🙋🏻♂️
The text was updated successfully, but these errors were encountered: