
Reproducible SBOMs #1100

Open
fg-j opened this issue Jul 13, 2022 · 3 comments

Comments

@fg-j
Contributor

fg-j commented Jul 13, 2022

What would you like to be added:
As the Syft JSON schema evolves, ensure that non-reproducible fields are optional so that users can generate spec-compliant SBOMs that are reproducible.

Why is this needed:
Filing this issue on behalf of the Paketo buildpacks project. We currently use syft as a library to generate SBOMs for the container images we build. We add these SBOMs into the built images. One of the value propositions of buildpacks is that builds can be reproducible. However, SBOMs put a wrinkle in this. The SPDX SBOM specification includes required fields like timestamps that aren’t reproducible. This forces us to choose between providing our users with build reproducibility OR spec-compliant SBOMs.

So far, Syft’s JSON schema seems to produce reproducible SBOMs, which is great for us! We wanted to flag that SBOM reproducibility is an important feature for us.

Additional context:
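An added example (not part of this issue or of Syft's code) of the tension the post describes: two SPDX JSON documents from separate builds of the same image, constructed inline, differ only in the spec-required `creationInfo.created` timestamp and the per-run `documentNamespace`. The script shows that the raw documents hash differently, while they compare equal once those volatile fields are set aside, and that a real content change (a different package version) is still detected. Field names follow SPDX 2.x JSON; all sample values are constructed.

```python
import copy
import hashlib
import json

# SPDX 2.x fields that are required by the spec but vary between otherwise
# identical builds: the creation timestamp, and the document namespace, which
# generators commonly build from a per-run UUID (assumption about generator output).
VOLATILE_PATHS = [
    ("creationInfo", "created"),
    ("documentNamespace",),
]


def strip_volatile(doc):
    """Return a copy of an SPDX JSON document with the volatile fields removed."""
    doc = copy.deepcopy(doc)
    for path in VOLATILE_PATHS:
        node = doc
        for key in path[:-1]:
            node = node.get(key, {})
        node.pop(path[-1], None)  # tolerate documents missing the field
    return doc


def canonical_digest(doc):
    """SHA-256 of a canonical JSON serialisation (sorted keys, fixed separators)."""
    data = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def reproducible(doc_a, doc_b):
    """True when two SBOMs agree on everything except the volatile fields."""
    return canonical_digest(strip_volatile(doc_a)) == canonical_digest(strip_volatile(doc_b))


# Constructed sample: the same image built twice (BUILD_1, BUILD_2), and once
# with a changed dependency (BUILD_3). Only the timestamp and namespace differ
# between the first two.
BUILD_1 = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "documentNamespace": "https://example.invalid/sbom/11111111-1111-1111-1111-111111111111",
    "creationInfo": {"created": "2022-07-13T10:00:00Z", "creators": ["Tool: example-generator"]},
    "packages": [{"name": "libexample", "SPDXID": "SPDXRef-Package-libexample", "versionInfo": "1.2.3"}],
}
BUILD_2 = copy.deepcopy(BUILD_1)
BUILD_2["documentNamespace"] = "https://example.invalid/sbom/22222222-2222-2222-2222-222222222222"
BUILD_2["creationInfo"]["created"] = "2022-07-14T08:30:00Z"
BUILD_3 = copy.deepcopy(BUILD_2)
BUILD_3["packages"][0]["versionInfo"] = "1.2.4"

if __name__ == "__main__":
    print("raw digests equal:", canonical_digest(BUILD_1) == canonical_digest(BUILD_2))  # False
    print("reproducible modulo volatile fields:", reproducible(BUILD_1, BUILD_2))  # True
    print("content change detected:", not reproducible(BUILD_1, BUILD_3))  # True
```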

@spiffcs
Contributor

spiffcs commented Jul 13, 2022

Thanks @fg-j!

Glad the current specification is working for your current use.

Since we're pre v1.0 for syft there is still room for changes in the future, but we'll make sure to keep reproducibility as one of the core tenets we try to stick by.

Feel free to reach out or ping if anything breaks in the near future. I'll also tag @wagoodman on this one since I know he's put a lot of thought into the reproducibility of our core schema.

@06kellyjac
Contributor

I raised a comment on this in the related issue: paketo-buildpacks/rfcs#176 (comment)

@kzantow kzantow added discussion and removed enhancement New feature or request labels Nov 17, 2022
@wagoodman
Contributor

What we should do is at least add more documentation as to the philosophies we follow when crafting SBOMs. I would say that keeping SBOMs easily reproducible is a core tenet of syft.
