Implement Paketo RFC0044: Disable SBOM #1126

Open
candrews opened this issue Jun 14, 2023 · 3 comments

candrews commented Jun 14, 2023

Describe the Enhancement

This buildpack should opt-in to allowing users to disable SBOM generation. In doing so, it should conform to Paketo RFC044.

When BP_DISABLE_SBOM is set to true, buildpacks that allow SBOM to be omitted from their output should refrain from generating or attaching an SBOM in their outputs. This would apply to both new (Syft, CycloneDX, and SPDX formats) and old (label) SBOM outputs.

Additionally, when this variable is set to true a buildpack should set an image label of io.paketo.sbom.disabled to true. This label interface would allow downstream consumers of the image to understand that SBOM generation had been explicitly disabled.

Possible Solution

Motivation

SBOM generation can take substantial time. There may also be other reasons for wanting this functionality to be disabled.
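The behaviour the issue asks for, as an added example that is not part of the issue or of any buildpack's own code: a bin/build fragment that checks BP_DISABLE_SBOM, skips writing the SBOM file and instead records the io.paketo.sbom.disabled label in launch.toml. The Buildpack API layout (layers directory as the first argument, `[[labels]]` entries in launch.toml, launch.sbom.cdx.json as the output name) is assumed from the spec; generate_sbom is a hypothetical stand-in for a real scanner such as Syft, and matching "true" case-insensitively is an assumption rather than RFC text.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or any buildpack project.
# Assumes the Buildpack API layout: $1 is the layers directory the
# lifecycle passes to bin/build.

# Hypothetical stand-in for a real SBOM generator (e.g. Syft); it writes a
# minimal CycloneDX-shaped document so the control flow can be exercised.
generate_sbom() {
  printf '{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}\n' > "$1"
}

# Returns 0 when BP_DISABLE_SBOM is "true" (case-insensitive, an assumption).
sbom_disabled() {
  case "$(printf '%s' "${BP_DISABLE_SBOM:-}" | tr '[:upper:]' '[:lower:]')" in
    true) return 0 ;;
    *)    return 1 ;;
  esac
}

# Append the io.paketo.sbom.disabled label to launch.toml so downstream
# consumers can tell the SBOM is absent on purpose, not lost by mistake.
write_disabled_label() {
  cat >> "$1/launch.toml" <<'EOF'
[[labels]]
key = "io.paketo.sbom.disabled"
value = "true"
EOF
}

# Build step: either emit the launch SBOM or the "disabled" label, never both.
build_with_sbom_policy() {
  layers="$1"
  mkdir -p "$layers"
  if sbom_disabled; then
    write_disabled_label "$layers"
    echo "SBOM generation disabled via BP_DISABLE_SBOM" >&2
  else
    generate_sbom "$layers/launch.sbom.cdx.json"
  fi
}
```

A consumer can then treat a missing SBOM as intentional only when the label is present; an image with neither has silently lost its component inventory.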

@edmorley (Contributor)

@candrews Hi!

When I first read this issue's title, I interpreted the "RFC044" reference to mean RFC 44 of the buildpacks.io project, however, from the link in the issue description it instead seems to be Paketo's own RFC? It is probably useful to mention Paketo in the description as a "prior art", so I'm not suggesting that should be removed, but I think the issue title and description need to be reworked to make it clear this is a feature request, and not a "this has already been decided in this project in an approved RFC" type issue (which are commonly seen in this repo, filed by maintainers).

@candrews candrews changed the title Implement RFC0044: Disable SBOM Implement Packeto RFC0044: Disable SBOM Jun 14, 2023
@candrews candrews changed the title Implement Packeto RFC0044: Disable SBOM Implement Paketo RFC0044: Disable SBOM Jun 14, 2023
@candrews (Author)

Thanks for those great points - do the tweaks I made address those concerns? If not, please let me know what else I can do.

@edmorley (Contributor)

Thank you - I think that helps prevent any confusion :-)

Since this affects user facing API, I would presume (I'm not a maintainer of this project, so not 100% sure) that this would need an RFC here before any code changes could be accepted:
https://github.com/buildpacks/rfcs#readme

Something that may be worth addressing in any RFC is whether this feature should be implemented as "disable SBOMs for buildpacks only" or "disable all SBOMs". For the Paketo RFC it made sense that they proposed the feature be buildpack-only, since they cannot control the upstream SBOM parts themselves (the SBOMs generated by lifecycle etc). However, that limitation wouldn't apply for the buildpacks.io project, so perhaps it would make more sense for SBOM enabling/disabling to be controlled at the platform/lifecycle level (with presumably some env var exposed by lifecycle to inform buildpacks as to whether they should run their SBOM steps)?
