Skip to content

Generate SPDX SBOM at release time#538

Merged
jdolitsky merged 3 commits intohelm:mainfrom
puerco:sbom
Jan 30, 2022
Merged

Generate SPDX SBOM at release time#538
jdolitsky merged 3 commits intohelm:mainfrom
puerco:sbom

Conversation

@puerco
Copy link
Copy Markdown
Contributor

@puerco puerco commented Jan 30, 2022
edited
Loading

This PR adds the Kubernetes SBOM tool to the release workflow to generate a Software Bill of Materials.

There are two parts to achieve this, each split into a commit in the PR:

  1. The actions workflow now uses the new bom-installer action to install bom into the runner.
  2. The actual SBOM generation is done by a new script in scripts/sbom.sh that reads the artifacts and generates the SBOM including a) the source code and dependencies b) the container image c) the built tarballs.

/cc: @jdolitsky

Fixes #537

TODO:

The current change only writes the SBOM. It should then be stored in its final location

Structure

This is a sample visualization of the generated SBOM:

image

puerco added 2 commits January 29, 2022 23:18
@puerco
Add bom generation script
1dfba0f 
This commit adds a script in scripts/sbom.sh that generates
the SBOM for the release adding three kinds of elements to it:

	1. The source code with full dependencies
	2. The tarball distrubutions written in _dist
	3. The container image

The SBOM is written into the _dist directory.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
@puerco
Generate SBOM from build workflow
93c42c7 
This commit modifies the build pipeline to generate an SPDX SBOM
describing the release. It uses the new bom-installer action to
install the Kubernetes SBOM Tool into the runner and calls the
scripts/sbom.sh script which handles the generation.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
@jdolitsky jdolitsky added this to the v0.14.0 milestone Jan 30, 2022
@jdolitsky
Modify release pipeline to properly include SBOM
339599f 
Signed-off-by: Josh Dolitsky <josh@dolit.ski>
jdolitsky
jdolitsky approved these changes Jan 30, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@jdolitsky jdolitsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@puerco thank you! 🎉

This is great. Made a few changes to integrate with the release pipeline (I think that is related to your TODO item)

@jdolitsky jdolitsky merged commit 77d6cea into helm:main Jan 30, 2022
@puerco
Copy link
Copy Markdown
Contributor Author

puerco commented Jan 31, 2022

Exactly!! I wanted to talk to you about it before doing any of that stuff, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jdolitsky jdolitsky jdolitsky approved these changes

Assignees

No one assigned

Labels

size/M

Projects

None yet

Milestone

v0.14.0

Development

Successfully merging this pull request may close these issues.

Add SBOM to release artifacts

3 participants

@puerco @jdolitsky @helm-bot