[Bug]: Incorrect cover of CLO Monitor SBOM check. #437

Closed
matglas opened this issue Apr 30, 2024 · 3 comments · Fixed by #451
Labels
bug Something isn't working good first issue Good for newcomers

Comments

matglas (Contributor) commented Apr 30, 2024

What steps did you take and what happened:

It looks like the check for SBOM by CLO Monitor is not correct. We do not output an SBOM yet on the project in a parsable location. The reason the check is successful is because of an article on SBOM that matches the regex.

What did you expect to happen:

I reviewed the CLO Monitor for go-witness because it had a green SBOM check. Looking at the witness project for its way of providing the SBOM, I noticed it did not 'provide' the SBOM. It was only green because of the article link mentioning SBOM in the README.

https://clomonitor.io/projects/cncf/in-toto#witness_security


matglas added the bug label Apr 30, 2024

matglas (Contributor, Author) commented May 17, 2024

I think this could be marked as a good first issue. Looking into outputting SBOM information in the releases so people benefit from it and we will have correct coverage of the check.

matglas (Contributor, Author) commented May 17, 2024

@jkjell could you take a look at this proposal?

jkjell added the good first issue label May 17, 2024

jkjell (Member) commented May 17, 2024

Yeah, we definitely should fix this. Since we use goreleaser, it should be pretty easy to add the extra config into the .goreleaser.yaml to generate and sign the SBOM.
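What the proposed fix looks like in practice, as an added example of a `.goreleaser.yaml` fragment. This is not the witness project's own configuration and not the change merged in #451; it assumes the existing `builds:` and `archives:` sections stay as they are, that `syft` and `cosign` are on `PATH` in the release job, and that keyless (Sigstore) signing is acceptable. The SBOM document name and the `id` values are illustrative choices.

```yaml
# Added example, not the project's config: generate one SPDX SBOM per
# release archive with syft, then sign each SBOM with cosign so the
# document (and not just the README prose) can be verified.

sboms:
  - id: archive-sbom
    artifacts: archive                       # one SBOM per release archive
    cmd: syft
    args: ["$artifact", "--output", "spdx-json=$document"]
    documents:
      - "${artifact}.spdx.sbom.json"         # file name is an assumption

signs:
  - id: sbom-sign
    cmd: cosign
    artifacts: sbom                          # sign only the SBOM documents above
    certificate: "${artifact}.pem"           # Fulcio cert emitted by keyless signing
    signature: "${artifact}.sig"
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes"                              # non-interactive: accept the Sigstore prompt
```

GoReleaser uploads the generated `.spdx.sbom.json`, `.pem` and `.sig` files as release assets alongside the archives, which is the "parsable location" the checker can look for. Keyless signing in GitHub Actions needs `id-token: write` on the release job; a consumer then verifies a downloaded SBOM with `cosign verify-blob`, passing the `.pem` and `.sig` plus the expected certificate identity and OIDC issuer, before trusting its contents.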
