🌱 SBOM

[mudler]

In order to keep track and be transparent on what is shipped on each release, would be preferred to have an automated process that collects SBOM information in c3os context

Action items

On releases, we should attach among artifacts:

• Collect go.mod dependencies
• Collect binaries dependencies SBOM (packages + license) https://github.com/anchore/syft
• Collect luet packages SBOM

Open questions

• How to collect k3s in SBOM?
• How to collect bundles SBOM?

We use

• K3s
• Base distro packages (kernel, systemd, grub, etc)
• Our packages
• Elemental-cli (fork)
• EdgeVPN (uses libp2p)
• Luet
• KubeVIP

Deliverables

(those might already exist, to 👀 )

• tool to create spdx files out from OS packages information
• tool to create spdx files out from luet installed packages

Already existing tools

• OS level sbom: https://github.com/anchore/syft
• Go SBOM: https://github.com/CycloneDX/cyclonedx-gomod

Action Items

• SBOM attached to releases for kairos-io/kairos
• SBOM attached to releases for kairos-io/provider-kairos

[mudler]

with syft seems already promising. I get a full list of OS level + golang binary mod dependency list at file level. I'd say that would cover all the above:

syft:
    FROM anchore/syft:latest
    SAVE ARTIFACT /syft syft

image-sbom:
    FROM +docker
    WORKDIR /build
    COPY +version/VERSION ./
    ARG VERSION=$(cat VERSION)
    ARG FLAVOR
    COPY +syft/syft /usr/bin/syft
    RUN syft / -o json=sbom.syft.json -o spdx-json=sbom.spdx.json
    SAVE ARTIFACT /build/sbom.syft.json sbom.syft.json AS LOCAL core-${FLAVOR}-${VERSION}-sbom.syft.json
    SAVE ARTIFACT /build/sbom.spdx.json sbom.spdx.json AS LOCAL core-${FLAVOR}-${VERSION}-sbom.spdx.json

core-debian-v1.6.0-14-g193c740-dirty-sbom.s.zip

[mudler]

#998 covers kairos-io/kairos. we need to do the same for kairos-io/provider-kairos

[mudler]

opened kairos-io/provider-kairos#256 for provider-kairos