Implement Paketo RFC 0038: CycloneDX + Syft SBOM #496
Comments
This is currently blocked on adding sbom features in packit paketo-buildpacks/packit#255

If we remove the node.js module bom buildpack then we should also remove it from the build plans defined in this meta buildpack. I'd feel comfortable using this issue to track that work, given it takes place in this repo.

I can't edit the comment to add links directly, but I created some issues: I didn't create issues for the

This is unblocked now that Packit v2.0.0 has been released

@paketo-buildpacks/nodejs-maintainers What's missing before we are able to close out this issue?

I think this is done.

To implement Paketo RFC0038, this buildpack (and the implementation buildpacks inside) will need to move from storing SBOM information in layer metadata to storing it in files that the CNB lifecycle can manipulate during the build. The RFC outlines what these files are and what they should contain.
This issue serves as a meta-issue for work required to complete this work for the Nodejs language family. This will require (link GitHub issues as they are created):
- node_module SBOM for npm apps (Generate SBOM for node_modules npm-install#296)
- node-module-bom buildpack from the order groups in this language family
- node_module SBOM for yarn apps (Generate SBOM for node_modules yarn-install#280)
- Potentially, changes to yarn-start, npm-start, and node-start buildpacks to generate SBOMs as well

Edit: Removing this step and deferring this work in these investigation issues: