Investigate generating an SBOM with this buildpack #170
Comments
@fg-j My understanding has been that an SBOM would record artifacts that are added to the image, but this buildpack only produced metadata via the addition of launch processes. What do you imagine would exist in an SBOM produced by this buildpack?
I share your understanding, @ryanmoran. I assume that if this buildpack generated an SBOM, it would contain information about which
Would the Is there something I am missing here that would make us want to re-record these
Given the scenario you described, I agree there's no reason to re-record the For some historical context, I wrote this issue simply to make visible my question "Would this even be useful?". The question arose from realizing that there are some cases where the SBOM from the go-mod-vendor buildpack differs meaningfully from the one generated by the go-build buildpack. Since much of the recent SBOM work happened quickly and asynchronously, I wanted to be sure this didn't slip through the cracks. It sounds to me like you're implying that an SBOM generated by this buildpack wouldn't provide value. That's fine by me! Merely wanted to pose the question.
I appreciate the effort at making sure we cover all our bases. To me, this question should be resolved as I think any kind of scenario we might identify for including an SBOM in this buildpack would be covered elsewhere in the Node.js family. |
The sbom package in packit enables buildpack authors to easily generate SBOM content from the contents of an app directory. Now that this tooling exists, it's worth exploring whether this buildpack would provide value to users if it generated an SBOM. Since this buildpack does not own/create a layer of its own, any SBOM the buildpack generates would be added to the launch SBOM.
Some initial questions to consider: