Investigate generating an SBOM with this buildpack

[fg-j]

The sbom package in packit enables buildpack authors to easily generate SBOM content from the contents of an app directory. Now that this tooling exists, it's worth exploring whether this buildpack would provide value to users if it generated an SBOM.

Since this buildpack does not own/create a layer of its own, any SBOM the buildpack generates would be added to the launch SBOM.

Some initial questions to consider:

• What use cases exist where an SBOM generated at this of the build would be valuable?
• What performance penalties come with generating an SBOM in this buildpack?

[ryanmoran]

@fg-j My understanding has been that an SBOM would record artifacts that are added to the image, but this buildpack only produced metadata via the addition of launch processes. What do you imagine would exist in an SBOM produced by this buildpack?

[fg-j]

I share your understanding, @ryanmoran. I assume that if this buildpack generated an SBOM, it would contain information about which node_modules will appear in the launch image. I don't have deep enough context on NodeJS use-cases to say whether there are relevant examples where the set of node_modules changes between when npm install runs and when this buildpack runs, (i.e. the last step of the build). If they're always the same, I doubt generating an SBOM here would be useful.

[ryanmoran]

Would the yarn-install buildpack not already record what node_modules appear in the launch image? My understanding is that the yarn-start buildpack makes a requirement of node_modules at launch. This requirement is propagated to the yarn-install buildpack as it provides node_modules. Then during the build phase, the yarn-install buildpack would generate and record a SBOM for those node_modules that would ultimately appear in the run image because of how the node_module layer was required.

Is there something I am missing here that would make us want to re-record these node_modules in this buildpack?

[fg-j]

Given the scenario you described, I agree there's no reason to re-record the node_modules contents.

For some historical context, I wrote this issue simply to make visible my question "Would this even be useful?". The question arose from realizing that there are some cases where the SBOM from the go-mod-vendor buildpack differs meaningfully from the one generated by the go-build buildpack. Since much of the recent SBOM work happened quickly and asynchronously, I wanted to be sure this didn't slip through the cracks.

It sounds to me like you're implying that an SBOM generated by this buildpack wouldn't provide value. That's fine by me! Merely wanted to pose the question.

[ryanmoran]

I appreciate the effort at making sure we cover all our bases. To me, this question should be resolved as I think any kind of scenario we might identify for including an SBOM in this buildpack would be covered elsewhere in the Node.js family.