SBOM support in "cosign attach" and "cosign download sbom". #387

Merged (1 commit), Jun 26, 2021

Conversation

dlorenc (Member) commented Jun 24, 2021

Signed-off-by: Dan Lorenc <dlorenc@google.com>

cpanato added this to the v0.6.0 milestone Jun 24, 2021
return err
}
// TODO: Fix me.
m.Config.MediaType = "application/vnd.sbom.config.v1+json"
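Review bot: the `// TODO: Fix me.` above `m.Config.MediaType = "application/vnd.sbom.config.v1+json"` should not survive into the merged commit; either settle the config media type here or replace the placeholder with a pointer to whatever tracks the decision. A string that registries and clients will match on tends to become permanent the moment it ships, so a provisional value next to an unresolved TODO is the worst of both outcomes.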
dlorenc (Member Author):
@jonjohnsonjr what do I put here?

Contributor:
Is there any useful configuration you'd want to put in there?

dlorenc (Member Author):
No. I could eventually see the need for multiple SBOMs (one for the overall image, then some for sub-parts), but that would get tackled via annotations on each layer to indicate which portion of the image the SBOM is intended to cover.

dlorenc force-pushed the sbom branch 3 times, most recently from f5f1877 to 784c153, June 25, 2021 21:47
if err != nil {
return err
}
m.Config.MediaType = "text/spdx"
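Review bot: `m.Config.MediaType = "text/spdx"` hard-codes one SBOM format, so any non-SPDX document attached through this path is mislabelled as SPDX and a consumer keying on the media type will parse it wrongly. Select the media type from the format the caller declares and return an error for anything unrecognised rather than falling through to a fixed value; the error check directly above is the right place to add that failure path.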
Contributor:
Is it possible to support both cyclonedx and spdx here?

dlorenc (Member Author):
Yup! Added.
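The two design points settled in this thread (a config blob that carries no useful configuration, and a per-format layer media type with annotations marking which part of the image each SBOM covers) map onto an OCI manifest as follows. This is an added example using only the Go standard library; it is not code from this PR or from cosign. `application/vnd.sbom.config.v1+json` and `text/spdx` are taken from the snippets above; the CycloneDX media type, the `example.sbom/covers` annotation key, and the function names are assumptions made for the illustration. `VerifyManifest` is the check a downloader should perform before trusting the SBOM bytes: every blob must hash to the digest and size recorded in the manifest.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// The config type and "text/spdx" come from the PR snippets above; the CycloneDX
// type and the annotation key are assumptions for this example, not cosign's.
const (
	sbomConfigMediaType = "application/vnd.sbom.config.v1+json"
	spdxMediaType       = "text/spdx"
	cycloneDXMediaType  = "application/vnd.cyclonedx+json"
	coversAnnotationKey = "example.sbom/covers" // hypothetical
)

// Descriptor and Manifest hold the OCI image-manifest fields this example needs.
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type Manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Config        Descriptor   `json:"config"`
	Layers        []Descriptor `json:"layers"`
}

// SBOMPart is one SBOM to attach plus the part of the image it describes.
type SBOMPart struct {
	Format, Covers string // Format "spdx" or "cyclonedx"; Covers e.g. "image", "layer:0"
	Content        []byte
}

var layerMediaTypes = map[string]string{"spdx": spdxMediaType, "cyclonedx": cycloneDXMediaType}

// digest returns the OCI-style "sha256:<hex>" digest of b.
func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// layerMediaType rejects unknown formats instead of attaching under a guessed type.
func layerMediaType(format string) (string, error) {
	if mt, ok := layerMediaTypes[format]; ok {
		return mt, nil
	}
	return "", fmt.Errorf("unsupported SBOM format %q (want spdx or cyclonedx)", format)
}

// BuildSBOMManifest makes each SBOM a layer under an empty-JSON config (the
// config carries no settings) and returns all blobs keyed by digest for upload.
func BuildSBOMManifest(parts []SBOMPart) (Manifest, map[string][]byte, error) {
	config := []byte("{}")
	blobs := map[string][]byte{digest(config): config}
	m := Manifest{SchemaVersion: 2, MediaType: "application/vnd.oci.image.manifest.v1+json"}
	m.Config = Descriptor{MediaType: sbomConfigMediaType, Digest: digest(config), Size: int64(len(config))}
	for _, p := range parts {
		mt, err := layerMediaType(p.Format)
		if err != nil {
			return Manifest{}, nil, err
		}
		d := digest(p.Content)
		blobs[d] = p.Content
		m.Layers = append(m.Layers, Descriptor{MediaType: mt, Digest: d, Size: int64(len(p.Content)),
			Annotations: map[string]string{coversAnnotationKey: p.Covers}})
	}
	return m, blobs, nil
}

// VerifyManifest is the download-side check: every referenced blob must hash to
// the recorded digest and size before its content is trusted.
func VerifyManifest(m Manifest, blobs map[string][]byte) error {
	for _, d := range append([]Descriptor{m.Config}, m.Layers...) {
		if b, ok := blobs[d.Digest]; !ok || digest(b) != d.Digest || int64(len(b)) != d.Size {
			return fmt.Errorf("blob %s missing or does not match its descriptor", d.Digest)
		}
	}
	return nil
}

func main() {
	parts := []SBOMPart{ // constructed sample documents, not real tool output
		{Format: "spdx", Covers: "image", Content: []byte("SPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\n")},
		{Format: "cyclonedx", Covers: "layer:0", Content: []byte(`{"bomFormat":"CycloneDX","specVersion":"1.3"}`)},
	}
	m, blobs, err := BuildSBOMManifest(parts)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(m, "", "  ")
	fmt.Println(string(out))
	fmt.Println("verify:", VerifyManifest(m, blobs))
	blobs[m.Layers[0].Digest] = []byte("replaced") // tamper after the fact
	fmt.Println("after tamper:", VerifyManifest(m, blobs))
}
```

The manifest digest is what a signature over the SBOM tag ultimately covers, so the layer-level check matters: a registry (or a proxy in front of it) that serves a different blob for the same digest is caught by `VerifyManifest`, while a client that trusts the media type alone is not.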

dlorenc force-pushed the sbom branch 2 times, most recently from e1b1765 to ebd4d92, June 26, 2021 11:58
This is ready!

Signed-off-by: Dan Lorenc <dlorenc@google.com>
dlorenc changed the title from WIP SBOM to SBOM support in "cosign attach" and "cosign download sbom". Jun 26, 2021
dlorenc (Member Author) commented Jun 26, 2021

Dropping the WIP, this is ready to go!
