Create and publish Software Bill of Materials (SBOMs) for our operators, products and docker images #168
Comments
This sounds great, but I have a sneaking suspicion that this kind of automatic processing would be quite complicated, especially for our products, where we just use their release artifacts rather than integrating with their build systems. I'd absolutely like to see this at some point, but it feels like it's a big and important enough issue that we need some kind of stopgap until then. I'd propose:
This is a good summary of tools used to generate SBOMs: https://cloudsmith.com/blog/how-to-generate-and-host-an-sbom/
Once we have the SBOMs I suggest we work on this: https://github.com/stackabletech/internal-issues/issues/46
SBOM for our Operators
We want to produce SBOMs for all our operators and the operator images.
Tasks
bom.xml to all our operators #369
SBOM for our products
See https://cwiki.apache.org/confluence/display/COMDEV/SBOM for a list of Apache products that already support SBOMs. Thanks to @dongjoon-hyun who worked on most of these!
Tasks
Unfortunately, we will not be able to use them all so we might have to create our own SBOMs.
Generating the SBOMs is only the first step though. We should mirror them somewhere and publish them as well to merge them with our Docker images and any custom additions.
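The merge step described above, as an added example that is not part of the issue or of Stackable's tooling: it unions the components of an operator SBOM and a Docker image SBOM with hand-maintained custom additions into one document, de-duplicating on purl, and flags components that carry no version (which a vulnerability scanner cannot match to advisories). CycloneDX JSON is assumed because bom.xml is that format's default output file; all package names, versions and purls below are constructed sample data.

```python
# Constructed sample SBOMs (not Stackable's real data) in CycloneDX JSON, the
# format whose default output file is bom.xml: one for an operator build and
# one for the Docker image it ships in. "serde" deliberately appears in both.
OPERATOR_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "tokio", "version": "1.28.0", "purl": "pkg:cargo/tokio@1.28.0"},
    {"type": "library", "name": "serde", "version": "1.0.163", "purl": "pkg:cargo/serde@1.0.163"},
]}
IMAGE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "openssl", "version": "3.0.8", "purl": "pkg:deb/debian/openssl@3.0.8"},
    {"type": "library", "name": "serde", "version": "1.0.163", "purl": "pkg:cargo/serde@1.0.163"},
]}
# Constructed custom additions, e.g. a vendored product release artifact that no
# build-system plugin described; the second entry has no version on purpose.
CUSTOM_ADDITIONS = [
    {"type": "application", "name": "example-product", "version": "2.1.0"},
    {"type": "file", "name": "entrypoint.sh"},
]


def component_key(component):
    """De-duplication identity: the purl when present, otherwise name@version."""
    return component.get("purl") or f"{component.get('name')}@{component.get('version', '')}"


def merge_sboms(boms, root_component, extra_components=()):
    """Union the component lists of several SBOMs into one CycloneDX document
    whose metadata.component describes the published image."""
    merged = {}
    for bom in boms:
        for component in bom.get("components", []):
            merged.setdefault(component_key(component), component)
    for component in extra_components:
        merged.setdefault(component_key(component), component)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": root_component},
        "components": sorted(merged.values(), key=component_key),
    }


def unversioned_components(bom):
    """Names of components without a version: scanners cannot match these
    against advisories, so they should be fixed before the SBOM is published."""
    return [c["name"] for c in bom["components"] if not c.get("version")]
```

Call `merge_sboms([OPERATOR_BOM, IMAGE_BOM], image_component, CUSTOM_ADDITIONS)` with a `{"type": "container", ...}` root component for the image, then check `unversioned_components` on the result before mirroring it.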