
create SBOM for software stack provided #366

Open
goern opened this issue Dec 21, 2021 · 6 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/user-experience Issues or PRs related to the User Experience of our Services, Tools, and Libraries. triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@goern
Member

goern commented Dec 21, 2021

Is your feature request related to a problem? Please describe.
As a feature to support a more secure software supply chain, Thoth should generate an SBOM for each advise requested and build it via a Tekton task. #needsRefinement

An SBOM is not a security tool, but it is a means to improve security: it can't guarantee "vulnerability-free" software, but it can help with fast discovery of CVEs.

High-level Goals

  • SBOM should be machine-readable
  • SBOM should be generated automatically
  • SBOM should be static
  • SBOM should be cryptographically signed

SBOM should contain:

  • binary executables
  • binary libraries
  • packages (RPMs, wheels, jars, npm)

Describe the solution you'd like
TBD

Describe alternatives you've considered
TBD

Additional context
We need to figure out how to include/embed/reference the SBOM of the base operating system (composability).

https://cyclonedx.org/ might be interesting

Acceptance Criteria
TBD
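To make the goals above concrete (machine-readable, generated automatically from a resolved stack, static/reproducible, and a stable artifact to sign, with a reference to a base-OS SBOM for composability), here is an added example that is not part of this issue or of Thoth's code. It emits a minimal CycloneDX 1.4 JSON document for a constructed stack of wheels and an RPM, using only the Python standard library. The package names, versions and digests are constructed, the `urn:uuid` serial number and timestamp are fixed inputs so the output is reproducible, and the detached signature itself is left to a signing tool; what the code produces is the canonical byte string and SHA-256 digest such a tool would sign and a verifier would re-check.

```python
"""Build a minimal CycloneDX 1.4 JSON SBOM for a resolved software stack and
compute a stable digest over it that a separate signing step can sign.

Added example, not Thoth project code. Package data below is constructed.
"""
import hashlib
import hmac
import json

CDX_SPEC_VERSION = "1.4"


def constructed_sha256(label: str) -> str:
    """Stand-in artifact digest (constructed from a label; a real SBOM
    generator hashes the actual wheel/RPM bytes instead)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed resolved stack: what a resolver/advise would hand to the SBOM task.
SAMPLE_STACK = [
    {"ptype": "pypi", "name": "flask", "version": "2.0.2",
     "sha256": constructed_sha256("flask-2.0.2-py3-none-any.whl")},
    {"ptype": "pypi", "name": "werkzeug", "version": "2.0.2",
     "sha256": constructed_sha256("Werkzeug-2.0.2-py3-none-any.whl")},
    {"ptype": "rpm", "namespace": "redhat", "name": "openssl-libs",
     "version": "1.1.1k-6.el8",
     "sha256": constructed_sha256("openssl-libs-1.1.1k-6.el8.x86_64.rpm")},
]


def make_purl(pkg: dict) -> str:
    """Package URL (purl) identifier; namespace is optional (e.g. rpm vendor)."""
    ns = pkg.get("namespace")
    path = f"{ns}/{pkg['name']}" if ns else pkg["name"]
    return f"pkg:{pkg['ptype']}/{path}@{pkg['version']}"


def build_sbom(stack, stack_name, serial_number, timestamp, base_os_bom_url=None):
    """Return a CycloneDX 1.4 BOM as a plain dict.

    serial_number and timestamp are passed in (not generated) so that the same
    input stack always yields byte-identical output: the 'static' goal.
    """
    components = [
        {
            "type": "library",
            "name": p["name"],
            "version": p["version"],
            "purl": make_purl(p),
            "hashes": [{"alg": "SHA-256", "content": p["sha256"]}],
        }
        for p in stack
    ]
    # The assembled stack itself is the metadata component; the base-OS SBOM is
    # linked from it as an external reference of type "bom" (composability).
    stack_component = {"type": "container", "name": stack_name}
    if base_os_bom_url:
        stack_component["externalReferences"] = [{"type": "bom", "url": base_os_bom_url}]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": CDX_SPEC_VERSION,
        "serialNumber": serial_number,
        "version": 1,
        "metadata": {"timestamp": timestamp, "component": stack_component},
        "components": components,
    }


def canonical_bytes(sbom: dict) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace. This is the
    exact byte string to hand to a signing tool and to store as the artifact."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def sbom_digest(sbom: dict) -> str:
    """SHA-256 over the canonical bytes; what a detached signature covers."""
    return hashlib.sha256(canonical_bytes(sbom)).hexdigest()


def verify_sbom(sbom_bytes: bytes, expected_digest: str) -> bool:
    """Consumer-side check: recompute the digest of the received bytes and
    compare in constant time against the digest carried by the signature."""
    actual = hashlib.sha256(sbom_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_digest)


if __name__ == "__main__":
    bom = build_sbom(SAMPLE_STACK, "thoth-advised-stack",
                     "urn:uuid:00000000-0000-4000-8000-000000000001",
                     "2021-12-21T00:00:00Z",
                     base_os_bom_url="https://example.invalid/base-os.cdx.json")
    print(canonical_bytes(bom).decode())
    print("sha256:", sbom_digest(bom))
```

Keeping the serial number and timestamp as inputs rather than generating them inside the builder is what makes the document reproducible from the same resolved stack; the Tekton task would supply them once per advise and record them next to the signature.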

@goern goern added kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/...` label and requires one. labels Dec 21, 2021
@goern
Member Author

goern commented Jan 18, 2022

/priority backlog
/lifecycle frozen

@sesheta sesheta added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/backlog Higher priority than priority/awaiting-more-evidence. labels Jan 18, 2022
@codificat
Member

/triage needs-information

@sesheta sesheta added the triage/needs-information Indicates an issue needs more information in order to work on it. label Feb 15, 2022
@fridex
Contributor

fridex commented Feb 15, 2022

Related: #361

@codificat
Member

/remove-label needs-triage

@sesheta
Member

sesheta commented Feb 15, 2022

@codificat: The label(s) /remove-label needs-triage cannot be applied. These labels are supported: community/discussion, community/group-programming, community/maintenance, community/question, deployment_name/ocp4-stage, deployment_name/ocp4-test, deployment_name/moc-prod, hacktoberfest, hacktoberfest-accepted, kind/cleanup, kind/demo, kind/deprecation, kind/documentation, kind/question, sig/advisor, sig/build, sig/cyborgs, sig/devops, sig/documentation, sig/indicators, sig/investigator, sig/knowledge-graph, sig/slo, sig/solvers, thoth/group-programming, thoth/human-intervention-required, thoth/potential-observation, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, triage/accepted, triage/duplicate, triage/needs-information, triage/not-reproducible, triage/unresolved, lifecycle/submission-accepted, lifecycle/submission-rejected

In response to this:

/remove-label needs-triage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@goern goern removed the needs-triage Indicates an issue or PR lacks a `triage/...` label and requires one. label Feb 16, 2022
@goern
Member Author

goern commented Apr 4, 2022

/sig user-experience

@sesheta sesheta added the sig/user-experience Issues or PRs related to the User Experience of our Services, Tools, and Libraries. label Apr 4, 2022
@Gkrumbach07 Gkrumbach07 added this to Backlog in SIG-User-Experience Apr 4, 2022
@Gkrumbach07 Gkrumbach07 moved this from Backlog to New in SIG-User-Experience May 2, 2022
Projects
Status: 🆕 New
Development

No branches or pull requests

4 participants