Closed dwallacelf closed 5 months ago
Per this blog entry [0], Github incorporates the generation of an SPDX formatted SBOM json file from the 'Insights->Dependency Graph' page [1] by hitting the "Export SBOM" button.
@ondrej-fabry, given the release tags provide a convenient URL to retrieve tarballs of the source code, does it make sense to download & check the latest SBOM file into the tree (e.g. RELEASE_SBOM.json) before each release?
[0] https://github.blog/2023-03-28-introducing-self-service-sboms/
[1] https://github.com/FDio/govpp/network/dependencies
The procedure for generating SBOMs should be added to the Developer Documentation
We could also add this as part of the release process, and upload the generated SBOMs alongside the release packages.
Per recommendations by the LF Networking Security Forum on the Security Best Practices Wiki Page, GoVPP releases should include the generation of a Software Bill of Materials in SPDX 2.2 or greater format.
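A release gate for the checked-in SBOM discussed in this issue, as an added example that is not GoVPP's own tooling: it accepts the SPDX JSON that the "Export SBOM" button (or the dependency-graph REST API, which wraps the document under a `sbom` key) returns and reports every reason the file would fail the SPDX 2.2-or-greater requirement. The sample SBOM is constructed, and the `RELEASE_SBOM.json` name is the one suggested above.

```python
import json
import re

# Constructed sample in the shape of the SPDX JSON that GitHub's "Export SBOM"
# button produces. It is not a real GoVPP SBOM; the package is illustrative.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "com.github.example/repo",
    "packages": [
        {"SPDXID": "SPDXRef-go-golang.org-x-sys", "name": "golang.org/x/sys",
         "versionInfo": "0.6.0"},
    ],
})

MIN_SPDX = (2, 2)  # LFN Security Forum recommendation: SPDX 2.2 or greater
_VERSION_RE = re.compile(r"^SPDX-(\d+)\.(\d+)$")


def spdx_version(doc):
    """Parse 'SPDX-2.3' into (2, 3); raise ValueError on a malformed field."""
    m = _VERSION_RE.match(str(doc.get("spdxVersion", "")))
    if not m:
        raise ValueError(f"bad spdxVersion: {doc.get('spdxVersion')!r}")
    return int(m.group(1)), int(m.group(2))


def check_sbom(text):
    """Return a list of problems; an empty list means the SBOM passes the gate."""
    doc = json.loads(text)
    doc = doc.get("sbom", doc)  # the REST API wraps the document in {"sbom": ...}
    problems = []
    try:
        if spdx_version(doc) < MIN_SPDX:
            problems.append(f"{doc['spdxVersion']} is below SPDX-2.2")
    except ValueError as e:
        problems.append(str(e))
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("document SPDXID must be SPDXRef-DOCUMENT")
    if doc.get("dataLicense") != "CC0-1.0":
        problems.append("dataLicense must be CC0-1.0 (mandatory in SPDX 2.x)")
    packages = doc.get("packages") or []
    if not packages:
        problems.append("no packages listed; the export is empty or failed")
    ids = [p.get("SPDXID") for p in packages]
    if not all(ids) or len(set(ids)) != len(ids):
        problems.append("package SPDXIDs must be present and unique")
    return problems
```

In a release script, read `RELEASE_SBOM.json`, call `check_sbom` on its contents and refuse to tag when the returned list is non-empty.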