RedHatProductSecurity / security-data-guidelines

A set of documents detailing Red Hat's publishing of security data.
https://redhatproductsecurity.github.io/security-data-guidelines/
MIT License

Add container image sbom example generator #3

Closed mprpic closed 3 months ago

mprpic commented 5 months ago

Also add an example SBOM for the ubi9-micro container image.

mprpic commented 5 months ago

@twaugh Are there any other container images that would be good examples for this type that you'd recommend including here?

twaugh commented 5 months ago

@twaugh Are there any other container images that would be good examples for this type that you'd recommend including here?

It would definitely be good to have a simple example container that simply installs one or more of the example RPMs. That way we'll have complete example data to show linking between them.

Another way to show this would be to add a new RPM example using one of the RPMs installed in the example container.

mprpic commented 4 months ago

It would definitely be good to have a simple example container that simply installs one or more of the example RPMs. That way we'll have complete example data to show linking between them.

I added an example for the kmm/kernel-module-management-rhel9-operator that installs the same version of openssl as we have in our rpm example. It does also build and install a Go binary but I'm not sure where to fetch that data from. Any ideas?

I also added an example of the podman container, which just contains extra RPMs on top of the ones installed in UBI. Though, we don't really make a distinction between the RPMs installed in the base layer vs the final layer (or any layers in between for that matter).