anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Reproducible SBOMs #1100

Open fg-j opened 2 years ago

fg-j commented 2 years ago

What would you like to be added: As the Syft JSON schema evolves, ensure that non-reproducible fields are optional so that users can generate spec-compliant SBOMs that are reproducible.

Why is this needed: Filing this issue on behalf of the Paketo buildpacks project. We currently use syft as a library to generate SBOMs for the container images we build. We add these SBOMs into the built images. One of the value propositions of buildpacks is that builds can be reproducible. However, SBOMs put a wrinkle in this. The SPDX SBOM specification includes required fields like timestamps that aren’t reproducible. This forces us to choose between providing our users with build reproducibility OR spec-compliant SBOMs.

So far, Syft’s JSON schema seems to produce reproducible SBOMs, which is great for us! We wanted to flag that SBOM reproducibility is an important feature for us.

Additional context:
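A check of the kind the request above implies, added here as an example and not part of the issue, of Paketo's tooling or of syft's own code: it takes two SBOM documents produced by separate builds of the same image, lists the fields that differ, and compares SHA-256 digests of the canonical JSON after dropping the fields declared volatile. The two sample documents are constructed for the example, and the volatile-field list holds only the SPDX creation timestamp the issue names; any other path a generator fails to reproduce can be added to `VOLATILE_FIELDS` once `differing_paths` has surfaced it.

```python
"""Compare two SBOM generation runs and decide whether the output is
reproducible once known-volatile fields (e.g. SPDX creation timestamps)
are ignored."""
import copy
import hashlib
import json
from typing import Any, Iterable

# Constructed sample documents (not real syft output): two SPDX-style JSON
# SBOMs of the same image, generated at different times.
SBOM_RUN_1 = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "creationInfo": {
        "created": "2022-07-20T10:15:00Z",
        "creators": ["Tool: example-sbom-tool-0.0.0"],
    },
    "packages": [
        {"SPDXID": "SPDXRef-Package-libc", "name": "libc6", "versionInfo": "2.31-0ubuntu9"},
    ],
}
SBOM_RUN_2 = copy.deepcopy(SBOM_RUN_1)
SBOM_RUN_2["creationInfo"]["created"] = "2022-07-21T08:02:33Z"

# Dotted paths of fields expected to change between otherwise identical builds.
# Only the timestamp named in the issue is listed; extend as needed.
VOLATILE_FIELDS = ("creationInfo.created",)


def _remove_path(node: Any, parts: list) -> None:
    """Delete the leaf at `parts` from `node`, descending into lists element-wise."""
    if isinstance(node, list):
        for item in node:
            _remove_path(item, parts)
        return
    if not isinstance(node, dict) or parts[0] not in node:
        return
    if len(parts) == 1:
        del node[parts[0]]
    else:
        _remove_path(node[parts[0]], parts[1:])


def normalize(sbom: dict, volatile: Iterable[str] = VOLATILE_FIELDS) -> dict:
    """Return a copy of `sbom` with every volatile path removed (input untouched)."""
    cleaned = copy.deepcopy(sbom)
    for path in volatile:
        _remove_path(cleaned, path.split("."))
    return cleaned


def digest(sbom: dict, volatile: Iterable[str] = VOLATILE_FIELDS) -> str:
    """SHA-256 of the canonical (sorted-key, compact) JSON after normalization."""
    canonical = json.dumps(normalize(sbom, volatile), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def differing_paths(a: Any, b: Any, prefix: str = "") -> list:
    """Dotted paths whose values differ between two JSON trees. Run this on two
    builds to discover which fields a generator does not reproduce."""
    if isinstance(a, dict) and isinstance(b, dict):
        paths = []
        for key in sorted(set(a) | set(b)):
            sub = f"{prefix}.{key}" if prefix else key
            if key not in a or key not in b:
                paths.append(sub)
            else:
                paths.extend(differing_paths(a[key], b[key], sub))
        return paths
    if isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            return [prefix]
        paths = []
        for i, (x, y) in enumerate(zip(a, b)):
            paths.extend(differing_paths(x, y, f"{prefix}[{i}]"))
        return paths
    return [] if a == b else [prefix]


def is_reproducible(a: dict, b: dict, volatile: Iterable[str] = VOLATILE_FIELDS) -> bool:
    """True when both documents hash identically after volatile fields are dropped."""
    return digest(a, volatile) == digest(b, volatile)


if __name__ == "__main__":
    print("fields differing between runs:", differing_paths(SBOM_RUN_1, SBOM_RUN_2))
    print("identical as emitted:", is_reproducible(SBOM_RUN_1, SBOM_RUN_2, volatile=()))
    print("identical ignoring volatile fields:", is_reproducible(SBOM_RUN_1, SBOM_RUN_2))
```

In a build pipeline the same digest can be recorded next to the image so a later rebuild can be checked against it; if `differing_paths` reports anything outside the declared volatile list, the generator (or its inputs) changed and the build is not reproducible in the sense the issue asks for.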

spiffcs commented 2 years ago

Thanks @fg-j!

Glad the current specification is working for your current use.

Since we're pre v1.0 for syft there is still room for changes in the future, but we'll make sure to keep reproducibility as one of the core tenets we try to stick by.

Feel free to reach out or ping if anything breaks in the near future. I'll also tag @wagoodman on this one since I know he's put a lot of thought into the reproducibility of our core schema.

06kellyjac commented 2 years ago

I raised a comment on this in the related issue: https://github.com/paketo-buildpacks/rfcs/issues/176#issuecomment-1189903775

wagoodman commented 1 year ago

What we should do is at least add more documentation as to what philosophies we follow when crafting SBOMs. I would say that keeping SBOMs easily reproducible is a core tenet of syft.