buildpacks / libcnb

A non-opinionated language binding for the Cloud Native Buildpack Buildpack and Extension specifications
Apache License 2.0

Adjustments for Lifecycle version 0.13.3 #115

Closed dmikusa closed 2 years ago

dmikusa commented 2 years ago

Starting with lifecycle 0.13.3, it is permitted to have both the old style label-based BOM information and the new style layer-based BOM information. If the buildpack API is 0.6 or older, label-based BOMs only are OK. If the buildpack API is 0.7, you may have both label-based BOM and layer-based BOM or just layer-based BOM. It is permitted to have just label-based BOM, however, that will generate a warning from the lifecycle.

This PR makes two changes:

  1. It removes two checks that we were using to nil out the label-based BOM and WARN if it was set. This is OK now based on the lifecycle changes so we permit it.
  2. It adds BP_DISABLE_BOM_LABEL which can be used to manually disable the label-based BOM. This is for the case where the label is too large and causes problems with K8s. This defaults to false, so label-based BOM is enabled by default. Setting it to true will result in no label-based BOM being included, even if the buildpacks write that information.

ekcasey commented 2 years ago

Not strictly related to this PR, but it looks like libcnb is providing helpers to create layer-specific SBOMs but not for generic launch and build SBOMs. Seems like we should probably do both? cc @dmikusa-pivotal @samj1912

sambhav commented 2 years ago

@ekcasey we do have those as well -> https://github.com/buildpacks/libcnb/blob/d3e6e18255ecfc1dac6cc473471d9cb2739124c4/layer.go#L216-L223

sambhav commented 2 years ago

@dmikusa-pivotal merging this for now. Was just a nitpick on the naming side. Hopefully we are getting rid of v1 soon anyway.