Closed dmikusa closed 2 years ago
Not strictly related to this PR but it looks like libcnb is providing helpers to create layer-specific SBOMs but not for generic launch and build SBOMs. Seems like we should probably do both? cc @dmikusa-pivotal @samj1912
@ekcasey we do have those as well -> https://github.com/buildpacks/libcnb/blob/d3e6e18255ecfc1dac6cc473471d9cb2739124c4/layer.go#L216-L223
@dmikusa-pivotal merging this for now. Was just a nitpick on the naming side. Hopefully we are getting rid of v1 soon anyway.
Starting with lifecycle 0.13.3, it is permitted to have both the old style label-based BOM information and the new style layer-based BOM information. If the buildpack API is 0.6 or older, label-based BOMs only are OK. If the buildpack API is 0.7, you may have both label-based BOM and layer-based BOM or just layer-based BOM. It is permitted to have just label-based BOM, however, that will generate a warning from the lifecycle.
This PR makes two changes:
- BP_DISABLE_BOM_LABEL, which can be used to manually disable the label-based BOM. This is for the case where the label is too large and causes problems with K8s. This defaults to false, so label-based BOM is enabled by default. Setting it to true will result in no label-based BOM being included, even if the buildpacks write that information.
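As an added illustration of the rules in the description above (this is example code written for this page, not code from the PR, libcnb or libpak), the following Go program encodes the buildpack-API/BOM compatibility matrix and the BP_DISABLE_BOM_LABEL toggle as one decision function. The type and function names (BOMPlan, DisableLabelFromEnv, PlanBOM) are hypothetical, the environment is passed in as a map rather than read from the process, and treating "0.7" as "0.7 or newer" is an assumption the description does not spell out.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// BOMPlan records which BOM outputs end up in the image and whether the
// lifecycle would warn about a label-only BOM (hypothetical type, not libcnb's).
type BOMPlan struct {
	IncludeLabel bool // old style label-based BOM is written to the image label
	IncludeLayer bool // new style layer-based BOM (SBOM files) is written
	Warn         bool // lifecycle warns: API 0.7 buildpack shipped label-based BOM only
}

// DisableLabelFromEnv reads BP_DISABLE_BOM_LABEL from the build environment.
// Unset, empty or unparsable values keep the default of false (label enabled).
func DisableLabelFromEnv(env map[string]string) bool {
	v, ok := env["BP_DISABLE_BOM_LABEL"]
	if !ok {
		return false
	}
	b, err := strconv.ParseBool(strings.TrimSpace(v))
	if err != nil {
		return false
	}
	return b
}

// parseAPI splits a buildpack API version such as "0.7" into major and minor.
func parseAPI(api string) (int, int, error) {
	parts := strings.SplitN(strings.TrimSpace(api), ".", 2)
	if len(parts) != 2 {
		return 0, 0, fmt.Errorf("buildpack API %q is not MAJOR.MINOR", api)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return 0, 0, fmt.Errorf("buildpack API %q: bad major version", api)
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return 0, 0, fmt.Errorf("buildpack API %q: bad minor version", api)
	}
	return major, minor, nil
}

// PlanBOM applies the compatibility rules from the PR description:
//   - API 0.6 or older: label-based BOM only; a layer-based BOM is rejected.
//   - API 0.7 (assumed here to mean 0.7 or newer): both, or layer-based only;
//     label-based only is accepted but produces a lifecycle warning.
//   - disableLabel (BP_DISABLE_BOM_LABEL=true) drops the label-based BOM
//     even when the buildpack wrote that information.
// wroteLabel / wroteLayer say what the buildpack actually produced.
func PlanBOM(api string, wroteLabel, wroteLayer, disableLabel bool) (BOMPlan, error) {
	major, minor, err := parseAPI(api)
	if err != nil {
		return BOMPlan{}, err
	}
	layerCapable := major > 0 || minor >= 7

	if !layerCapable && wroteLayer {
		return BOMPlan{}, fmt.Errorf("buildpack API %s permits label-based BOM only", api)
	}

	plan := BOMPlan{
		IncludeLabel: wroteLabel && !disableLabel,
		IncludeLayer: wroteLayer,
	}
	// The lifecycle warns when a layer-capable buildpack ships only the old style BOM.
	plan.Warn = layerCapable && plan.IncludeLabel && !plan.IncludeLayer
	return plan, nil
}

func main() {
	// Constructed build environment: the operator has disabled the label because
	// it grew too large for the platform (the K8s case from the description).
	env := map[string]string{"BP_DISABLE_BOM_LABEL": "true"}
	plan, err := PlanBOM("0.7", true, true, DisableLabelFromEnv(env))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("label=%v layer=%v warn=%v\n", plan.IncludeLabel, plan.IncludeLayer, plan.Warn)
}
```

The point of keeping the toggle and the API check in one function is that disabling the label on an API 0.7 buildpack that only wrote label-based information leaves the image with no BOM at all, which is worth surfacing in a build log rather than discovering later.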