buildpacks / lifecycle

Reference implementation of the Cloud Native Buildpacks lifecycle
https://buildpacks.io
Apache License 2.0

[RFC #0095] Lifecycle should merge CycloneDX bom files #737

Open buildpack-bot opened 3 years ago

buildpack-bot commented 3 years ago

This issue has been automatically created from pull request buildpacks/rfcs#166.

A/C

Given for example the following file tree:

/layers
  /config
    /sbom
      /launch
        /buildpack.id
          bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id (only) in the merged file
          /cache-true-launch-true
            bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id and io.buildpacks.bom.layer.name in the merged file
      /build
        /buildpack.id
          bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id (only) in the merged file
          /cache-true-launch-false
            bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id and io.buildpacks.bom.layer.name in the merged file

The lifecycle should create a merged launch bom containing bom entries from /layers/config/sbom/launch and similarly for build. See Slack inquiry on whether the merged bom should live at /layers/config/sbom/launch/bom.cdx.json or /layers/config/launch/sbom/bom.cdx.json.

Note that this is only applicable to cdx files, as spdx does not have readily available tooling.
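As an added illustration (not lifecycle code, and not the cyclonedx-go API discussed later in the thread), the following Go program merges the tree from the acceptance criteria above using only the standard library. The BOM struct is a hand-rolled subset of the CycloneDX JSON schema (assumed field names: bomFormat, specVersion, version, components, properties), the in-memory tree and the component names are constructed, and the merged document is returned rather than written because the output path was still undecided in the issue. Files at an unexpected depth or with a non-CycloneDX bomFormat are rejected instead of being merged silently.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

const (
	propBuildpackID = "io.buildpacks.bom.buildpack.id"
	propLayerName   = "io.buildpacks.bom.layer.name"
	bomFileName     = "bom.cdx.json"
)

// Property, Component and BOM are a deliberately small subset of the
// CycloneDX JSON schema (assumed shape); a real merger would use full types.
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type Component struct {
	Type       string     `json:"type"`
	Name       string     `json:"name"`
	Version    string     `json:"version,omitempty"`
	PURL       string     `json:"purl,omitempty"`
	Properties []Property `json:"properties,omitempty"`
}

type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Version     int         `json:"version"`
	Components  []Component `json:"components"`
}

// setProperty replaces an existing property of the same name or appends it,
// so a buildpack that already wrote the annotation cannot produce duplicates.
func setProperty(props []Property, name, value string) []Property {
	for i := range props {
		if props[i].Name == name {
			props[i].Value = value
			return props
		}
	}
	return append(props, Property{Name: name, Value: value})
}

// MergeSBOMs walks root (e.g. layers/config/sbom/launch), reads every
// <buildpack.id>/bom.cdx.json and <buildpack.id>/<layer>/bom.cdx.json, and
// returns one BOM whose components carry the buildpack id and, for
// layer-level files, the layer name. fs.WalkDir visits entries in lexical
// order, so the merged component order is deterministic.
func MergeSBOMs(fsys fs.FS, root string) (*BOM, error) {
	merged := &BOM{BOMFormat: "CycloneDX", SpecVersion: "1.3", Version: 1, Components: []Component{}}
	err := fs.WalkDir(fsys, root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || d.Name() != bomFileName {
			return nil
		}
		parts := strings.Split(strings.TrimPrefix(p, root+"/"), "/")
		var bpID, layer string
		switch len(parts) {
		case 2: // <buildpack.id>/bom.cdx.json
			bpID = parts[0]
		case 3: // <buildpack.id>/<layer>/bom.cdx.json
			bpID, layer = parts[0], parts[1]
		default:
			return fmt.Errorf("%s: unexpected location for an sbom file", p)
		}
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		var part BOM
		if err := json.Unmarshal(data, &part); err != nil {
			return fmt.Errorf("%s: %w", p, err)
		}
		if part.BOMFormat != "CycloneDX" {
			return fmt.Errorf("%s: bomFormat %q is not CycloneDX", p, part.BOMFormat)
		}
		for _, c := range part.Components {
			c.Properties = setProperty(c.Properties, propBuildpackID, bpID)
			if layer != "" {
				c.Properties = setProperty(c.Properties, propLayerName, layer)
			}
			merged.Components = append(merged.Components, c)
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	return merged, nil
}

// SampleLayers is a constructed in-memory tree mirroring the issue's example;
// the component names are made up and are not real lifecycle output.
func SampleLayers() fstest.MapFS {
	bp := `{"bomFormat":"CycloneDX","specVersion":"1.3","version":1,"components":[{"type":"library","name":"bp-level-dep","version":"1.0.0"}]}`
	layer := `{"bomFormat":"CycloneDX","specVersion":"1.3","version":1,"components":[{"type":"library","name":"layer-level-dep","version":"2.3.4"}]}`
	return fstest.MapFS{
		"layers/config/sbom/launch/buildpack.id/bom.cdx.json":                        {Data: []byte(bp)},
		"layers/config/sbom/launch/buildpack.id/cache-true-launch-true/bom.cdx.json": {Data: []byte(layer)},
		"layers/config/sbom/build/buildpack.id/bom.cdx.json":                         {Data: []byte(bp)},
		"layers/config/sbom/build/buildpack.id/cache-true-launch-false/bom.cdx.json": {Data: []byte(layer)},
	}
}

func main() {
	for _, root := range []string{"layers/config/sbom/launch", "layers/config/sbom/build"} {
		merged, err := MergeSBOMs(SampleLayers(), root)
		if err != nil {
			fmt.Println("merge failed:", err)
			return
		}
		out, _ := json.MarshalIndent(merged, "", "  ")
		fmt.Printf("%s:\n%s\n", root, out)
	}
}
```

Running it prints a launch BOM and a build BOM; in each, the buildpack-level component carries only the buildpack id property while the layer-level component carries both properties, exactly as the annotations in the tree above require.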

aemengo commented 3 years ago

Related CycloneDX issue here: https://github.com/CycloneDX/cyclonedx-go/issues/9
Let's see if they can provide an easy API method for us to do the merging.

VinodAnandan commented 3 years ago

Related PR: https://github.com/CycloneDX/cyclonedx-go/pull/12