buildpacks / rfcs

RFCs for Cloud Native Buildpacks
Apache License 2.0

SBOM layer support #278

Open RealHarshThakur opened 1 year ago

RealHarshThakur commented 1 year ago

Related : https://github.com/buildpacks/spec/issues/350

buildpack-bot commented 1 year ago

Maintainers,

As you review this RFC please queue up issues to be created using the following commands:

/queue-issue <repo> "<title>" [labels]...
/unqueue-issue <uid>

Issues

(none)

samj1912 commented 1 year ago

@RealHarshThakur thanks for the RFC. Have you had a chance to look at https://github.com/buildpacks/rfcs/pull/195 which covers the cosign sbom format as well as storing sboms as attestations.

RealHarshThakur commented 1 year ago

@samj1912 thanks for pointing it out. Just skimmed through it. I think we're after the same goal. OCI v1.1 draft spec is helping with interoperability.

Re: attestations: Feels like it's easier to support SBOMs as dedicated layers in the OCI manifest first. This will set the ground for attestations too, but I didn't want to include it here as I haven't seen the popular builder images emitting attestations and there isn't a pack attest subcommand yet. Attestation support might deserve its own RFC IMO.

Re: using cosign as a library: I noticed cosign also relies on the go-containerregistry library, as Buildpacks does. It felt easier to use the underlying library directly than to introduce a new dependency.

Re: similarity to RFC: Is there a notion of sub-RFCs or similar, since it feels like this RFC could be a sub-RFC of the one you've proposed? If not, I'm happy to close this one if we can cover the OCI spec progress in the other one.

loewenstein commented 1 year ago

Should we consider https://github.com/buildpacks/rfcs/pull/186 a dependency? Feels like a prerequisite to have complete sbom information before we condense it into an "image sbom"...

RealHarshThakur commented 1 year ago

@loewenstein Agreed! OCI spec allows annotations to attach metadata like that.

loewenstein commented 1 year ago

@RealHarshThakur well, I primarily meant this to say, we - as the CNB project - should make sure to allow complete application image boms before exposing them via standards. Or was your comment to say there are annotations for "warning: this sbom is incomplete"?

RealHarshThakur commented 1 year ago

I meant we should provide complete image SBOMs too, but adhere to the OCI 1.1 spec's suggestion on how to do it. In future, when we do runtime SBOMs, etc., annotations will help us differentiate them.
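The thread above proposes two things without showing them: an SBOM carried as its own layer in the OCI image manifest (RealHarshThakur's "dedicated layers" comment) and annotations on that layer so that consumers can tell one SBOM kind from another (the later exchange with loewenstein). The example below is added here by the editor and is not code from the RFC, the buildpacks project or go-containerregistry; it uses only the Go standard library and a constructed SPDX-style blob. The annotation key `io.example.sbom.kind` and its values are hypothetical stand-ins, not spec or CNB identifiers; the media types for the manifest, config and tar+gzip layer are the OCI ones, and `application/spdx+json` is the IANA-registered SPDX type chosen here as an assumption. The consumer side shows the check a practitioner wants before trusting any SBOM it pulls: size and digest must match the descriptor.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Descriptor is the subset of an OCI content descriptor used here.
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// Manifest is the subset of an OCI image manifest used here.
type Manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Config        Descriptor   `json:"config"`
	Layers        []Descriptor `json:"layers"`
}

// Hypothetical annotation key and values (editor's assumption, not from the
// OCI spec or the CNB project) used to tell SBOM layers apart, e.g. a
// build-time SBOM from a future runtime SBOM.
const (
	SBOMKindKey     = "io.example.sbom.kind"
	SBOMKindBuild   = "build"
	SBOMKindRuntime = "runtime"
)

// describe computes the content-addressed descriptor (digest + size) for a blob.
func describe(blob []byte, mediaType string, ann map[string]string) Descriptor {
	sum := sha256.Sum256(blob)
	return Descriptor{
		MediaType:   mediaType,
		Digest:      "sha256:" + hex.EncodeToString(sum[:]),
		Size:        int64(len(blob)),
		Annotations: ann,
	}
}

// AppendSBOMLayer adds an SBOM blob as a dedicated, annotated layer and
// returns its descriptor.
func AppendSBOMLayer(m *Manifest, sbom []byte, mediaType, kind string) Descriptor {
	d := describe(sbom, mediaType, map[string]string{SBOMKindKey: kind})
	m.Layers = append(m.Layers, d)
	return d
}

// FindSBOMLayer returns the first layer annotated with the requested SBOM kind.
func FindSBOMLayer(m Manifest, kind string) (Descriptor, error) {
	for _, l := range m.Layers {
		if l.Annotations[SBOMKindKey] == kind {
			return l, nil
		}
	}
	return Descriptor{}, errors.New("no SBOM layer of kind " + kind)
}

// VerifyBlob checks a fetched blob against its descriptor before it is parsed
// or trusted: both the size and the sha256 digest must match.
func VerifyBlob(d Descriptor, blob []byte) bool {
	if int64(len(blob)) != d.Size {
		return false
	}
	sum := sha256.Sum256(blob)
	return d.Digest == "sha256:"+hex.EncodeToString(sum[:])
}

// SampleManifest builds a manifest with one ordinary layer and one SBOM layer
// from constructed sample bytes, and returns the SBOM blob for verification.
func SampleManifest() (Manifest, []byte) {
	config := []byte(`{"architecture":"amd64","os":"linux"}`)                       // constructed
	appLayer := []byte("constructed tar+gzip layer bytes")                          // constructed
	sbom := []byte(`{"spdxVersion":"SPDX-2.3","name":"constructed-sample-sbom"}`) // constructed

	m := Manifest{
		SchemaVersion: 2,
		MediaType:     "application/vnd.oci.image.manifest.v1+json",
		Config:        describe(config, "application/vnd.oci.image.config.v1+json", nil),
		Layers: []Descriptor{
			describe(appLayer, "application/vnd.oci.image.layer.v1.tar+gzip", nil),
		},
	}
	AppendSBOMLayer(&m, sbom, "application/spdx+json", SBOMKindBuild)
	return m, sbom
}

func main() {
	m, sbom := SampleManifest()
	out, _ := json.MarshalIndent(m, "", "  ")
	fmt.Println(string(out))

	d, err := FindSBOMLayer(m, SBOMKindBuild)
	if err != nil {
		panic(err)
	}
	fmt.Println("sbom layer verified:", VerifyBlob(d, sbom))
	tampered := []byte(string(sbom) + "\n")
	fmt.Println("tampered blob verified:", VerifyBlob(d, tampered))
}
```

The manifest printed by `main` is the shape a registry client would push; the SBOM layer differs from the application layer only in its media type and annotation, which is what lets a scanner locate it by annotation rather than by position. Because the descriptor is content-addressed, a tampered or truncated SBOM fails `VerifyBlob` even when the manifest itself is intact, which is why the consumer should verify before parsing.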