amouat
commented
2 years ago Upped this to P1 as I think it would give us a strong sell in demos if our SBOMs are bomb. For the moment at least it will be a USP.
Closed jdolitsky closed 1 year ago
amouat
commented
2 years ago Upped this to P1 as I think it would give us a strong sell in demos if our SBOMs are bomb. For the moment at least it will be a USP.
luhring
commented
1 year ago Closed by https://github.com/chainguard-dev/apko/pull/309 (thanks @puerco!)
After building the image filesystem, scan the
/var/lib/db/sbomdirectory looking for files in the form:$package.cdx(CycloneDX)$package.spdx.json(SPDX)These files should be included during a melange build of APK with name
$package.The package data from these should be included in the final SBOM(s), noting the APK which it derives from.