Closed jdolitsky closed 1 year ago
After building the image filesystem, scan the /var/lib/db/sbom directory looking for files in the form:
$package.cdx (CycloneDX)
$package.spdx.json (SPDX)
These files should be included during a melange build of APK with name $package.
The package data from these should be included in the final SBOM(s), noting the APK which it derives from.
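As an added illustration of the scan described in the issue (example code written for this page, not apko's implementation and not part of the PR that closed it), the Go program below lists files of the form $package.cdx and $package.spdx.json in a directory, reads the package records from each fragment, and tags every record with the APK it derives from. It assumes the .cdx fragments are CycloneDX JSON and only reads the name/version fields of each format; the sample directory it builds is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SBOMFile is one per-package SBOM fragment found under the scanned directory.
type SBOMFile struct {
	Package string // APK name derived from the file name ($package)
	Format  string // "cyclonedx" or "spdx"
	Path    string
}

// PackageEntry is a package record from a fragment, annotated with its source APK.
type PackageEntry struct {
	Name, Version, FromAPK, Format string
}

// ScanSBOMDir returns the fragments named $package.cdx or $package.spdx.json in dir,
// ignoring anything else (os.ReadDir yields entries sorted by file name).
func ScanSBOMDir(dir string) ([]SBOMFile, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var out []SBOMFile
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		name := e.Name()
		switch {
		case strings.HasSuffix(name, ".spdx.json"): // check the longer suffix first
			out = append(out, SBOMFile{strings.TrimSuffix(name, ".spdx.json"), "spdx", filepath.Join(dir, name)})
		case strings.HasSuffix(name, ".cdx"):
			out = append(out, SBOMFile{strings.TrimSuffix(name, ".cdx"), "cyclonedx", filepath.Join(dir, name)})
		}
	}
	return out, nil
}

// ReadPackages parses one fragment and tags each package with the APK it came from.
// Assumption for this example: .cdx fragments are CycloneDX JSON (components[]),
// .spdx.json fragments are SPDX JSON (packages[] with versionInfo).
func ReadPackages(f SBOMFile) ([]PackageEntry, error) {
	data, err := os.ReadFile(f.Path)
	if err != nil {
		return nil, err
	}
	var names, versions []string
	switch f.Format {
	case "spdx":
		var doc struct {
			Packages []struct {
				Name    string `json:"name"`
				Version string `json:"versionInfo"`
			} `json:"packages"`
		}
		if err := json.Unmarshal(data, &doc); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Path, err)
		}
		for _, p := range doc.Packages {
			names, versions = append(names, p.Name), append(versions, p.Version)
		}
	case "cyclonedx":
		var doc struct {
			Components []struct {
				Name    string `json:"name"`
				Version string `json:"version"`
			} `json:"components"`
		}
		if err := json.Unmarshal(data, &doc); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Path, err)
		}
		for _, c := range doc.Components {
			names, versions = append(names, c.Name), append(versions, c.Version)
		}
	default:
		return nil, fmt.Errorf("%s: unknown format %q", f.Path, f.Format)
	}
	out := make([]PackageEntry, 0, len(names))
	for i := range names {
		out = append(out, PackageEntry{names[i], versions[i], f.Package, f.Format})
	}
	return out, nil
}

// CollectImageSBOM merges every fragment in dir into one list for the final image SBOM.
func CollectImageSBOM(dir string) ([]PackageEntry, error) {
	files, err := ScanSBOMDir(dir)
	if err != nil {
		return nil, err
	}
	var all []PackageEntry
	for _, f := range files {
		pkgs, err := ReadPackages(f)
		if err != nil {
			return nil, err
		}
		all = append(all, pkgs...)
	}
	return all, nil
}

// WriteSampleSBOMDir creates a temp directory with constructed fragments (not real melange
// output) so the example runs offline; a non-SBOM file is included to show it is skipped.
func WriteSampleSBOMDir() (string, error) {
	dir, err := os.MkdirTemp("", "sbom-example")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"busybox.cdx":       `{"bomFormat":"CycloneDX","components":[{"name":"busybox","version":"1.35.0"}]}`,
		"go-1.19.spdx.json": `{"spdxVersion":"SPDX-2.3","packages":[{"name":"go","versionInfo":"1.19.5"},{"name":"golang.org/x/net","versionInfo":"0.5.0"}]}`,
		"README":            "not an sbom fragment",
	}
	for name, body := range files {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	dir, err := WriteSampleSBOMDir()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	pkgs, err := CollectImageSBOM(dir)
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%-20s %-8s from APK %s (%s)\n", p.Name, p.Version, p.FromAPK, p.Format)
	}
}
```

The suffix order in ScanSBOMDir matters: ".spdx.json" is tested before ".cdx" so a name is never mis-classified, and the APK name is whatever precedes the suffix, which is exactly the $package the fragment was produced for during the melange build.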
Upped this to P1 as I think it would give us a strong sell in demos if our SBOMs are bomb. For the moment at least it will be a USP.
Closed by https://github.com/chainguard-dev/apko/pull/309 (thanks @puerco!)