envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Recording dependencies #23928

Open pfl opened 1 year ago

pfl commented 1 year ago

Title: Record components used when Envoy was built

Description: From a software supply chain viewpoint it is desirable to record all dependencies used by a build of Envoy. As different configuration/compile time options include different dependencies, this information should be made available and installed with the Envoy binary. As the software dependencies contain different copyright and attribution requirements, these should also be recorded when recording the dependency information. Having dependency information available makes it possible to detect for example which Envoy instances need to be rebuilt and restarted if a bug is discovered in one of the dependencies, or to create verifiable builds. This information needs to be collected at build time, presumably collected by Bazel with attribution information extracted from the release tarballs of the dependencies.

Relevant Links: Some work in progress for Bazel license checking rules are at https://github.com/bazelbuild/rules_license that could be used as a base.
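As an added illustration of what the request above asks for (this is constructed example code, not Envoy's code and not anything the project has merged): a small Python model of a per-build dependency record carrying name, version, tarball digest, license and copyright notice, plus the two operations the description motivates, finding which deployed instances must be rebuilt when an advisory names a dependency version, and rendering the attribution notice. The record schema, the dependency names, the digests and the notice strings are all assumptions; the version ordering deliberately ignores pre-release suffixes.

```python
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Dependency:
    """One entry of a build-time dependency record (constructed schema)."""
    name: str
    version: str
    sha256: str      # digest of the release tarball the build consumed
    license: str     # SPDX identifier
    copyright: str   # notice text extracted from the tarball


# Constructed sample records for two builds with different option sets.
# Digests and notices are placeholders, not real project values.
BUILD_A = [
    Dependency("zlib", "1.2.12", "aa" * 32, "Zlib", "Copyright (c) zlib authors (constructed)"),
    Dependency("c-ares", "1.18.1", "bb" * 32, "MIT", "Copyright (c) c-ares contributors (constructed)"),
]
BUILD_B = [
    Dependency("zlib", "1.2.13", "cc" * 32, "Zlib", "Copyright (c) zlib authors (constructed)"),
    Dependency("boringssl", "2022.10.01", "dd" * 32, "ISC", "Copyright (c) BoringSSL authors (constructed)"),
]


def manifest_json(deps: List[Dependency]) -> str:
    """Canonical JSON of the record (sorted by name, sorted keys), so two
    builds with identical inputs serialise identically."""
    rows = sorted((asdict(d) for d in deps), key=lambda r: r["name"])
    return json.dumps(rows, sort_keys=True, separators=(",", ":"))


def manifest_fingerprint(deps: List[Dependency]) -> str:
    """Digest of the canonical record; equal fingerprints mean equal dependency sets,
    which is the comparison a verifiable build needs."""
    return hashlib.sha256(manifest_json(deps).encode()).hexdigest()


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering. Simplification: only the leading digits of each
    dot-separated component count, so '1.2.13-rc1' orders equal to '1.2.13'."""
    parts = []
    for component in v.split("."):
        m = re.match(r"\d+", component)
        if m:
            parts.append(int(m.group()))
    return tuple(parts)


def instances_to_rebuild(instances: Dict[str, List[Dependency]],
                         dep_name: str, fixed_in: str) -> List[str]:
    """Given per-instance records and an advisory 'dep_name is fixed in fixed_in',
    return the ids of instances whose build consumed an older version."""
    fixed = parse_version(fixed_in)
    hit = []
    for instance_id, deps in instances.items():
        for d in deps:
            if d.name == dep_name and parse_version(d.version) < fixed:
                hit.append(instance_id)
                break
    return sorted(hit)


def attribution_notice(deps: List[Dependency]) -> str:
    """Render the NOTICE text the recorded licenses call for, grouped by license."""
    by_license: Dict[str, List[Dependency]] = {}
    for d in sorted(deps, key=lambda d: d.name):
        by_license.setdefault(d.license, []).append(d)
    lines = []
    for lic in sorted(by_license):
        lines.append(f"== {lic} ==")
        for d in by_license[lic]:
            lines.append(f"{d.name} {d.version} (sha256 {d.sha256[:12]}...)")
            lines.append(f"  {d.copyright}")
    return "\n".join(lines)


if __name__ == "__main__":
    fleet = {"edge-1": BUILD_A, "edge-2": BUILD_B}
    print("rebuild:", instances_to_rebuild(fleet, "zlib", "1.2.13"))
    print("fingerprints:", {k: manifest_fingerprint(v)[:16] for k, v in fleet.items()})
    print(attribution_notice(BUILD_A))
```

The fingerprint is computed over the canonical serialisation rather than over the list as built, so reordering Bazel targets does not change it; only a change in what was actually consumed (name, version or tarball digest) does.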

phlax commented 1 year ago

hi @pfl this is something we are already doing, if not comprehensively - see https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/external_deps.html for what we currently have

when this was added rules_license was not available (at least not installed) but now it is (https://github.com/envoyproxy/envoy/pull/23678)

i didn't get so far as looking at how we can make use of rules_license but it was on my todo list - i would be very happy to review any PRs