in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

[Bug]: Incorrect cover of CLO Monitor SBOM check. #437

Closed matglas closed 6 months ago

matglas commented 7 months ago

What steps did you take and what happened:

It looks like the check for SBOM by CLO Monitor is not correct. We do not output an SBOM yet on the project in a parsable location. The reason the check is successful is because of an article on SBOM that matches the regex.

What did you expect to happen:

I reviewed the CLO Monitor for go-witness because it had no green SBOM check. Looking at the witness project for its way of providing the SBOM, I noticed it did not 'provide' the SBOM. It was only green because of the article link mentioning SBOM in the README.

https://clomonitor.io/projects/cncf/in-toto#witness_security

Anything else you would like to add:


matglas commented 6 months ago

I think this could be marked as a good first issue. Looking into outputting SBOM information into the releases, so people benefit from it and we will have correct coverage of the check.

matglas commented 6 months ago

@jkjell could you take a look at this proposal?

jkjell commented 6 months ago

Yeah, we definitely should fix this. Since we use goreleaser, it should be pretty easy to add the extra config into the .goreleaser.yaml to generate and sign the SBOM.
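As an added illustration of the change proposed above, the shape a `sboms` plus `signs` section in .goreleaser.yaml would take to emit one SPDX SBOM per release archive and sign the release artifacts with cosign. This is example configuration written for this issue, not the project's actual file; the field names and defaults are assumed from goreleaser's documentation and should be checked against the goreleaser version the project pins.

```yaml
# Added example config (assumed goreleaser field names; not witness's own file).
# Goal: publish a parsable SBOM alongside each release and sign it, so a
# scanner such as CLO Monitor finds a real SBOM rather than a README mention.
sboms:
  - id: archive-sbom
    artifacts: archive                 # one SBOM document per release archive
    cmd: syft                          # goreleaser's default SBOM generator
    args: ["$artifact", "--output", "spdx-json=$document"]
    documents:
      - "{{ .ArtifactName }}.spdx.sbom.json"

signs:
  - id: cosign-keyless
    cmd: cosign
    certificate: "${artifact}.pem"     # Fulcio cert emitted next to each signature
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes"                        # non-interactive keyless (OIDC) signing in CI
    artifacts: all                     # assumed to cover checksums, archives and SBOM docs
    output: true
```

Consumers can then verify a downloaded SBOM offline with `cosign verify-blob` against the published `.sig` and `.pem`, which is what makes the release SBOM trustworthy rather than merely present.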