Closed jvanz closed 2 years ago
I don't know how we can add the build environment info to the SBOM files. It looks like the tools we are using do not support that (unless I'm missing something). However, I found that the current SBOM provides info about which libc version is used:
```json
{
  "name": "libc",
  "SPDXID": "SPDXRef-Package-libc-0.2.132",
  "versionInfo": "0.2.132",
  "supplier": "Organization: The Rust Project Developers",
  "downloadLocation": "https://github.com/rust-lang/libc",
  "filesAnalyzed": false,
  "checksums": [
    {
      "algorithm": "SHA1",
      "checksumValue": "5135f39c9447280f157cd3b0776988a7d639f022"
    }
  ],
  "homepage": "https://github.com/rust-lang/libc",
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "NOASSERTION",
  "copyrightText": "NOASSERTION",
  "licenseComments": "NOASSERTION",
  "comment": "NOASSERTION"
}
```
This is not really the libc provided by the host (glibc/muslc), but a Rust crate that gives access to libc functions.
I would file an issue against one of the tools we are using to generate the SBOM files, asking if it's possible to include information about the build environment being used. We have to be explicit about us using muslc; this is kinda like a cross-building environment.
If the current tool is not able to fetch this info by itself and you know another one which can do that, we can link both files. The SBOM spec allows users to link elements from different files and tell the kind of relationship they have.
An example: https://github.com/spdx/spdx-examples/blob/master/example3/spdx/example3-bin.spdx#L46-L52
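The cross-file linking mentioned above, as an added example (not code from the policy-server project or its SBOM tooling): an SPDX 2.3 `externalDocumentRefs` entry pins the build-environment SBOM by namespace URI and checksum, a `STATIC_LINK` relationship ties the binary package to the musl package in that other document, and a check reports any `DocumentRef-` reference that has no matching entry. Document names, namespaces, SPDXIDs and the musl version are constructed placeholders.

```python
import hashlib
import json

# Constructed stand-in for the build-environment SBOM (placeholder values).
BUILD_ENV_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "policy-server-build-env",
    "documentNamespace": "https://example.invalid/spdx/build-env",
    "packages": [{"name": "musl", "SPDXID": "SPDXRef-Package-musl",
                  "versionInfo": "1.2.3"}],  # constructed version
}

def external_ref(doc_id: str, sbom: dict) -> dict:
    """externalDocumentRefs entry: namespace URI plus SHA1 of the file bytes,
    so a consumer can verify it resolved the same document we linked."""
    raw = json.dumps(sbom, sort_keys=True).encode()
    return {"externalDocumentId": f"DocumentRef-{doc_id}",
            "spdxDocument": sbom["documentNamespace"],
            "checksum": {"algorithm": "SHA1",
                         "checksumValue": hashlib.sha1(raw).hexdigest()}}

def link_static_lib(bin_sbom: dict, doc_id: str, env_sbom: dict,
                    bin_id: str, lib_id: str) -> dict:
    """Record that bin_id (in bin_sbom) statically links lib_id, which lives
    in env_sbom. STATIC_LINK is an SPDX 2.x relationship type."""
    bin_sbom.setdefault("externalDocumentRefs", []).append(
        external_ref(doc_id, env_sbom))
    bin_sbom.setdefault("relationships", []).append({
        "spdxElementId": bin_id, "relationshipType": "STATIC_LINK",
        "relatedSpdxElement": f"DocumentRef-{doc_id}:{lib_id}"})
    return bin_sbom

def dangling_refs(sbom: dict) -> list:
    """Cross-document references whose DocumentRef- prefix is not declared
    in externalDocumentRefs; a consumer cannot resolve these."""
    known = {r["externalDocumentId"] for r in sbom.get("externalDocumentRefs", [])}
    return [rel["relatedSpdxElement"] for rel in sbom.get("relationships", [])
            if rel["relatedSpdxElement"].startswith("DocumentRef-")
            and rel["relatedSpdxElement"].split(":", 1)[0] not in known]

def demo() -> dict:
    """Link a constructed policy-server SBOM to BUILD_ENV_SBOM."""
    bin_sbom = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                "name": "policy-server",  # placeholder document
                "documentNamespace": "https://example.invalid/spdx/policy-server",
                "packages": [{"name": "policy-server",
                              "SPDXID": "SPDXRef-Package-policy-server"}]}
    return link_static_lib(bin_sbom, "build-env", BUILD_ENV_SBOM,
                           "SPDXRef-Package-policy-server", "SPDXRef-Package-musl")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2), dangling_refs(demo()))
```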
Currently we are generating the SBOM files for the policy server binaries. To improve our security and SSC even further, it's necessary to generate an SBOM file of the system where our binaries and container image are generated.
Therefore, we will make clear which package versions are in use in the build environment. And, more importantly, which version of Musl, the libc used by policy server, is used in each release. All of these files should be attached to the release.