Open alilleybrinker opened 2 months ago
Hipcheck today effectively produces three artifacts with each release, each of which should have an SBOM:

- `hc` binary
- `hc-update` binary (produced by `cargo-dist`)
- the Docker container

Of these, the binaries are probably easiest to produce an SBOM for, but it's the Docker container SBOM we probably care about the most.

This will also involve deciding if we want to produce CycloneDX and/or SPDX SBOMs.

EDIT: We've decided to wait for these to be resolved by the `cargo-dist` folks, who are working on automatic SBOM generation.
We will use SPDX as the intended SBOM standard (for now), in the interest of choosing a standard.
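As an added illustration of the SPDX decision above (this is example code, not Hipcheck's or cargo-dist's), the block below builds a minimal SPDX 2.3 JSON document for one release artifact and then runs the structural checks a consumer would want before trusting such an SBOM: version and data license, unique SPDXIDs, every relationship endpoint resolving, a DESCRIBES relationship from the document to a root package, and the root package's SHA-256 matching the artifact bytes. The artifact bytes, dependency list, document namespace and tool name are constructed placeholders.

```python
"""Build and sanity-check a minimal SPDX 2.3 JSON SBOM for one release artifact.

Added example, not Hipcheck's or cargo-dist's code. Artifact bytes, the
dependency list, the document namespace and the creator tool name are
constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone

SPDX_VERSION = "SPDX-2.3"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifact_name, artifact_bytes, deps):
    """Return an SPDX 2.3 document (as a dict) for one artifact.

    `deps` is a list of (name, version) pairs compiled into the artifact; each
    becomes a package the root package CONTAINS. The root package records the
    SHA-256 of the artifact so a consumer can tie the SBOM to the exact file.
    """
    root_id = f"SPDXRef-Package-{artifact_name}"
    packages = [{
        "SPDXID": root_id,
        "name": artifact_name,
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "checksums": [{"algorithm": "SHA256",
                       "checksumValue": sha256_hex(artifact_bytes)}],
    }]
    relationships = [{
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relationshipType": "DESCRIBES",
        "relatedSpdxElement": root_id,
    }]
    for name, version in deps:
        dep_id = f"SPDXRef-Package-{name}-{version}"
        packages.append({"SPDXID": dep_id, "name": name, "versionInfo": version,
                         "downloadLocation": "NOASSERTION", "filesAnalyzed": False})
        relationships.append({"spdxElementId": root_id,
                              "relationshipType": "CONTAINS",
                              "relatedSpdxElement": dep_id})
    return {
        "spdxVersion": SPDX_VERSION,
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{artifact_name}-sbom",
        # Placeholder namespace; a real document needs a unique URI.
        "documentNamespace": f"https://example.invalid/spdx/{artifact_name}",
        "creationInfo": {
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": ["Tool: example-sbom-builder"],  # placeholder tool name
        },
        "packages": packages,
        "relationships": relationships,
    }


def check_sbom(doc, artifact_bytes=None):
    """Return a list of problems found; an empty list means the checks pass."""
    problems = []
    if doc.get("spdxVersion") != SPDX_VERSION:
        problems.append("unexpected spdxVersion")
    if doc.get("dataLicense") != "CC0-1.0":
        problems.append("dataLicense must be CC0-1.0")
    packages = {p.get("SPDXID"): p for p in doc.get("packages", [])}
    if len(packages) != len(doc.get("packages", [])):
        problems.append("duplicate SPDXID among packages")
    known = set(packages) | {"SPDXRef-DOCUMENT"}
    described = []
    for rel in doc.get("relationships", []):
        # Every relationship must point at elements that exist in this document.
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(key) not in known:
                problems.append(f"relationship references unknown element {rel.get(key)!r}")
        if (rel.get("spdxElementId") == "SPDXRef-DOCUMENT"
                and rel.get("relationshipType") == "DESCRIBES"):
            described.append(rel.get("relatedSpdxElement"))
    if not described:
        problems.append("document DESCRIBES no package")
    if artifact_bytes is not None:
        # Tie the SBOM to the bytes actually shipped, not just to a name.
        expected = sha256_hex(artifact_bytes)
        for pkg_id in described:
            sums = {c.get("algorithm"): c.get("checksumValue")
                    for c in packages.get(pkg_id, {}).get("checksums", [])}
            if sums.get("SHA256") != expected:
                problems.append(f"{pkg_id}: SHA256 does not match the artifact")
    return problems


if __name__ == "__main__":
    hc_bytes = b"constructed stand-in for the hc binary"  # constructed input
    sbom = build_sbom("hc", hc_bytes, [("serde", "1.0.0"), ("tokio", "1.0.0")])
    print(json.dumps(sbom, indent=2))
    print("problems:", check_sbom(sbom, hc_bytes))
```

The checksum check is the part worth keeping whatever tool ends up generating the SBOM: an SBOM that names the right crates but carries no digest of the shipped `hc` binary cannot be matched to a given download, and one whose digest does not match is either stale or describes a different build.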