mitre / hipcheck

Automatically assess and score software repositories for supply chain risk.
https://mitre.github.io/hipcheck/
Apache License 2.0

Generate SBOMs for Hipcheck Distribution Artifacts #171

Open alilleybrinker opened 2 months ago

alilleybrinker commented 2 months ago

Hipcheck today effectively produces three artifacts with each release, each of which should have an SBOM:

Of these, the binaries are probably easiest to produce an SBOM for, but it's the Docker container SBOM we probably care about the most.

This will also involve deciding if we want to produce CycloneDX and/or SPDX SBOMs.

EDIT:

We've decided to wait for these to be resolved by the cargo-dist folks, who are working on automatic SBOM generation.

mchernicoff commented 1 month ago

We will use SPDX as the intended SBOM standard (for now), in the interest of choosing a standard.