open-telemetry / sig-security


Find out which SBOM format is being used in other CNCF projects #39

Closed ocelotl closed 6 months ago

ocelotl commented 7 months ago

In our last SIG we discussed the different SBOM formats that exist. We don't know which one to use, so we will look into which formats other CNCF projects use.

ocelotl commented 6 months ago

I looked into the graduated CNCF projects. To the best of my knowledge, these are using SPDX SBOMs:

  1. argo
  2. cilium
  3. cri-o
  4. flux2
  5. istio
  6. jaeger

It seems like cri-o can also use CycloneDX SBOMs.
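Since the question in this issue is which SBOM format other projects ship, it helps to be able to tell the formats apart mechanically rather than by filename. The sniffer below is an added example, not code from the sig-security repository or from any of the projects listed above. It keys on the discriminator fields each specification mandates: `bomFormat`/`specVersion` for CycloneDX JSON, the `http://cyclonedx.org/schema/bom/<version>` namespace on the `<bom>` root for CycloneDX XML, `spdxVersion` plus `SPDXID` for SPDX JSON, and the `SPDXVersion:` line for SPDX tag/value. The sample documents are constructed for the example; SPDX's RDF/XML serialisation is not handled. The function name `detect_sbom_format` and the result shape are assumptions of this example.

```python
"""Sniff whether an SBOM document is SPDX or CycloneDX, and in which encoding.

Added example for the format survey above; not part of the sig-security repo.
Identifying the format says nothing about the document's authenticity: verify
the SBOM's signature or attestation separately before trusting its contents.
"""
import json
import re
import xml.etree.ElementTree as ET

# Namespace prefix CycloneDX XML documents declare on their <bom> root element,
# followed by the spec version (e.g. .../bom/1.4).
CYCLONEDX_XML_NS = "http://cyclonedx.org/schema/bom/"


def detect_sbom_format(text: str) -> dict:
    """Return {"format": ..., "encoding": ..., "version": ...}.

    "format" is "SPDX", "CycloneDX" or "unknown"; "version" is the spec
    version string the document declares, or None when undetermined.
    """
    stripped = text.lstrip()

    # --- JSON encodings (both SPDX and CycloneDX) ----------------------------
    if stripped.startswith("{"):
        try:
            doc = json.loads(stripped)
        except json.JSONDecodeError:
            return {"format": "unknown", "encoding": "json", "version": None}
        if isinstance(doc, dict):
            # CycloneDX JSON requires bomFormat == "CycloneDX" and specVersion.
            if doc.get("bomFormat") == "CycloneDX":
                return {"format": "CycloneDX", "encoding": "json",
                        "version": doc.get("specVersion")}
            # SPDX JSON requires spdxVersion ("SPDX-2.x") and a document SPDXID.
            if isinstance(doc.get("spdxVersion"), str) and "SPDXID" in doc:
                return {"format": "SPDX", "encoding": "json",
                        "version": doc["spdxVersion"].removeprefix("SPDX-")}
        return {"format": "unknown", "encoding": "json", "version": None}

    # --- XML encoding (CycloneDX; SPDX RDF/XML is not handled here) ----------
    if stripped.startswith("<"):
        try:
            root = ET.fromstring(stripped)
        except ET.ParseError:
            return {"format": "unknown", "encoding": "xml", "version": None}
        # ElementTree exposes a namespaced tag as "{namespace}localname".
        m = re.fullmatch(r"\{" + re.escape(CYCLONEDX_XML_NS) + r"([\d.]+)\}bom",
                         root.tag)
        if m:
            return {"format": "CycloneDX", "encoding": "xml",
                    "version": m.group(1)}
        return {"format": "unknown", "encoding": "xml", "version": None}

    # --- SPDX tag/value: first mandatory line is "SPDXVersion: SPDX-2.x" ------
    m = re.search(r"^SPDXVersion:\s*SPDX-(\S+)\s*$", stripped, re.MULTILINE)
    if m:
        return {"format": "SPDX", "encoding": "tag-value", "version": m.group(1)}

    return {"format": "unknown", "encoding": None, "version": None}


# Constructed minimal documents for the demonstration (not real project SBOMs).
SAMPLES = {
    "spdx_json": '{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", '
                 '"SPDXID": "SPDXRef-DOCUMENT", "name": "example"}',
    "spdx_tv": "SPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\n"
               "SPDXID: SPDXRef-DOCUMENT\n",
    "cdx_json": '{"bomFormat": "CycloneDX", "specVersion": "1.4", '
                '"version": 1, "components": []}',
    "cdx_xml": '<?xml version="1.0"?>'
               '<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">'
               '<components/></bom>',
    "not_sbom": '{"name": "hello", "version": "1.0.0"}',
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10s} -> {detect_sbom_format(text)}")
```

The sniffer only answers "which format is this"; it does not validate the document against the SPDX or CycloneDX schemas, and a well-formed SBOM is still only as trustworthy as the signature or provenance attestation that accompanies it.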