opendevstack / ods-pipeline

Alternative ODS CI/CD pipeline based on Tekton / OpenShift Pipelines
Apache License 2.0

Generate SBOM artifact #592

Closed michaelsauter closed 1 year ago

michaelsauter commented 1 year ago

It would be great to generate an SBOM as an artifact, maybe with Trivy?

FYI @gerardcl

michaelsauter commented 1 year ago

Citing from FDA draft guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff":

Because vulnerability management is a critical part of a device’s security risk management processes, an SBOM or an equivalent capability should be maintained as part of the device’s configuration management, be regularly updated to reflect any changes to the software in marketed devices, and should support 21 CFR 820.30(j) (Design History File) and 820.181 (Design Master Record) documentation.

The SBOM should be in a machine readable format.

Further, IMDRF proposal "Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity" is a whole document addressing this topic.

gerardcl commented 1 year ago

Hi @michaelsauter, FYI I am also doing a bit of internal exploration with Aqua directly and will come back here once I know more 👍

michaelsauter commented 1 year ago

@gerardcl Hmm ... I just read https://www.chainguard.dev/unchained/are-sboms-good-enough-for-government-work. Trivy seems to be doing worse than bom / syft. Maybe worth keeping an eye out for :) But then again I expect Trivy to improve, like the others ...

renedupont commented 1 year ago

@michaelsauter @gerardcl maybe it is worth keeping an eye on this https://docs.docker.com/engine/sbom/ in case it passes the experimental phase and satisfies our needs?

michaelsauter commented 1 year ago

@renedupont Thanks for the heads up! I see it uses https://github.com/anchore/syft underneath, which is an alternative to Trivy in the end. We picked Trivy because it seemed to be gaining traction and we hoped that it would allow sending results to the Aqua server. For now this is not the case, but I believe Aqua is still working on making it happen. We don't use docker in ODS Pipeline at all because building images in OpenShift is rather tricky due to all the security restrictions imposed by OpenShift. buildah seems to be the best fit, but even that constantly breaks or causes issues, which is very frustrating.