ossf / sbom-everywhere

Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption
Apache License 2.0

being specific on directory structure #33

Open idunbarh opened 1 year ago

idunbarh commented 1 year ago

Ref https://github.com/ossf/sbom-everywhere/blob/main/reference/sbom_naming.md

  1. Directory Structure:

Store SBOM files in a dedicated directory, separate from the source code. This might be a top-level directory in the repository named something like SBOMs.

I see one of the objectives of this document is to drive common locations and naming conventions to facilitate SBOM discovery. Like #32, I would expect this document to recommend a specific directory name. The current language is ambiguous.

Would the WG be interested in the following language?

Store SBOM files in a dedicated directory, separate from the source code. This should be a top-level directory in the repository named sboms.

sjn commented 6 months ago

Agreed.

Related, I think there is a case for suggesting a standard system installation directory for SBOMs, so they can be found locally. E.g. /lib/sboms/$packagename.cdx.json.

ljharb commented 6 months ago

A path that likely requires sudo would be a very subpar choice, I think.

sjn commented 6 months ago

Ah, sorry. I'm specifically thinking of the situation after the build step (when an SBOM is produced), namely when the artifacts are installed. In this case I think accompanying SBOM files would be good to have installed in a standard location along with the build artifacts.

Apologies for that. I guess a separate ticket is in order then? :slightly_smiling_face:
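An added example (not code from the sbom-everywhere project or from anyone in this thread) showing why a fixed directory name matters for discovery: it writes an SBOM to the top-level `sboms/` directory proposed by idunbarh using the `$packagename.cdx.json` pattern sjn mentions, then locates and sanity-checks SBOMs from that convention alone. The directory name, suffix and the `bomFormat` check are assumptions made for this illustration.

```python
import json
from pathlib import Path

# Conventions discussed in the issue, assumed here as the rule being checked:
SBOM_DIR = "sboms"          # top-level directory name proposed in the thread
SBOM_SUFFIX = ".cdx.json"   # $packagename.cdx.json pattern mentioned in the thread


def sbom_path(repo_root, package_name):
    """Return the conventional location for a package's CycloneDX SBOM."""
    return Path(repo_root) / SBOM_DIR / f"{package_name}{SBOM_SUFFIX}"


def write_sbom(repo_root, package_name, bom):
    """Producer side: store an SBOM (a dict) at the conventional path."""
    path = sbom_path(repo_root, package_name)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(bom, indent=2))
    return path


def find_sboms(repo_root):
    """Consumer side: discover SBOMs by convention, with no per-repo config.

    Returns (found, problems): found maps package name -> summary dict,
    problems lists files in the SBOM directory that break the convention.
    """
    found, problems = {}, []
    sbom_dir = Path(repo_root) / SBOM_DIR
    if not sbom_dir.is_dir():
        return found, problems
    for path in sorted(sbom_dir.iterdir()):
        if not path.is_file() or not path.name.endswith(SBOM_SUFFIX):
            problems.append(f"{path.name}: not a *{SBOM_SUFFIX} file")
            continue
        package = path.name[: -len(SBOM_SUFFIX)]
        try:
            bom = json.loads(path.read_text())
        except json.JSONDecodeError as exc:
            problems.append(f"{path.name}: invalid JSON ({exc.msg})")
            continue
        if bom.get("bomFormat") != "CycloneDX":
            problems.append(f"{path.name}: bomFormat is not CycloneDX")
            continue
        found[package] = {
            "path": str(path),
            "spec_version": bom.get("specVersion"),
            "components": len(bom.get("components", [])),
        }
    return found, problems
```

A file that does not follow the naming pattern is reported rather than silently skipped, which is the practical benefit of a fixed convention over a "something like SBOMs" suggestion.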