paketo-buildpacks / libpak

An opinionated extension to the libcnb Cloud Native Buildpack Library
Apache License 2.0

Provide Global Mechanism to Disable SBOM Generation #311

Open dmikusa opened 6 months ago

dmikusa commented 6 months ago

Describe the Enhancement

Implement RFC 0044 by checking for BP_DISABLE_SBOM as one of the first things in build.go and, if set, return early.

Possible Solution

This needs support in both libpak and libbs. Any point where we generate SBOM information or run syft (or other tools) needs to be aware of the opt-out and should skip generating SBOM information.

In addition, the container needs to be flagged as having opted out of SBOM generation so it's clear this was due to a user request.

Motivation

At the moment, this remains unclear. If you find this issue and it is of interest to you, please post a comment and include some details about why you'd like this setting, your use case and how it impacts you. If we get enough user interest, we can implement this feature.
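The early-return check the issue describes, written out as an added illustration in Go (this is not libpak's or libbs's code, and it does not use the libcnb API). Only the variable name BP_DISABLE_SBOM comes from the issue; the BuildResult type, the generateSBOM stand-in for syft, and the io.buildpacks.sbom.disabled label used to flag the container are assumptions. A malformed value fails the build instead of being treated as "disabled", so a typo can never silently drop the SBOM.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const (
	// DisableSBOMEnv is the opt-out variable named in the issue.
	DisableSBOMEnv = "BP_DISABLE_SBOM"
	// SBOMOptOutLabel is an assumed image label used to record that the
	// missing SBOM was a user request rather than a buildpack defect.
	SBOMOptOutLabel = "io.buildpacks.sbom.disabled"
)

// BuildResult is a stand-in for what a build function returns: the SBOM
// files it would write and the labels it would set on the container image.
type BuildResult struct {
	SBOMFiles []string
	Labels    map[string]string
}

// SBOMDisabled reports whether the user opted out of SBOM generation.
// An unset or blank value means "not disabled"; any other value must parse
// with strconv.ParseBool (true/false, 1/0, t/f), otherwise an error is
// returned so the build fails loudly.
func SBOMDisabled(env map[string]string) (bool, error) {
	raw := strings.TrimSpace(env[DisableSBOMEnv])
	if raw == "" {
		return false, nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return false, fmt.Errorf("%s=%q is not a boolean: %w", DisableSBOMEnv, raw, err)
	}
	return v, nil
}

// generateSBOM simulates running syft (or another scanner) over the app
// directory. In a real buildpack this is the step the opt-out must skip.
func generateSBOM(appDir string) []string {
	return []string{appDir + "/sbom.cdx.json", appDir + "/sbom.syft.json"}
}

// Build performs the opt-out check before any SBOM tooling runs. When the
// user opted out it records the label and returns early; otherwise it
// generates the SBOM files as usual.
func Build(env map[string]string, appDir string) (BuildResult, error) {
	result := BuildResult{Labels: map[string]string{}}
	disabled, err := SBOMDisabled(env)
	if err != nil {
		return result, err
	}
	if disabled {
		result.Labels[SBOMOptOutLabel] = "true"
		return result, nil
	}
	result.SBOMFiles = generateSBOM(appDir)
	return result, nil
}

func main() {
	// Constructed sample environments: default, explicit opt-out, malformed.
	for _, env := range []map[string]string{{}, {DisableSBOMEnv: "true"}, {DisableSBOMEnv: "maybe"}} {
		res, err := Build(env, "/workspace")
		fmt.Printf("env=%v files=%v labels=%v err=%v\n", env, res.SBOMFiles, res.Labels, err)
	}
}
```

Keeping the decision in one function that every SBOM-producing site calls is what makes the mechanism global: libpak, libbs and any syft invocation consult the same parse, and the label gives image consumers a way to tell an intentional opt-out apart from a broken scanner.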

dmikusa commented 3 months ago

See https://github.com/paketo-buildpacks/maven/issues/334 for some rationale for implementing this.

loewenstein commented 3 months ago

See paketo-buildpacks/maven#334 for some rationale for implementing this.

I don't think that the linked issue asks for disabling SBoM globally. The maven cyclonedx plug-in will only be able to provide insights into the bom of the app. This cannot replace e.g. the libjvm buildpacks providing the jvm sbom information.