Open rchincha opened 1 year ago
Add a directive as follows:

```yaml
build:
  from: ...
  bom:
    - package: pkg1
      path: /dir1
    - package: pkg2
      path: /dir2
  run: |
    my-bom-tool ... > /stacker-artifacts/test.bom
    ...
```
When the `bom:` directive is specified, a `/stacker-artifacts` directory is also bind-mounted into the container.

1) One can run their own bom tool to generate BOMs etc. and output under `/stacker-artifacts`. We do this since it is not realistically possible to enable all scenarios (pkg mgmt cleanup, build/pkging staging, etc.)
https://github.com/anchore/syft
https://github.com/kubernetes-sigs/bom
https://github.com/microsoft/sbom-tool
https://github.com/sbomtools/apt2sbom
2) One can also just specify bom generation directives. This option is useful when we don't have a `run:` specified and still want a bom. So one of the above as a library to be linked into stacker.
Each layer also gets a full file list of paths, sizes and checksums. This list is compared with the generated boms and if there are missing files, then the build fails - we must account for everything.
In terms of implementation, we create an internal-go bom cmd for the `bom:` directive. This must run in the container with the layer rootfs.

Finally, we can merge the boms and publish to an OCI registry with references support.
All installed pkgs: /var/lib/rpm/rpmdb.sqlite /var/lib/dpkg/status /lib/apk/db/installed
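The per-layer completeness check described above (a file list of paths, sizes and checksums, compared against what the `bom:` entries account for, failing the build on anything unaccounted for), as an added Go example that is not stacker's code. It models the directive's package/path entries as a hypothetical package -> path map and treats a file as accounted for when it lies under one of those paths.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"os"
	"path/filepath"
	"strings"
)

// FileEntry is one row of the per-layer file list: path, size and checksum.
type FileEntry struct {
	Path, SHA256 string
	Size         int64
}

// ListLayerFiles walks a layer rootfs and records every regular file (lexical order per directory).
func ListLayerFiles(rootfs string) ([]FileEntry, error) {
	var out []FileEntry
	err := filepath.Walk(rootfs, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err // skip dirs, symlinks and devices; propagate walk errors
		}
		data, err := os.ReadFile(p) // stream instead for large files
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		rel, _ := filepath.Rel(rootfs, p)
		out = append(out, FileEntry{"/" + filepath.ToSlash(rel), hex.EncodeToString(sum[:]), int64(len(data))})
		return nil
	})
	return out, err
}

// Unaccounted returns layer files under none of the bom: paths (hypothetical package -> path map);
// a non-empty result is what should fail the build.
func Unaccounted(files []FileEntry, bom map[string]string) []string {
	var missing []string
next:
	for _, f := range files {
		for _, dir := range bom {
			dir = strings.TrimSuffix(dir, "/")
			if f.Path == dir || strings.HasPrefix(f.Path, dir+"/") {
				continue next
			}
		}
		missing = append(missing, f.Path)
	}
	return missing
}
```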
This is related to https://github.com/project-stacker/stacker/issues/477.
Maybe it is completely a dupe of this?
@rchincha this is done now right?
Is your feature request related to a problem? Please describe.
Generate SBOMs of our generated layers.
Describe the solution you'd like
No response
Describe alternatives you've considered
No response
Additional context
No response