rancher / rke2

https://docs.rke2.io/
Apache License 2.0

Provide SBOM (Software Bill of materials) #3824

Open siprbaum opened 1 year ago

siprbaum commented 1 year ago

Is your feature request related to a problem? Please describe.
Industry best standards for software security and software supply chain risk management security are to have a software bill of materials (SBOM). See e.g. https://www.cisa.gov/sbom

Currently, rke2 brings in a lot of 3rd party libraries and containers but doesn't provide an SBOM (at least none I am aware of).

Describe the solution you'd like
rke2 should integrate in its build process a mechanism to generate an SBOM.

Describe alternatives you've considered
None. Determining this after the fact from the binaries is almost impossible :-(

Additional context
PR https://github.com/rancher/rke2/issues/498 was closed, referencing https://github.com/rancher/ecm-distro-tools/pull/41 which was also closed, mentioning that it will be solved as a byproduct of the SLSA work with RFed, but no visible outcome was mentioned.

Currently, I couldn't find an issue (or PR) tackling the support for the SBOM besides the two mentioned above.
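The request above asks for SBOM generation to be wired into the build. As an added illustration (not rke2's own code or tooling), the following Go program shows the minimum a build step needs: every binary produced by the Go toolchain embeds its module list, which `debug/buildinfo` can read back, and that list maps almost directly onto CycloneDX components. The `cdx*` structs are an assumed subset of the CycloneDX 1.5 JSON schema (only the fields used here), the `pkg:golang/...` package URLs follow the purl convention for Go modules, and `sampleBuildInfo` is constructed data with made-up module names so the program runs without a real binary.

```go
package main

import (
	"debug/buildinfo"
	"encoding/json"
	"fmt"
	"os"
	"runtime/debug"
)

// Assumed subset of the CycloneDX 1.5 JSON schema: just enough for a module inventory.
type cdxComponent struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl,omitempty"`
}

type cdxMetadata struct {
	Component cdxComponent `json:"component"`
}

type cdxBOM struct {
	BOMFormat   string         `json:"bomFormat"`
	SpecVersion string         `json:"specVersion"`
	Version     int            `json:"version"`
	Metadata    cdxMetadata    `json:"metadata"`
	Components  []cdxComponent `json:"components"`
}

// golangPURL builds a package URL of the form pkg:golang/<module path>@<version>.
func golangPURL(m *debug.Module) string {
	return fmt.Sprintf("pkg:golang/%s@%s", m.Path, m.Version)
}

// bomFromBuildInfo turns the module list the Go toolchain embeds in every binary
// into a CycloneDX document. A module with a replace directive is reported under
// the path and version that was actually compiled in, not the one named in go.mod,
// because that is what a vulnerability scanner needs to match against.
func bomFromBuildInfo(bi *debug.BuildInfo) cdxBOM {
	bom := cdxBOM{
		BOMFormat:   "CycloneDX",
		SpecVersion: "1.5",
		Version:     1,
		Metadata: cdxMetadata{Component: cdxComponent{
			Type:    "application",
			Name:    bi.Main.Path,
			Version: bi.Main.Version,
		}},
	}
	for _, dep := range bi.Deps {
		if dep.Replace != nil {
			dep = dep.Replace
		}
		bom.Components = append(bom.Components, cdxComponent{
			Type:    "library",
			Name:    dep.Path,
			Version: dep.Version,
			PURL:    golangPURL(dep),
		})
	}
	return bom
}

// sampleBuildInfo is constructed stand-in data for a real binary's build info;
// the module paths and versions are made up for this example.
func sampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		Main: debug.Module{Path: "example.com/sample-app", Version: "v0.0.1"},
		Deps: []*debug.Module{
			{Path: "example.com/lib-a", Version: "v1.2.0"},
			{
				Path:    "example.com/lib-b",
				Version: "v0.9.0",
				Replace: &debug.Module{Path: "example.com/fork/lib-b", Version: "v0.9.1"},
			},
		},
	}
}

// Usage: sbom [path-to-go-binary]
// With no argument the constructed sample is used, so the program runs offline.
func main() {
	var bi *debug.BuildInfo
	if len(os.Args) > 1 {
		var err error
		bi, err = buildinfo.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "cannot read build info:", err)
			os.Exit(1)
		}
	} else {
		bi = sampleBuildInfo()
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	if err := enc.Encode(bomFromBuildInfo(bi)); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Pointing this at a Go binary lists the modules linked into it, which is exactly the information the issue says is "almost impossible" to recover after the fact; it covers Go modules only, so statically linked C code, bundled container images and vendored non-Go assets still need a separate inventory step in the pipeline.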

ataraxus commented 9 months ago

I was thinking this would be somewhat a requirement for governmental usage ^^ anyone generating it by themselves?

A CycloneDX SBOM would be highly appreciated!

xramsys commented 5 months ago

Agreed -- I'm interested in an SBOM too, in any format interpretable by GUAC. We're beginning to inquire about SBOMs for all new software projects and license renewals, with the goal of requiring them within a year or two. Given it's part of the requirements that gov't is supposed to be looking for and RKE2 is aimed at gov't use, it should be somewhere in the pipeline, right?

There are plenty of options out there that will build it as part of the CD pipeline, so it should be fairly set-it-and-forget-it (as much as any of these things are).