sourcegraph / sourcegraph-public-snapshot

Code AI platform with Code Search & Cody
https://sourcegraph.com

release: Create an SBOM with every new release #30840

Open nancy4dev opened 2 years ago

nancy4dev commented 2 years ago

Feature request description

Customer needs an SBOM with every release for security and compliance reasons.

Background: Sourcegraph is to provide the Software Bill of Materials (SBOM) in their preferred format, which is CycloneDX. The original ticket was resolved, but this ticket is to have this going forward with every new release.

Solution: The script was created by Beatrix and run on their current release; however, it will be required for all future releases to allow for upgrades, etc.

Is your feature request related to a problem? If so, please describe.

This is a requirement that is needed for compliance with security.

Describe alternatives you've considered.

The only alternative is to do this manually with every release.

Additional context

[Customer] Slack thread 1 Slack Thread 2

github-actions[bot] commented 2 years ago

Heads up @dcomas - the "team/security" label was applied to this issue.

camdencheek commented 2 years ago

@nancy4dev Do we need to do anything specific with the SBOM after a release, or just have it available?

bobheadxi commented 2 years ago

I'm not sure what a Software Bill of Materials is exactly, but at a glance it sounds similar to what we have in https://github.com/sourcegraph/sourcegraph/tree/main/third-party-licenses - just FYI that we have this and it (should be) (partially) automatically maintained

nancy4dev commented 2 years ago

@bobheadxi There is a particular format needed for this deliverable as indicated in the "background" portion of the description. This is a government mandate and I link some documentation about it here.

@camdencheek I believe a location to download the SBOM for each release is fine. Let me check with the customer.

bobheadxi commented 2 years ago

There is a particular format needed for this deliverable as indicated in the "background" portion of the description. This is a government mandate and I link some documentation about it here.

Yep I notice the format being different! I'm mostly curious about the content, i.e. if the contents of our licenses is the same and there's no ergonomic way to automatically generate the SBOM it might be possible to create one in the desired format based on the licenses CSVs, and wanted to note that we do have listings of our dependencies!
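
A concrete version of that idea, as an added example that is not Sourcegraph's release script or its third-party-licenses tooling: it reads a constructed dependency CSV (assumed columns name, version, ecosystem, license) and emits a minimal CycloneDX 1.4 JSON BOM with a package URL and SPDX license id per component.

```python
"""Turn a dependency/license CSV into a minimal CycloneDX 1.4 JSON SBOM.
Added example, not Sourcegraph's release script; CSV columns and rows are constructed."""
import csv
import io
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input: one row per third-party dependency (assumed layout).
SAMPLE_CSV = """name,version,ecosystem,license
github.com/gorilla/mux,v1.8.0,golang,BSD-3-Clause
react,18.2.0,npm,MIT
@types/node,18.11.9,npm,MIT
"""

def purl_for(name: str, version: str, ecosystem: str) -> str:
    """Build a package URL; scoped npm packages must percent-encode the '@'."""
    if ecosystem == "npm" and name.startswith("@"):
        scope, pkg = name[1:].split("/", 1)
        return f"pkg:npm/%40{scope}/{pkg}@{version}"
    return f"pkg:{ecosystem}/{name}@{version}"

def csv_to_cyclonedx(csv_text: str, app_name: str, app_version: str) -> dict:
    """Return a CycloneDX 1.4 BOM dict listing app_name's dependencies."""
    components = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        components.append({
            "type": "library",
            "name": row["name"],
            "version": row["version"],
            "purl": purl_for(row["name"], row["version"], row["ecosystem"]),
            "licenses": [{"license": {"id": row["license"]}}],  # SPDX identifier
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",  # unique per generated BOM
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": components,
    }

if __name__ == "__main__":
    print(json.dumps(csv_to_cyclonedx(SAMPLE_CSV, "sourcegraph", "3.38.0"), indent=2))
```

The resulting JSON can be attached to a release as an asset and fed to whatever SBOM consumer the customer uses.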

camdencheek commented 2 years ago

there's no ergonomic way to automatically generate the SBOM

It looks like Beatrix created a script that can be used to generate this automatically. I'll try it out for this release, but then I think the task just becomes "integrate this script into the release".

nancy4dev commented 2 years ago

@bobheadxi I believe they use the generated files to run it through a tool on their end to determine if it passes and can be installed in their environment. Here are the files for 3.37: link

nancy4dev commented 2 years ago

@camdencheek Beatrix recently updated the script: link

camdencheek commented 2 years ago

For version 3.38, I've manually run the SBOM-generating script and added it as an asset to the v3.38.0 release on deploy-sourcegraph. This felt like a good place to put it since it should be easy to automate in the future.

abeatrix commented 2 years ago

FYI I've updated and merged the script here, so there shouldn't be any error when running the script 😃

keegancsmith commented 2 years ago

I've attached an SBOM and attached it to the v3.39.0 release