Open goern opened 2 years ago
/priority backlog /lifecycle frozen
/triage needs-information
/remove-label needs-triage
@codificat: The label(s) /remove-label needs-triage
cannot be applied. These labels are supported: community/discussion, community/group-programming, community/maintenance, community/question, deployment_name/ocp4-stage, deployment_name/ocp4-test, deployment_name/moc-prod, hacktoberfest, hacktoberfest-accepted, kind/cleanup, kind/demo, kind/deprecation, kind/documentation, kind/question, sig/advisor, sig/build, sig/cyborgs, sig/devops, sig/documentation, sig/indicators, sig/investigator, sig/knowledge-graph, sig/slo, sig/solvers, thoth/group-programming, thoth/human-intervention-required, thoth/potential-observation, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, triage/accepted, triage/duplicate, triage/needs-information, triage/not-reproducible, triage/unresolved, lifecycle/submission-accepted, lifecycle/submission-rejected
/sig user-experience
Is your feature request related to a problem? Please describe. As a feature to support a more secure software supply chain, Thoth should generate an SBOM for each advise requested, built via a Tekton task. #needsRefinement
An SBOM is not a security tool, but it is a means to improve security: it can't guarantee "vulnerability-free" software, but it can help with fast discovery of CVEs.
High-level Goals
SBOM should contain:
Describe the solution you'd like TBD
Describe alternatives you've considered TBD
Additional context We need to figure out how to include/embed/reference the SBOM of the base operating system (composability)
https://cyclonedx.org/ might be interesting
Acceptance Criteria TBD
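To make the request concrete, here is an added example (not Thoth's code, and not from this issue) of what an advise-side SBOM generator could emit: a minimal CycloneDX 1.4 JSON document whose components are the resolved Python packages, keyed by Package URL so the document can be joined to advisory feeds, with the base image's own SBOM referenced rather than inlined via an `externalReferences` entry of type `bom` (one way to get the composability asked for above). The resolved stack, the dependency edges, the base-image BOM URL and the advisory feed entries are all constructed placeholders for illustration; the feed entries do not describe real vulnerabilities.

```python
"""Minimal CycloneDX 1.4 SBOM for a resolved Python stack (added example)."""
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed: packages as an advise would resolve them (name, version, wheel sha256).
RESOLVED_STACK = [
    {"name": "flask", "version": "2.0.3", "sha256": "a" * 64},
    {"name": "werkzeug", "version": "2.0.3", "sha256": "b" * 64},
    {"name": "jinja2", "version": "3.0.3", "sha256": "c" * 64},
]
# Constructed: direct dependency edges inside the resolved stack.
DEPENDS_ON = {"flask": ["werkzeug", "jinja2"]}
# Hypothetical location of the base container image's own BOM (placeholder host).
BASE_IMAGE_BOM_URL = "https://example.invalid/boms/base-image.cdx.json"
# Constructed advisory feed keyed by purl; placeholder ids, not real CVEs.
CONSTRUCTED_FEED = [
    {"id": "EXAMPLE-0001", "affected_purls": ["pkg:pypi/werkzeug@2.0.3"]},
    {"id": "EXAMPLE-0002", "affected_purls": ["pkg:pypi/flask@1.0.0"]},
]


def purl(name: str, version: str) -> str:
    """Package URL for a PyPI distribution (purl lowercases pypi names)."""
    return f"pkg:pypi/{quote(name.lower())}@{quote(version)}"


def build_sbom(stack, depends_on, base_bom_url, app_name="my-app", app_version="0.1.0"):
    """Return a CycloneDX 1.4 document (as a dict) for the given resolved stack."""
    app_ref = f"pkg:generic/{app_name}@{app_version}"
    refs = {pkg["name"]: purl(pkg["name"], pkg["version"]) for pkg in stack}
    components = [
        {
            "type": "library",
            "bom-ref": refs[pkg["name"]],
            "name": pkg["name"],
            "version": pkg["version"],
            "purl": refs[pkg["name"]],
            "hashes": [{"alg": "SHA-256", "content": pkg["sha256"]}],
        }
        for pkg in stack
    ]
    # The application depends directly on every package nothing else pulls in.
    transitive = {d for deps in depends_on.values() for d in deps}
    dependencies = [{"ref": app_ref, "dependsOn": [r for n, r in refs.items() if n not in transitive]}]
    for name, ref in refs.items():
        for dep in depends_on.get(name, []):
            if dep not in refs:
                raise ValueError(f"{name} depends on {dep}, which is not in the resolved stack")
        dependencies.append({"ref": ref, "dependsOn": [refs[d] for d in depends_on.get(name, [])]})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": app_ref, "name": app_name, "version": app_version},
        },
        "components": components,
        "dependencies": dependencies,
        # Reference the base image's BOM instead of copying its components in.
        "externalReferences": [{"type": "bom", "url": base_bom_url, "comment": "SBOM of the base container image"}],
    }


def validate_sbom(sbom):
    """Return every ref in the dependency graph that no bom-ref in the document resolves."""
    known = {sbom["metadata"]["component"]["bom-ref"]} | {c["bom-ref"] for c in sbom["components"]}
    dangling = []
    for entry in sbom["dependencies"]:
        for ref in [entry["ref"], *entry["dependsOn"]]:
            if ref not in known and ref not in dangling:
                dangling.append(ref)
    return dangling


def affected(sbom, feed):
    """Join the SBOM to an advisory feed on exact purl match; returns (id, [purls]) pairs."""
    purls = {c["purl"] for c in sbom["components"]}
    hits = []
    for adv in feed:
        matched = sorted(purls & set(adv["affected_purls"]))
        if matched:
            hits.append((adv["id"], matched))
    return hits


if __name__ == "__main__":
    doc = build_sbom(RESOLVED_STACK, DEPENDS_ON, BASE_IMAGE_BOM_URL)
    print(json.dumps(doc, indent=2))
    print("dangling refs:", validate_sbom(doc))
    print("affected:", affected(doc, CONSTRUCTED_FEED))
```

The purl is used as the `bom-ref` so the dependency graph and any advisory lookup share one key; `validate_sbom` is the check worth running in the Tekton task before publishing, because a dangling ref makes the graph unusable to consumers. Real feeds match on version ranges rather than exact purls, so the exact-match join here is deliberately the simplest form of the lookup.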