thoth-station / core

Using Artificial Intelligence to analyse and recommend Software Stacks for Artificial Intelligence applications.
https://thoth-station.github.io/
GNU General Public License v3.0

create SBOM for software stack provided #366

Open goern opened 2 years ago

goern commented 2 years ago

Is your feature request related to a problem? Please describe. As a feature to support a more secure software supply chain, Thoth should generate an SBOM for each advise requested, and build it via a Tekton task. #needsRefinement

An SBOM is not a security tool, but it is a means to improve security; it can’t guarantee “vulnerability-free” software, but it can be helpful in the fast discovery of CVEs.

High-level Goals

SBOM should contain:

Describe the solution you'd like TBD

Describe alternatives you've considered TBD

Additional context We need to figure out how to include/embed/reference SBOM from base operating system (composability)

https://cyclonedx.org/ might be interesting

Acceptance Criteria TBD
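The request above (an SBOM per advise, composable with the base operating system's own SBOM, possibly in CycloneDX) can be sketched in code. The block below is an added example, not thoth-station code: it assumes the advised stack arrives as a Pipfile.lock-style mapping (the sample data is constructed), emits a CycloneDX 1.4 JSON BOM, and references the base image's BOM by serial number through a BOM-Link rather than embedding it.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample advise result in Pipfile.lock layout (not real Thoth output).
ADVISED_LOCK = {
    "default": {"numpy": {"version": "==1.23.5"}, "tensorflow": {"version": "==2.11.0"}},
    "develop": {"pytest": {"version": "==7.2.0"}},
}


def purl(name: str, version: str) -> str:
    """Package URL for a PyPI distribution, e.g. pkg:pypi/numpy@1.23.5."""
    return f"pkg:pypi/{name.lower()}@{version}"


def lock_components(lock: dict) -> list:
    """Turn each pinned Pipfile.lock entry into a CycloneDX 'library' component."""
    components = []
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            version = spec["version"].lstrip("=")
            components.append({
                "type": "library", "name": name, "version": version,
                "purl": purl(name, version),
                "scope": "required" if section == "default" else "optional",
            })
    return components


def build_sbom(lock: dict, base_os_name: str, base_os_serial: str) -> dict:
    """Assemble a CycloneDX 1.4 BOM. The base OS is listed as a component that
    points at its own BOM through a BOM-Link (urn:cdx:<serialNumber>/<version>)
    instead of embedding it, which keeps the image and stack SBOMs composable."""
    base_os = {
        "type": "operating-system", "name": base_os_name, "bom-ref": "base-os",
        "externalReferences": [{"type": "bom", "url": f"urn:cdx:{base_os_serial}/1"}],
    }
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "tools": [{"vendor": "example", "name": "advise-sbom-example"}],
        },
        "components": [base_os] + lock_components(lock),
    }
```

Calling `build_sbom(ADVISED_LOCK, "ubi8", "<base image BOM serial>")` returns the document; `json.dumps` it to write the artifact a Tekton task would attach to the advise result.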

goern commented 2 years ago

/priority backlog /lifecycle frozen

codificat commented 2 years ago

/triage needs-information

fridex commented 2 years ago

Related: https://github.com/thoth-station/core/issues/361

codificat commented 2 years ago

/remove-label needs-triage

sesheta commented 2 years ago

@codificat: The label(s) /remove-label needs-triage cannot be applied. These labels are supported: community/discussion, community/group-programming, community/maintenance, community/question, deployment_name/ocp4-stage, deployment_name/ocp4-test, deployment_name/moc-prod, hacktoberfest, hacktoberfest-accepted, kind/cleanup, kind/demo, kind/deprecation, kind/documentation, kind/question, sig/advisor, sig/build, sig/cyborgs, sig/devops, sig/documentation, sig/indicators, sig/investigator, sig/knowledge-graph, sig/slo, sig/solvers, thoth/group-programming, thoth/human-intervention-required, thoth/potential-observation, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, triage/accepted, triage/duplicate, triage/needs-information, triage/not-reproducible, triage/unresolved, lifecycle/submission-accepted, lifecycle/submission-rejected

In response to [this](https://github.com/thoth-station/core/issues/366#issuecomment-1040491356):

> /remove-label needs-triage

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

goern commented 2 years ago

/sig user-experience