Currently, since container images built by CNB don't follow a generic file system layout, they are not easily scannable by container scanning tools. We do however provide a BOM which should greatly help sidestep the entire manual scanning process and speed up things like CVE detection by directly providing the CVE scanner with a BOM.
However, since we currently do not impose any standard for what the BOM should look like, and since the metadata table in the BOM is a freeform table, it is very hard to have consistent BOMs that can be used by CVE scanners.
There are various standards for specifying an SBOM (Software Bill of Materials). The primary ones include
It might be worth investigating all these formats as a standard recommendation for BOM.
Creating this issue to track the creation of an RFC for this.
From current investigation in buildpacks/community#82, CycloneDX seems to be the front-runner in terms of tooling. We do however want interoperability with SPDX, which CycloneDX also seems to provide.