add sbom to release assests #5110
Signed-off-by: zhzhuang-zju <m17799853869@163.com>
Codecov Report: All modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

@@           Coverage Diff           @@
##           master    #5110   +/-   ##
=======================================
  Coverage   28.21%   28.21%
=======================================
  Files         632      632
  Lines       43556    43556
=======================================
  Hits        12291    12291
  Misses      30368    30368
  Partials      897      897

Flags with carried forward coverage won't be shown.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: RainbowMango
Hi @zhzhuang-zju we might need to backport this to release-1.10, so that the latest release could have the sbom.
/assign
…5110-upstream-release-1.10 Automated cherry pick of #5110: add sbom to release assests
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
SBOM: A Software Bill of Materials is an inventory of all of the components that exist within a software resource, such as third-party libraries or modules. SBOMs can identify components that developers integrated directly into an application by importing them into its source code, as well as dependencies (which aren't a direct part of an application but are installed or run when the application is deployed).
SPDX: An open standard capable of representing systems with software components as SBOMs and other AI, data and security references supporting a range of risk management use cases.
I'd like to add an SBOM to karmada's release assets. It would enhance transparency around the open-source components and dependencies, bolster the security posture of our project, promote responsible software management, and support efficient collaboration and automation in the development lifecycle.
Which issue(s) this PR fixes:
Parts of #5048
Special notes for your reviewer:
The generated SBOM content can be seen at https://github.com/zhzhuang-zju/karmada/actions/runs/9722271169/job/26835956739; it is difficult for humans to read.
We can use some tools to analyze it.

Using bom document outline, SBOM contents can be rendered to see how the information they contain is structured.

Scan SBOM for vulnerabilities:

(base) ➜ karmada git:(xxx) ✗ trivy sbom sbom-karmada.spdx
2024-06-29T16:40:05+08:00 INFO Vulnerability scanning is enabled
2024-06-29T16:40:05+08:00 INFO Detected SBOM format format="spdx-tv"
2024-06-29T16:40:05+08:00 INFO Number of language-specific files num=3
2024-06-29T16:40:05+08:00 INFO [gobinary] Detecting vulnerabilities...
2024-06-29T16:40:05+08:00 INFO [gomod] Detecting vulnerabilities...
2024-06-29T16:40:05+08:00 INFO [pip] Detecting vulnerabilities...

(gobinary)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                        Title                         │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │ MEDIUM   │ affected │ 2.6.0             │               │ jose-go: improper handling of highly compressed data │
│                            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28180           │
└────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────┘
Does this PR introduce a user-facing change?:
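The scan above works because trivy recognises the release SBOM as SPDX tag-value ("spdx-tv") and reads package names and versions out of it. The following is an added example, not part of this PR or of karmada's own code, showing what that tag-value structure looks like and how little is needed to pull the package inventory out of it for your own checks (for instance, confirming that a module flagged by a scanner really is listed at the version claimed). The SBOM excerpt is constructed inline for the example and is not the one generated by the release workflow; the parser handles only the PackageName, PackageVersion and purl ExternalRef tags and ignores multi-line `<text>` values, which a real SBOM may contain.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Package is one package entry from an SPDX tag-value SBOM.
type Package struct {
	Name    string
	Version string
	PURL    string // package-url from an ExternalRef line, if present
}

// sampleSBOM is a constructed SPDX 2.3 tag-value excerpt for this example.
// It is not the SBOM produced by the karmada release workflow.
const sampleSBOM = `SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: sbom-karmada
DocumentNamespace: https://example.invalid/sbom-karmada
Creator: Tool: example-generator

##### Package: gopkg.in/square/go-jose.v2

PackageName: gopkg.in/square/go-jose.v2
SPDXID: SPDXRef-Package-go-jose
PackageVersion: 2.6.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
ExternalRef: PACKAGE-MANAGER purl pkg:golang/gopkg.in/square/go-jose.v2@2.6.0

##### Package: k8s.io/client-go

PackageName: k8s.io/client-go
SPDXID: SPDXRef-Package-client-go
PackageVersion: v0.30.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
ExternalRef: PACKAGE-MANAGER purl pkg:golang/k8s.io/client-go@v0.30.2
`

// ParseSPDXTagValue extracts packages from SPDX tag-value text. Each
// "PackageName:" tag opens a new package; "PackageVersion:" and a purl
// "ExternalRef:" attach to the package currently being read. Tags before the
// first PackageName (document-level metadata) and "#" comment lines are
// skipped. Multi-line <text>...</text> values are not handled.
func ParseSPDXTagValue(text string) []Package {
	var pkgs []Package
	var cur *Package
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// Split on the first colon only: values such as a purl contain colons.
		tag, val, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		val = strings.TrimSpace(val)
		switch tag {
		case "PackageName":
			pkgs = append(pkgs, Package{Name: val})
			cur = &pkgs[len(pkgs)-1]
		case "PackageVersion":
			if cur != nil {
				cur.Version = val
			}
		case "ExternalRef":
			// Value is "<category> <type> <locator>"; keep purl references only.
			fields := strings.Fields(val)
			if cur != nil && len(fields) == 3 && fields[1] == "purl" {
				cur.PURL = fields[2]
			}
		}
	}
	return pkgs
}

// FindPackage returns the entry for the named package, if the SBOM lists it.
func FindPackage(pkgs []Package, name string) (Package, bool) {
	for _, p := range pkgs {
		if p.Name == name {
			return p, true
		}
	}
	return Package{}, false
}

func main() {
	pkgs := ParseSPDXTagValue(sampleSBOM)
	for _, p := range pkgs {
		fmt.Printf("%s %s %s\n", p.Name, p.Version, p.PURL)
	}
	// Cross-check the module the trivy scan flagged against the inventory.
	if p, ok := FindPackage(pkgs, "gopkg.in/square/go-jose.v2"); ok {
		fmt.Printf("SBOM lists go-jose at %s\n", p.Version)
	}
}
```

Reading the SBOM this way is the cheap half of the check; the scanner's verdict is only as good as the inventory, so the complementary check is to confirm the SBOM shipped with a release was generated from the same commit as the binaries beside it.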