-
Notifications
You must be signed in to change notification settings - Fork 405
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add purls to SPDX sbom #677
Conversation
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit modifies the top level purl in the SPDX sbom to use an oci purl, indicating it describes an image. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Codecov Report
@@ Coverage Diff @@
## main #677 +/- ##
==========================================
- Coverage 51.62% 51.52% -0.10%
==========================================
Files 44 44
Lines 3268 3276 +8
==========================================
+ Hits 1687 1688 +1
- Misses 1371 1377 +6
- Partials 210 211 +1
Continue to review full report at Codecov.
|
This generally LGTM, but can you include an example of what these lines look like in the resulting SBOM? |
Sure thing, this snippet shows the package representing the image and the first dependency (taken from the CI artifacts):
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! Thanks!
Very helpful thanks! |
This PR modifies the SPDX sbom output to include purls that add context for external tools to better infer the types of packages described in the document.
Note:
As each sbom is describing the dependencies of the image it is attached to, the purl type is set to
:oci
.This introduces a divergence with the way the CycloneDX sbom expresses its components as the top component is a reference to golang source and not to the image. I think we should change this to express the sboms describe the images, not a go package.
/cc @imjasonh @mattmoor