Embedding SPDX into binaries #739
Embedding package information into binaries can enable SCA tools and scanners to detect dependencies and check them for vulnerabilities, without needing a separate mechanism to transfer an SBOM.
SPDX, or SPDX Lite, documents could seemingly be embedded into a binary by a producer and detected by scanning tools. Some possible drawbacks:
Are there any reasons that would make SPDX/SPDX Lite an unsuitable format for this use case?

Hi @tofay, good thoughts and good questions. I think this is interesting, and tend to agree that items 1 and particularly 2 from your list are likely to be the major drawbacks to an approach of embedding the document directly in the binary itself. This may not be directly on point, but two prior discussions that might be of interest to you are at #439 and #502. These were about the idea of having a sort of proto-manifest (and in the case of #502 at least, something lighter than SPDX-Lite) in a project or code repo, which could then in theory be auto-generated into a full SPDX document for a recipient of the code. I don't think this directly answers the question you're thinking about, but the discussions in those threads might be relevant as you're thinking about this (even though I believe both of those were idea threads that haven't yet been agreed upon or fully baked).

Those linked issues are interesting, thanks. #439 overlaps in particular; it points to a desire to standardize the attachment of an SPDX document to a "package" (in that case a directory). I don't think this use case needs a new sub-format though. Could the spdx-spec have a new appendix for attaching/embedding scenarios? That would enable scanning tools to look in specific locations. Relatedly, I also saw that some IANA types are registered for SPDX which can be used to attach SBOMs to OCI artifacts.
Some other concerns:

Moving to SPDX 3.1 for consideration.
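The producer/scanner pair sketched in the issue, as an added example that is not code from the spdx-spec project or from any participant in this thread. It appends a framed SPDX JSON document to an opaque binary and shows how a scanner can recover it without any side channel. Everything about the framing is an assumption made for illustration: the `SPDX-SBOM-v0` marker, the header layout (marker, length, SHA-256 of the document), placing the blob at the end of the file rather than in a dedicated section, and the constructed `SAMPLE_SBOM`. The thread does not define any of this.

```python
"""Embed an SPDX JSON document in an opaque binary and find it again.

Added example, not code from the spdx-spec project or from anyone in
this thread. The framing below (marker string, header layout, appending
the blob at the end of the file) is an assumption for illustration; the
thread does not define any standard location or format.
"""
from __future__ import annotations

import hashlib
import json
import struct

# Hypothetical 12-byte marker a scanner can search for. Not standardized.
MARKER = b"SPDX-SBOM-v0"
# Header: marker | u32 little-endian document length | SHA-256 of the document.
HEADER = struct.Struct("<12sI32s")

# Constructed, minimal SPDX-style document used as sample input.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.13"},
    ],
}


def embed_sbom(binary: bytes, sbom: dict) -> bytes:
    """Return `binary` with a framed, hashed copy of `sbom` appended."""
    doc = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode("utf-8")
    header = HEADER.pack(MARKER, len(doc), hashlib.sha256(doc).digest())
    return binary + header + doc


def find_sboms(binary: bytes) -> list[dict]:
    """Scan `binary` for embedded documents; return every one that validates.

    Each marker hit is checked against its declared length and digest, so a
    stray copy of the marker bytes (for example in the scanner's own string
    table) or a truncated/corrupted blob does not yield a bogus SBOM.
    """
    found = []
    pos = binary.find(MARKER)
    while pos != -1:
        body_start = pos + HEADER.size
        if body_start <= len(binary):
            _, length, digest = HEADER.unpack(binary[pos:body_start])
            doc = binary[body_start:body_start + length]
            if len(doc) == length and hashlib.sha256(doc).digest() == digest:
                try:
                    found.append(json.loads(doc.decode("utf-8")))
                except (UnicodeDecodeError, ValueError):
                    pass  # marker and digest matched but payload is not JSON
        pos = binary.find(MARKER, pos + 1)
    return found


def package_coordinates(sbom: dict) -> list[tuple[str, str]]:
    """(name, version) pairs that a vulnerability lookup would key on."""
    return [(p["name"], p.get("versionInfo", "")) for p in sbom.get("packages", [])]


def demo() -> list[tuple[str, str]]:
    # Constructed stand-in for a compiled artifact: an ELF-like prefix plus padding.
    fake_binary = b"\x7fELF" + b"\x00" * 64
    stamped = embed_sbom(fake_binary, SAMPLE_SBOM)
    docs = find_sboms(stamped)
    return package_coordinates(docs[0]) if docs else []


if __name__ == "__main__":
    for name, version in demo():
        print(f"{name} {version}")
```

The digest only rejects accidental corruption and false marker hits; a consumer that needs to trust the embedded document against deliberate tampering would additionally need a producer signature over the blob, which this framing does not provide. Real tooling would also more plausibly put the blob in a dedicated section of the executable format than in a file trailer, so that a scanner can locate it without a byte search; the thread's suggestion of an appendix listing such locations is what would make that possible.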