Platform support for sBOM #268

Merged
merged 10 commits into from
Nov 18, 2021

natalieparellano
Member

This should be pointed to platform/0.8 but that branch doesn't exist yet...

Signed-off-by: Natalie Arellano <narellano@vmware.com>
@hone hone linked an issue Nov 3, 2021 that may be closed by this pull request
Signed-off-by: Natalie Arellano <narellano@vmware.com>
Signed-off-by: Natalie Arellano <narellano@vmware.com>
Signed-off-by: Natalie Arellano <narellano@vmware.com>
Signed-off-by: Natalie Arellano <narellano@vmware.com>
platform.md Outdated
@@ -566,6 +567,10 @@ Usage:
- All run-image layers SHALL be preserved
- All run-image config values SHALL be preserved unless this conflicts with another requirement
- MUST contain all buildpack-provided launch layers as determined by the [Buildpack Interface Specfication](buildpack.md)
- MUST contain a layer containing all buildpack-provided standardized Bill of Materials (BOM) files for `launch` as determined by the [Buildpack Interface Specfication](buildpack.md)
- `<layers>/BOM/<buildpack-id>/launch.bom.<ext>` MUST contain the buildpack-provided `launch` BOM
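
Review bot: the added path line `<layers>/BOM/<buildpack-id>/launch.bom.<ext>` leaves `<ext>` undefined and does not say whether `<buildpack-id>` is the raw id or an escaped form that is safe as a single path component, so a platform cannot locate or validate the BOM files from this text alone. Suggest naming the permitted extensions (or pointing to where the Buildpack Interface Specification defines them) and stating the escaping rule next to the path. The link text "Specfication" on the added MUST line is also misspelled.
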
Member

Does this mean that this would cause issues if a buildpack with buildpack id bom exists? (We currently allow such buildpack ids)

Member Author

The buildpack would need id sbom, but yes

platform.md Outdated
@@ -1123,8 +1137,9 @@ Where:
Where:
- `app` MUST contain one entry per app slice layer where
- `sha` MUST contain the digest of the uncompressed layer
- `config.sha` MUST the digest of the uncompressed layer containing launcher config
- `launcher.sha` MUST the digest of the uncompressed layer containing the launcher binary
- `bom.sha` MUST contain the digest of the uncompressed layer containing buildpack-provided standardized Bill of Materials
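
Review bot: `bom.sha` is written as an unconditional MUST, but the line does not say what the key holds when no buildpack provides a standardized Bill of Materials; state whether the key is omitted or empty in that case so a consumer checking the digest can tell "no BOM" apart from a malformed label. While this list is being edited, the neighbouring `config.sha` and `launcher.sha` lines read "MUST the digest" and are missing "contain".
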
Member

Are we keeping this in lifecycle metadata or moving it to its own key?

Member Author

Per sub sync discussion, we plan to leave the sha in lifecycle metadata for now. In the future, we may duplicate this information in a new label.

Also clarify that `bom` usage is for legacy buildpacks

Signed-off-by: Natalie Arellano <narellano@vmware.com>
Signed-off-by: Natalie Arellano <narellano@vmware.com>
Signed-off-by: Natalie Arellano <narellano@vmware.com>
@natalieparellano natalieparellano changed the base branch from platform/0.7 to platform/0.8 November 10, 2021 20:35
natalieparellano and others added 2 commits November 16, 2021 16:44
Signed-off-by: Natalie Arellano <narellano@vmware.com>

Co-authored-by: Anthony Emengo <anthonyemengojr@gmail.com>
Signed-off-by: Natalie Arellano <narellano@vmware.com>

Co-authored-by: Anthony Emengo <anthonyemengojr@gmail.com>
@jkutner jkutner merged commit f12c2c0 into platform/0.8 Nov 18, 2021
@jkutner jkutner deleted the sbom-platform branch November 18, 2021 16:23
@natalieparellano natalieparellano mentioned this pull request Nov 19, 2021
Successfully merging this pull request may close these issues.

[RFC 0095] SBOM
7 participants