Publish SBOMs for the artifacts we produce #185

Open
skitt opened this issue Apr 27, 2023 · 2 comments

@skitt (Member) commented Apr 27, 2023

What would you like to be added:

Publish SBOMs alongside our release artifacts (container images, subctl binaries etc.).

Why is this needed:

This allows end-users to accurately determine the contents of our release artifacts. It might be possible to use krel to help with this; see this KubeCon presentation for details.

@dfarrell07 (Member)

It looks like the relevant KubeCon recording isn't uploaded yet, but when it is it'll be here: https://www.youtube.com/playlist?list=PLj6h78yzYM2PR4KLskmLmNU20VtEnUMlw

@dfarrell07 (Member) commented Apr 27, 2023

Newer versions of Buildx have an SBOM feature that looks cool. It seems like it'll capture software used during the build process even if it's not in the final container build, which I don't know how we could achieve otherwise.

https://github.com/docker/buildx/releases/tag/v0.10.0
https://github.com/moby/buildkit/blob/v0.11.0/docs/attestations/sbom.md

It can also create attestations about the build process and environment:

https://github.com/moby/buildkit/blob/v0.11.0/docs/attestations/slsa-provenance.md
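
The linked BuildKit docs describe producing the attestations with `docker buildx build --sbom=true --provenance=true ...` (adding `--build-arg BUILDKIT_SBOM_SCAN_STAGE=true` to also scan intermediate build stages) and reading them back with `docker buildx imagetools inspect <image> --format '{{ json .SBOM }}'`. What the issue asks for, though, is that end-users can determine an artifact's contents, so the consumer side matters as much as the producer side. The following is an added example, not code from this issue or from the Submariner project: a small Go program that takes the single-platform `{{ json .SBOM }}` output (an SPDX document under the `SPDX` key, as shown in the docs; the multi-platform, per-platform-keyed shape is not handled and is an assumption left out here), flattens the packages, answers "is package X present and at which version", and flags packages without a purl, which cannot be matched against vulnerability databases automatically. The embedded SBOM, its package names and versions are constructed for illustration and do not describe any Submariner release.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sbomInspect mirrors the single-platform shape of
//   docker buildx imagetools inspect <image> --format '{{ json .SBOM }}'
// as shown in the BuildKit SBOM docs: one SPDX 2.3 document under "SPDX".
// Only the fields this example reads are modelled.
type sbomInspect struct {
	SPDX struct {
		Packages []spdxPackage `json:"packages"`
	} `json:"SPDX"`
}

type spdxPackage struct {
	Name         string `json:"name"`
	VersionInfo  string `json:"versionInfo"`
	ExternalRefs []struct {
		ReferenceCategory string `json:"referenceCategory"`
		ReferenceType     string `json:"referenceType"`
		ReferenceLocator  string `json:"referenceLocator"`
	} `json:"externalRefs"`
}

// Component is the user-facing view of one SBOM package.
type Component struct {
	Name    string
	Version string
	PURL    string // package URL if the scanner recorded one, else ""
}

// ParseSBOM flattens the SPDX packages into Components, taking the purl from
// the PACKAGE-MANAGER external reference when present. An SBOM with no
// packages is treated as an error: it usually means --sbom=true was not used.
func ParseSBOM(raw []byte) ([]Component, error) {
	var doc sbomInspect
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("decoding SBOM: %w", err)
	}
	if len(doc.SPDX.Packages) == 0 {
		return nil, fmt.Errorf("no SPDX packages found; was the image built with --sbom=true?")
	}
	comps := make([]Component, 0, len(doc.SPDX.Packages))
	for _, p := range doc.SPDX.Packages {
		c := Component{Name: p.Name, Version: p.VersionInfo}
		for _, ref := range p.ExternalRefs {
			if ref.ReferenceCategory == "PACKAGE-MANAGER" && ref.ReferenceType == "purl" {
				c.PURL = ref.ReferenceLocator
				break
			}
		}
		comps = append(comps, c)
	}
	return comps, nil
}

// FindComponent answers "is package name in this artifact, and at which version?".
func FindComponent(comps []Component, name string) (Component, bool) {
	for _, c := range comps {
		if c.Name == name {
			return c, true
		}
	}
	return Component{}, false
}

// WithoutPURL lists packages carrying no purl. Those cannot be matched to
// advisory databases automatically, so they deserve a manual look.
func WithoutPURL(comps []Component) []string {
	var names []string
	for _, c := range comps {
		if c.PURL == "" {
			names = append(names, c.Name)
		}
	}
	return names
}

// sampleSBOM is a constructed stand-in for real inspect output; names and
// versions are illustrative only.
const sampleSBOM = `{"SPDX": {"packages": [
  {"name": "alpine-baselayout", "versionInfo": "3.4.0-r0", "externalRefs": [
    {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
     "referenceLocator": "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64"}]},
  {"name": "golang.org/x/net", "versionInfo": "v0.8.0", "externalRefs": [
    {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
     "referenceLocator": "pkg:golang/golang.org/x/net@v0.8.0"}]},
  {"name": "vendored-tool", "versionInfo": "", "externalRefs": []}
]}}`

func main() {
	comps, err := ParseSBOM([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	for _, c := range comps {
		fmt.Printf("%-20s %-10s %s\n", c.Name, c.Version, c.PURL)
	}
	if c, ok := FindComponent(comps, "golang.org/x/net"); ok {
		fmt.Println("golang.org/x/net version:", c.Version)
	}
	fmt.Println("packages without purl:", WithoutPURL(comps))
}
```

To use it against a real image, pipe the `imagetools inspect` output into `ParseSBOM` instead of `sampleSBOM`. Note that a build-stage scan (`BUILDKIT_SBOM_SCAN_STAGE=true`) adds build-time tools that never ship in the final image, so "present in the SBOM" is not the same as "present in the running container"; keep that distinction in mind when triaging findings.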

dfarrell07 added a commit to dfarrell07/shipyard that referenced this issue Apr 27, 2023
The 0.10.x releases of buildx add support for creating Software Bill of
Materials during the build process. It seems like they can even capture
software used during the build that doesn't make it into the final
container.

This may support submariner-io/enhancements#185.

Signed-off-by: Daniel Farrell <[email protected]>
tpantelis pushed a commit to submariner-io/shipyard that referenced this issue Apr 28, 2023
The 0.10.x releases of buildx add support for creating Software Bill of
Materials during the build process. It seems like they can even capture
software used during the build that doesn't make it into the final
container.

This may support submariner-io/enhancements#185.

Signed-off-by: Daniel Farrell <[email protected]>
@dfarrell07 dfarrell07 moved this to Todo in Submariner 0.16 May 9, 2023
@Jaanki Jaanki moved this from Todo to Schedule and Epics in Submariner 0.17 Oct 4, 2023
@maayanf24 maayanf24 added this to Backlog Jul 2, 2024
@maayanf24 maayanf24 moved this to Backlog in Backlog Jul 2, 2024
Status: Backlog
No branches or pull requests
5 participants