Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-1777

Attach SBOMs to Container Images

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • None
    • shipwright
    • False
    • Hide

      None

      Show
      None
    • False
    • Not Selected

      Story (Required)

      As a developer trying to package software in containers I want the build process to generate a software bill of materials (SBOM) and attach it to my output container image.

      <Describes high level purpose and goal for this story. Answers the questions: Who is impacted, what is it and why do we need it? How does it improve the customer’s experience?>

      Background (Required)

      <Describes the context or background related to this story>

      Many regulated industries require software providers to generate a Software Bill of Materials (SBOM) containing the "ingredients list" of their software. There are many mechanisms to generate SBOMs - some integrated with a build process, others that can generate SBOMs externally (ex: Syft).

      With OCI Referrers, an SBOM can be packaged in an OCI artifact and "attached" to a container image.

      Describe the solution that you would like.

      Allow build strategies to produce an SBOM OCI artifact as output, which Shipwright "attaches" using the OCI Referrers API.

      Describe alternatives you have considered.

      Integrate a tool like Syft into the build process (ex: as part of publishing the output image). Syft's "black box" approach is fundamentally limiting and often does not produce accurate SBOMs. Ideally SBOMs are generated as close to the compilation step as possible.

      Out of scope

      <Defines what is not included in this story>

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated

      Legend

      Unknown

      Verified

      Unsatisfied

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

              Unassigned Unassigned
              adkaplan@redhat.com Adam Kaplan
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: