OpenShift Request For Enhancement
RFE-5792

SBOM support in Red Hat Advanced Cluster Security for generating SBOMs, storing SBOMs and scanning SBOMs



      Business Problem:

      SBOMs (software bills of materials) have become a critical artifact in container security: they record the dependencies an image uses, so that their update state and, more importantly, their potential vulnerabilities can be tracked.

      As of today, Red Hat Advanced Cluster Security has no support for SBOMs, while customers are asking for it. It is therefore requested to enhance Red Hat Advanced Cluster Security to generate SBOMs during builds and to store them for regular review and reporting. That way, application owners can be warned when an image uses a vulnerable dependency, and policies can be created to prevent affected images from running.

      With that, it also becomes crucial that the generated SBOM can be stored in Red Hat Advanced Cluster Security or a surrounding system while keeping its reference to the build artifact it describes, so that it can be rescanned and reported on regularly.

      Use Cases:

      Many federal agencies demand that software providers such as Red Hat deliver a Software Bill of Materials (SBOM) as part of their offering, in order to understand the software supply chain in detail, speed up vulnerability detection and hence its mitigation.

      Enterprises around the globe are starting to raise similar demands: because of the software they use, because they understand the importance of a Software Bill of Materials (SBOM), and because they may themselves supply software to federal agencies.

      So, as part of a secure software supply chain, Red Hat Advanced Cluster Security should offer the capability to generate SBOMs, store them, link them to the artifact they were generated from, and review them regularly so that it can alert when a vulnerability is found that needs to be addressed.

      Key Functionality:

      It should be possible to generate SBOMs with Red Hat Advanced Cluster Security (likely via roxctl). In addition, SBOMs should be stored within Red Hat Advanced Cluster Security or another appropriate location, while keeping the reference to the artifact they relate to. Further, Red Hat Advanced Cluster Security should scan the stored SBOMs regularly, alert when vulnerabilities are found, and provide the same mitigation workflow as for image scan results: report on the vulnerability and allow the affected artifacts (containers) to be blocked from running based on the policies created.
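The workflow requested above, as an added example that is not part of this RFE and is not Red Hat Advanced Cluster Security or roxctl code: an SBOM is produced once at build time, stored under the digest of the image it describes, rescanned later against newer vulnerability data without touching the image again, and fed into an admission policy. The CycloneDX-style document, the package names, the version numbers and the vulnerability feed are all constructed for the example; the ids `EXAMPLE-0001` and `EXAMPLE-0002` are placeholders, not real CVEs, and the version comparison is a deliberately simple dotted-numeric compare.

```python
"""Added example, not part of RFE-5792 or of Red Hat Advanced Cluster Security.

Models the requested workflow: generate an SBOM once, store it keyed by the
image digest it describes, rescan the stored SBOM whenever the vulnerability
feed changes (no image pull needed), and let a policy decide admission.
All SBOM and vulnerability data below is constructed; the vulnerability ids
are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    version: str
    fixed_in: str
    severity: str


# Constructed CycloneDX-style SBOM. metadata.component carries the image name
# and digest, which is what ties the stored document back to the build artifact.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {
            "type": "container",
            "name": "registry.example.com/team/app",
            "version": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
        }
    },
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3"},
        {"type": "library", "name": "tool-b", "version": "4.0.1"},
        {"type": "library", "name": "safe-lib", "version": "2.0.0"},
    ],
}

# Constructed vulnerability feed: (placeholder id, package, first fixed version, severity).
# Day 1 knows one entry; a second one is published later and must be caught by rescan.
FEED_DAY1 = [("EXAMPLE-0001", "libexample", "1.2.4", "Important")]
FEED_DAY2 = FEED_DAY1 + [("EXAMPLE-0002", "tool-b", "4.1.0", "Critical")]


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; sufficient for the constructed data."""
    return tuple(int(p) for p in v.split("."))


def store_sbom(store: dict, sbom: dict) -> str:
    """Keep the SBOM under the digest of the image it describes; return that key.

    A tag such as 'latest' is rejected because it does not identify one artifact.
    """
    digest = sbom["metadata"]["component"]["version"]
    if not digest.startswith("sha256:"):
        raise ValueError("SBOM must reference the image by digest, not by tag")
    store[digest] = sbom
    return digest


def scan_sbom(sbom: dict, feed: list) -> list:
    """Match SBOM components against the feed; a component is affected when its
    version is lower than the first fixed version."""
    findings = []
    for comp in sbom["components"]:
        for vuln_id, pkg, fixed_in, severity in feed:
            if comp["name"] == pkg and parse_version(comp["version"]) < parse_version(fixed_in):
                findings.append(Finding(vuln_id, pkg, comp["version"], fixed_in, severity))
    return findings


def rescan_store(store: dict, feed: list) -> dict:
    """The periodic review: rescan every stored SBOM against the current feed."""
    return {digest: scan_sbom(sbom, feed) for digest, sbom in store.items()}


def admission_decision(findings: list, block_on=("Critical",)) -> str:
    """Policy: block the image if any finding has a blocked severity."""
    return "block" if any(f.severity in block_on for f in findings) else "allow"


if __name__ == "__main__":
    store = {}
    digest = store_sbom(store, SAMPLE_SBOM)
    for day, feed in (("day1", FEED_DAY1), ("day2", FEED_DAY2)):
        findings = rescan_store(store, feed)[digest]
        print(day, [f.vuln_id for f in findings], admission_decision(findings))
```

The point of keying the store by digest rather than by tag is that a rescan result can be attributed to exactly one build artifact, which is what a blocking policy needs; the day-2 rescan finds the newly published entry without the image ever being pulled again.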

      Benefits:

      This has become an industry demand, and the current lack of SBOM support in Red Hat Advanced Cluster Security makes it hard to position and justify in enterprises and federal agencies.

      Acceptance criteria:

      Red Hat Advanced Cluster Security needs to provide full SBOM support: generating SBOMs, storing them, scanning them on board, and reporting on them.

      Timeline:

      There is high demand for this from existing and potential new customers, which is why it is critical and required in a timely manner.

              sbadve@redhat.com Shubha Badve
              rhn-support-sreber Simon Reber
              Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve