[DRAFT] PoC implementation of ISO-SBOM #41

Draft: wants to merge 8 commits into base: main
Conversation

KAWAHARA-souta
Contributor

This is a draft PR. DO NOT MERGE this PR.

This PR allows us to make an ISO-SBOM.
Now we can get a CycloneDX SBOM of the DVD ISO and the minimal ISO.
At present, however, SBOMs can be generated only when the number of packages is explicitly narrowed down, not for all packages included in the ISO.
If individual package-SBOMs cannot be generated for all the packages in the ISO, the ISO-SBOM cannot be generated either.
At this time, I've found some packages for which package-SBOMs cannot be generated, and we plan to fix this in another MR.

Moreover, the following implementations and considerations need to be addressed, and once they are resolved, the draft status is expected to be removed:

  • Implementation for SPDX
  • Implementation for the boot ISO (if we can, and if we need it)
  • Consideration of the contents of the ISO-SBOM (now it includes only package info)
  • Resolve the individual package-SBOM issue and enable generation of complete ISO-SBOMs
  • Other refactors
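The all-or-nothing rule described above (no ISO-SBOM unless every package in the ISO has its own package-SBOM), shown as an added example that is not alma_sbom's own code: it assembles a CycloneDX-shaped ISO SBOM from per-package CycloneDX documents, with the ISO as the top-level component and each RPM as a component. The field layout, the `pkg:rpm/almalinux/...` purls and all package names, versions and digests are constructed sample values, not taken from the project.

```python
"""Assemble an ISO-level CycloneDX SBOM from per-package SBOMs (illustration only)."""
import hashlib


def package_sbom(name, version, release, arch, sha256):
    # Constructed sample package SBOM; only the fields this example needs.
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {
            "type": "library", "name": name, "version": f"{version}-{release}",
            "purl": f"pkg:rpm/almalinux/{name}@{version}-{release}?arch={arch}",
            "hashes": [{"alg": "SHA-256", "content": sha256}],
        }},
    }


def build_iso_sbom(iso_name, iso_sha256, rpm_names, package_sboms):
    """Return (sbom, []) when every RPM has a package SBOM, else (None, missing).

    A partial ISO-SBOM would silently under-report what the image contains,
    so the function refuses rather than emitting an incomplete inventory.
    """
    missing = sorted(n for n in rpm_names if n not in package_sboms)
    if missing:
        return None, missing
    components = [package_sboms[n]["metadata"]["component"] for n in rpm_names]
    sbom = {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {
            "type": "operating-system", "name": iso_name,
            "hashes": [{"alg": "SHA-256", "content": iso_sha256}],
        }},
        "components": components,
    }
    return sbom, []


def demo():
    # Constructed digest and package list; "kernel" deliberately has no package SBOM.
    digest = hashlib.sha256(b"constructed sample").hexdigest()
    pkgs = {"bash": package_sbom("bash", "5.1.8", "6.el9", "x86_64", digest),
            "glibc": package_sbom("glibc", "2.34", "60.el9", "x86_64", digest)}
    iso = "AlmaLinux-9.2-x86_64-minimal.iso"
    complete, _ = build_iso_sbom(iso, digest, ["bash", "glibc"], pkgs)
    rejected, missing = build_iso_sbom(iso, digest, ["bash", "glibc", "kernel"], pkgs)
    return complete, rejected, missing


if __name__ == "__main__":
    print(demo())
```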

KAWAHARA-souta and others added 8 commits June 3, 2024 17:25
Store 'None' if build-related data is empty
This patch allows users to create a package SBOM by specifying the
RPM package itself without having to calculate a hash value.

This also allows the SBOM field to be extended since the package
information can be referenced within alma_sbom.
@KAWAHARA-souta
Contributor Author

I was able to create an SBOM for AlmaLinux 9.2 minimal ISO.
If you are interested, please give it a try.
