-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generate modern sbom formats when releasing etcd #18902
Comments
Hi @idunbarh many thanks for raising this and volunteering. For background we last touched the SBOM process for etcd in #15747 and the process essentially relies on a very antiquated approach to generate the json file https://github.com/etcd-io/etcd/blob/main/bill-of-materials.json. Adopting new cyclonedx and spdx format support is definitely something I would support. We would need to still retain the old json format sbom process in the stable release branches until the next minor release at least in order to not break any existing processes but I am very keen to forge ahead implementing this in cc @ivanvc, @ahrtr, @serathius for any further thoughts on this. /assign @idunbarh |
/retitle Generate modern sbom formats when releasing etcd |
I think this is a great idea. I spoke with @puerco (sig release) regarding this at KubeCon. |
Thanks for raising this discussion. The json format of SPDX seems a better choice to me. The only minor concern is that SBOM-Generation is implemented with Python. It means that we have to get python installed in contributors' dev environment to update SBOM. Alternatives:
|
@ahrtr I'll create both SPDX and CycloneDX since its best to let users choose what works best for them. Its simple to do both. The SBOM-Generation has several different reference implementations that include kubectl with trivy. I'll use syft for this implementation. |
Do you mean https://github.com/anchore/syft? If yes, then looks good to me. |
What would you like to be added?
I'd like to contribute SBOM generation to the release process of this project in both cyclonedx and spdx formats.
I'm part of https://github.com/CISA-SBOM-Community/SBOM-Generation thats building reference implementations for "good" SBOM generation and we thought etcd would be a great candidate.
Why is this needed?
SBOMs are becoming a common part of software releases because they provide insight into what dependencies are used in a project. This allows better vulnerability management.
The text was updated successfully, but these errors were encountered: