You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: text/0000-sbom.md
+11-12
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,6 @@ This RFC proposes the following -
15
15
16
16
- Use of CycloneDX as the SBOM storage format.
17
17
- Moving the SBOM from `<layer>.toml`, `launch.toml` and `build.toml` to a separate file.
18
-
- Enhancements to the platform spec and pack to allow easy interaction with SBOMs including conversion between major SBOM formats.
19
18
20
19
# Definitions
21
20
[definitions]: #definitions
@@ -54,7 +53,6 @@ Having a structured and consistent SBOM that can be consumed by downstream syste
54
53
55
54
- Use of CycloneDX as the SBOM storage format and updates the the specification and lifecycle to reflect the same.
56
55
- Moving the SBOM from `<layer>.toml`, `launch.toml` and `build.toml` to a separate file.
57
-
- Enhancements to the platform spec and `pack` to allow easy interaction with SBOMs including conversion between major SBOM formats.
58
56
59
57
# What it is
60
58
[what-it-is]: #what-it-is
@@ -66,14 +64,16 @@ The above bom documents need to be created in CycloneDX format.
66
64
67
65
The lifecycle of the respective `bom` files during rebuilds would be exactly the same as the `bom` table currently.
68
66
69
-
The lifecycle would be responsible for taking all of the above `bom` files, merging it while tagging it with the originating layer or buildpack the `bom` came from and storing it in `/layers/config/sbom.cdx.json`. This file would also be stored in a layer of its own and the lifecycle would be responsible for storing the layer digest in a label `io.buildpacks.bom.digest`.
70
-
71
-
Platforms like `pack` would be responsible for fetching the `bom` from the above layer and displaying it to the user in a format of their choice via something like `pack inspect-image <image-name> --bom --format=spdx_2_2`.
67
+
The lifecycle would be responsible for taking all of the above `bom` files, merging it while tagging it with the originating layer or buildpack the `bom` came from and storing it in `/layers/config/bom.cdx.json`.
72
68
73
69
# How it Works
74
70
[how-it-works]: #how-it-works
75
71
76
-
TODO
72
+
The lifecycle would be responsible for reading, merging and restoring the appropriate `bom` files. The lifecycle of these `bom` files would be tied to their respectice metadata `toml` files. See [RFC 0087](https://github.com/buildpacks/rfcs/blob/main/text/0087-bom-in-layer-metadata.md#how-it-works) for more details. For merging the `bom` files, the lifecycle could replicate or use tooling from [CycloneDX-cli](https://github.com/CycloneDX/cyclonedx-cli) which has a merge operation. The only additional piece of information that the lifecycle would inject are `CycloneDX`[`metadata`](https://cyclonedx.org/use-cases/#properties--name-value-store) the following property keys -
73
+
74
+
`io.buildpacks.bom.buildpack.id` - Buildpack ID for the buildpack that created the BOM
75
+
`io.buildpacks.bom.type` - Set to `build` or `launch` as applicable.
76
+
`io.buildpacks.bom.layer.name` (Optional) - Set to the name of the layer if the `bom` was associated with a specific layer.
77
77
78
78
# Drawbacks
79
79
[drawbacks]: #drawbacks
@@ -105,15 +105,14 @@ The main reason that the lifecycle needs to have a hard dependency on CycloneDX
105
105
# Unresolved Questions
106
106
[unresolved-questions]: #unresolved-questions
107
107
108
-
-What parts of the design do you expect to be resolved before this gets merged?
109
-
-What parts of the design do you expect to be resolved through implementation of the feature?
110
-
-What related issues do you consider out of scope for this RFC that could be addressed in the future independently of the solution that comes out of this RFC?
108
+
-Implementation details about how the lifecycle should be merging the SBOMs.
109
+
-Moving the SBOM from the `io.buildpacks.build.metadata` label to a file in the output image to avoid large labels
110
+
-Interactions with the stack SBOM and how to represent that and merge it with the Buildpack SBOM.
111
111
112
112
# Spec. Changes (OPTIONAL)
113
113
[spec-changes]: #spec-changes
114
-
Does this RFC entail any proposed changes to the core specifications or extensions? If so, please document changes here.
115
-
Examples of a spec. change might be new lifecycle flags, new `buildpack.toml` fields, new fields in the buildpackage label, etc.
116
-
This section is not intended to be binding, but as discussion of an RFC unfolds, if spec changes are necessary, they should be documented here.
0 commit comments