text/0000-sbom.md
+18
@@ -64,6 +64,23 @@ The motivation for supporting multiple SBOM formats is because there is currentl
64
64
Currently the SBOM is defined in the `<layer>.toml`, `launch.toml` and `build.toml` respectively under the `[bom]` table.
65
65
It may not be the most user-friendly way for buildpack authors to create SBOM documents in the above format. This RFC proposes that the `bom` be moved to `<layer>.bom.<ext>`, `launch.bom.<ext>` and `build.bom.<ext>` instead where `<ext>` will be `cdx.json` for CycloneDX documents and `spdx.json` for SPDX documents. A buildpack can also output the `bom` in multiple formats i.e. both CycloneDX and SPDX.
66
66
67
+
Additionally the buildpack must also indicate the SBOM format(s) it exports using the in its `buildapck.toml`'s `sbom` key in the `buildpacks` table.
68
+
69
+
The format of this key should look like -
70
+
71
+
```toml
72
+
api = "0.x"
73
+
74
+
[buildpack]
75
+
id = "<buildpack ID>"
76
+
name = "<buildpack name>"
77
+
# This can be an array of supported SBOM formats by the buildpack.
78
+
# Valid array values are "CycloneDX" and "SPDX" as of this RFC.
79
+
sbom = ["CycloneDX"]
80
+
```
81
+
82
+
This information can be displayed on the registry and `pack inspect-buildpack`.
83
+
67
84
The lifecycle of the respective `bom` files during rebuilds would be exactly the same as the `bom` table currently.
68
85
69
86
The lifecycle would be responsible for taking all of the above `bom` files, and putting them in `/layers/config/sbom/<buildpack-id>/<layer-id>/<type>.bom.<ext>` for the layer `bom` files where `type` call be `build` or `launch` or `both`. Buildpack level BOM files will reside at `/layers/config/sbom/<buildpack-id>/build.bom.<ext>` and `/layers/config/sbom/<buildpack-id>/launch.bom.<ext>` for the `launch` and `build``bom` respectively.
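Review bot: the added prose and the added TOML sample disagree about where the new key lives: the sentence says the `sbom` key goes in the `buildpacks` table of `buildapck.toml` (typo for `buildpack.toml`, and "using the in its" has a stray "the"), while the sample places `sbom` under `[buildpack]`; pick one and make the sentence match the sample, e.g. "Additionally, the buildpack must declare the SBOM format(s) it exports via the `sbom` key of the `[buildpack]` table in its `buildpack.toml`." The hunk also leaves the relationship between the declared list and the emitted files unspecified: since `<ext>` is fixed to `cdx.json` for CycloneDX and `spdx.json` for SPDX, state whether the lifecycle rejects or warns on a `<layer>.bom.<ext>`, `launch.bom.<ext>` or `build.bom.<ext>` whose format is not in the declared `sbom` array, and whether an empty or missing `sbom` key means "no SBOM exported"; consumers such as the registry and `pack inspect-buildpack` will present the declared list as authoritative, so the lifecycle is the right place to enforce it. The comment "This can be an array" should read "This is an array", and "Valid array values are ... as of this RFC" would be clearer as "Valid values as of this RFC are `"CycloneDX"` and `"SPDX"`".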
@@ -74,6 +91,7 @@ Merging different formats (CycloneDX/SPDX/Legacy CNB format) is a non-goal and w
74
91
75
92
Since we will be preserving the original output files and if a buildpack chooses to output in both SPDX and CycloneDX, the lifecycle may eventually add support for SPDX merging in a future version if merging SPDX documents becomes better defined/efficient.
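Review bot: the added sentence is a fragment ("Since we will be preserving ... and if a buildpack chooses ..." has no main clause) and it softens the non-goal stated in the hunk header; suggest rewording to keep the requirement and the outlook separate, e.g. "The lifecycle preserves each original output file unmodified, so a buildpack that emits both SPDX and CycloneDX loses nothing today. Merging SPDX documents may be added in a future lifecycle version if it becomes better defined and efficient, but it remains a non-goal of this RFC." Preserving the originals byte-for-byte is also the property that lets a downstream verifier reconcile what a buildpack emitted with what is shipped, so it is worth stating as a requirement rather than as background.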