Add sbom format to buildpacks toml
Signed-off-by: Sambhav Kothari <[email protected]>
sambhav committed Sep 22, 2021
1 parent 1fe273b commit a6a0561
Showing 1 changed file with 18 additions and 0 deletions.
18 changes: 18 additions & 0 deletions text/0000-sbom.md
Expand Up @@ -64,6 +64,23 @@ The motivation for supporting multiple SBOM formats is because there is currentl
Currently the SBOM is defined in the `<layer>.toml`, `launch.toml` and `build.toml` respectively under the `[bom]` table.
It may not be the most user-friendly way for buildpack authors to create SBOM documents in the above format. This RFC proposes that the `bom` be moved to `<layer>.bom.<ext>`, `launch.bom.<ext>` and `build.bom.<ext>` instead where `<ext>` will be `cdx.json` for CycloneDX documents and `spdx.json` for SPDX documents. A buildpack can also output the `bom` in multiple formats i.e. both CycloneDX and SPDX.

Additionally the buildpack must also indicate the SBOM format(s) it exports using the in its `buildapck.toml`'s `sbom` key in the `buildpacks` table.

The format of this key should look like -

```toml
api = "0.x"

[buildpack]
id = "<buildpack ID>"
name = "<buildpack name>"
# This can be an array of supported SBOM formats by the buildpack.
# Valid array values are "CycloneDX" and "SPDX" as of this RFC.
sbom = ["CycloneDX"]
```

This information can be displayed on the registry and `pack inspect-buildpack`.

The lifecycle of the respective `bom` files during rebuilds would be exactly the same as the `bom` table currently.

The lifecycle would be responsible for taking all of the above `bom` files, and putting them in `/layers/config/sbom/<buildpack-id>/<layer-id>/<type>.bom.<ext>` for the layer `bom` files where `type` call be `build` or `launch` or `both`. Buildpack level BOM files will reside at `/layers/config/sbom/<buildpack-id>/build.bom.<ext>` and `/layers/config/sbom/<buildpack-id>/launch.bom.<ext>` for the `launch` and `build` `bom` respectively.
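Review bot: the layer-level destination path `/layers/config/sbom/<buildpack-id>/<layer-id>/<type>.bom.<ext>` introduces a `<type>` of `build`, `launch` or `both`, but the hunk only defines a single `<layer>.bom.<ext>` file per layer and never says how the lifecycle decides which `<type>` a given layer file gets; state that explicitly (for example, derived from the layer's build/launch flags) so implementers do not guess. The same hunk should also say what happens when the declared `sbom` array and the files a buildpack actually writes disagree (a buildpack declaring only `CycloneDX` but emitting `launch.bom.spdx.json`, or the reverse), since the registry and `pack inspect-buildpack` will display the declared list; an explicit validation step in the lifecycle would keep that displayed metadata trustworthy. Wording fixes in the new text: "using the in its `buildapck.toml`'s `sbom` key" should read "in the `sbom` key of its `buildpack.toml`", "where `type` call be" should be "can be", and the TOML comment reads better as "an array of the SBOM formats supported by the buildpack".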
Expand All @@ -74,6 +91,7 @@ Merging different formats (CycloneDX/SPDX/Legacy CNB format) is a non-goal and w

Since we will be preserving the original output files and if a buildpack chooses to output in both SPDX and CycloneDX, the lifecycle may eventually add support for SPDX merging in a future version if merging SPDX documents becomes better defined/efficient.


# How it Works
[how-it-works]: #how-it-works

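Review bot: the only change in this hunk is a second blank line inserted before the `# How it Works` heading; unless the document uses double blank lines before headings elsewhere, one is enough, and dropping it keeps the diff free of whitespace-only changes.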

0 comments on commit a6a0561