-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Rake task for building SBOM files #4356
Conversation
Signed-off-by: Hiroshi Hatake <[email protected]>
Signed-off-by: Hiroshi Hatake <[email protected]>
task :sbom do | ||
require 'fluent/version' | ||
version = ENV["SBOM_VERSION"] || Fluent::VERSION | ||
sh "docker sbom fluent/fluentd:v#{version}-debian-amd64-1.0 --output licenses/fluentd-latest.spdx.json --format spdx-json" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should it use specific version of sbom plugin?
https://github.com/docker/sbom-cli-plugin
I've locally executed, it seems outcome is bit different.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm just using with sbom subcommand which is included in Docker Desktop 4.24.2 (124339).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the generated SBOM files are not comfortable for y'all, I'll remove the commit 8cb884f from this PR. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Basically, it is good thing to provide SBOM, but I'm not sure it should be managed in fluent/fluentd.
- It may be better place to put SBOM in https://github.com/fluent/fluentd-docker-image
- SBOM just reflect snapshot of container components, not fluentd itself. so, put it under fluentd-docker-image may be better IMHO.
By the way, how about using result of tags?
`curl --silent https://hub.docker.com/v2/namespaces/fluent/repositories/fluentd/tags | jq --raw-output '.results[] | select (.name | startswith("#{version}-debian-amd64-1.")) | .name'`
v1.16.3-debian-amd64-1.0
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, it's really good. And I agree to put SBOMs in fluent/fluent-docker-image instead of here.
Or, like as pixie, we need to implement SBOM like auto generated files in the future.
https://github.com/pixie-io/pixie/tree/main/tools/licenses
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which issue(s) this PR fixes:
Related to fluent/fluentd-docs-gitbook#481.
What this PR does / why we need it:
To provide machine friendly license information, we should provide SBOM files which is able to handled by Trivy or other security tools.
Currently, two of the SBOM types are existing. One is containing for SPDX license information. The other is CycloneDX format.
This added rake task can be executed as:
$ SBOM_VERSION=1.16.3 bundle exec rake sbom
This is because Fluentd v1.16.3 is diverged from the current master. So, we need to specify that version if we generate its version of SBOM files.
Docs Changes:
Needed but where we should mention it?
Release Note:
Same as a title.