Add sbom generation tooling (#2232) #106
Lukasz-Juranek wants to merge 2 commits into eclipse-score:main from
Conversation
@Lukasz-Juranek this looks interesting! Can you describe a little why we need custom code? No native Bazel support, etc.?
Hi, right now I'm not aware of any out-of-the-box support for Bazel that would really cover all C++ imports and Rust code. But IMO the tooling itself is not that important; it can be replaced later on with anything. What is important is to start getting the SBOM data for 3rd-party dependencies in any meaningful format when there are not many deps, and to build into SCORE developers this behavior that when you import some stuff into your project you think about SBOM. If SBOM data is available then you can do a conversion to some mature solution.
ffca1f1 to e308870
Updated PR according to the discussion that we had: https://github.com/orgs/eclipse-score/discussions/2226#discussioncomment-15669973 Now manual generation of is removed, sbom data is generated via
Added mandatory fields from
For details see the updated readme https://github.com/Lukasz-Juranek/score-tooling/blob/e3088700d55e5b70c6b36b7730c1471ad3693cf5/sbom/SBOM_Readme.md @masc2023 you asked for a list of tools, here it is: https://github.com/Lukasz-Juranek/score-tooling/blob/e3088700d55e5b70c6b36b7730c1471ad3693cf5/sbom/SBOM_Readme.md#core-tools
This PR adds basic SBOM Bazel rules; for details see
https://github.com/Lukasz-Juranek/score-tooling/blob/e3088700d55e5b70c6b36b7730c1471ad3693cf5/sbom/SBOM_Readme.md
Here are generated SBOMs for reference_integration targets:
sbom_kyron.cdx.json
sbom_kyron.spdx.json
sbom_orch_per.cdx.json
sbom_orch_per.spdx.json
Here is SBOM target definition: eclipse-score/reference_integration#83
SBOM is automatically generated; no modifications are needed for SCORE.
This is not a full solution but rather something to begin with.
Happy to discuss this in detail.
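One check a reviewer will want on the generated pairs listed above (sbom_*.cdx.json and sbom_*.spdx.json) is that both formats describe the same set of third-party components and that each component carries license data. The following is an added example, not code from this PR or from the score-tooling repository; it assumes only the public CycloneDX 1.x and SPDX 2.x JSON layouts, and the two embedded documents are constructed samples rather than the real reference_integration output.

```python
"""Cross-check a CycloneDX JSON SBOM against its SPDX JSON counterpart.

Added example, not part of the score-tooling PR. It assumes the SBOM pair
follows the public CycloneDX 1.x and SPDX 2.x JSON layouts; the two sample
documents below are constructed, not the real reference_integration output.
"""
import json

# Constructed CycloneDX document (same shape as a *.cdx.json file).
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "bar-rs", "version": "0.4.0",
         "purl": "pkg:cargo/bar-rs@0.4.0"},  # no license declared
    ],
})

# Constructed SPDX document (same shape as a *.spdx.json file).
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sbom_sample",
    "packages": [
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "1.2.3",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-baz", "name": "baz", "versionInfo": "2.0.0",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0"},
    ],
})


def cdx_inventory(text):
    """Return {(name, version): license-or-None} from a CycloneDX JSON string."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    inv = {}
    for comp in doc.get("components", []):
        lic = None
        # CycloneDX allows either {"license": {"id"|"name"}} or {"expression"}.
        for entry in comp.get("licenses", []):
            lic_obj = entry.get("license", {})
            lic = lic_obj.get("id") or lic_obj.get("name") or entry.get("expression")
            if lic:
                break
        inv[(comp["name"], comp.get("version", ""))] = lic
    return inv


def spdx_inventory(text):
    """Return {(name, version): license-or-None} from an SPDX 2.x JSON string."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    inv = {}
    for pkg in doc.get("packages", []):
        lic = pkg.get("licenseConcluded") or pkg.get("licenseDeclared")
        # SPDX uses these sentinels to mean "no usable license information".
        if lic in ("NOASSERTION", "NONE"):
            lic = None
        inv[(pkg["name"], pkg.get("versionInfo", ""))] = lic
    return inv


def compare_sboms(cdx_text, spdx_text):
    """Report inventory drift between the two formats and license gaps.

    Returns the component keys present in only one document, plus those
    lacking a license in every document that lists them, so a CI job can
    fail when the two generated SBOMs disagree.
    """
    cdx, spdx = cdx_inventory(cdx_text), spdx_inventory(spdx_text)
    missing = []
    for key in cdx.keys() | spdx.keys():
        found = [inv[key] for inv in (cdx, spdx) if key in inv]
        if all(v is None for v in found):
            missing.append(key)
    return {
        "only_in_cdx": sorted(cdx.keys() - spdx.keys()),
        "only_in_spdx": sorted(spdx.keys() - cdx.keys()),
        "missing_license": sorted(missing),
    }


if __name__ == "__main__":
    print(json.dumps(compare_sboms(CDX_SAMPLE, SPDX_SAMPLE), indent=2))
```

Run against a real pair, the script would be pointed at the two files instead of the embedded samples; any non-empty `only_in_*` list means the two exporters disagree on the dependency inventory, and `missing_license` lists the components a downstream license or vulnerability scanner will not be able to classify.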