
GoVPP Software Bill of Materials Generation

Open dwallacelf opened this issue 1 year ago • 3 comments

Per recommendations by the LF Networking Security Forum on the Security Best Practices Wiki Page, GoVPP releases should include the generation of a Software Bill of Materials in SPDX 2.2 or greater format.

dwallacelf avatar Feb 22 '24 03:02 dwallacelf

Per this blog entry [0], GitHub incorporates the generation of an SPDX-formatted SBOM JSON file from the 'Insights->Dependency Graph' page [1] by hitting the "Export SBOM" button.

@ondrej-fabry, given the release tags provide a convenient URL to retrieve tarballs of the source code, does it make sense to download & check the latest SBOM file into the tree (e.g. RELEASE_SBOM.json) before each release?

[0] https://github.blog/2023-03-28-introducing-self-service-sboms/
[1] https://github.com/FDio/govpp/network/dependencies

dwallacelf avatar Feb 28 '24 21:02 dwallacelf
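The comment above proposes exporting GitHub's SPDX SBOM and committing it as RELEASE_SBOM.json before each release. The export reflects what GitHub's dependency graph has indexed, which can lag the module's real go.mod, so a release step should sanity-check the file before it is committed or attached. The script below is an added example, not GoVPP project code: it checks that the exported document is SPDX 2.2 or newer, carries the required SPDXRef-DOCUMENT identifier, and that every module in go.mod appears in the SBOM at the same version. The go.mod fragment and the SBOM JSON are constructed samples (with one stale version and one missing module planted on purpose), and the `pkg:golang/...` purl layout is assumed to be how GitHub identifies Go packages in the export.

```python
"""Sanity-check a GitHub-exported SPDX SBOM against a Go module's go.mod
before committing it as RELEASE_SBOM.json.

Added example, not part of the GoVPP project. The real file would come from
GitHub's dependency-graph SBOM endpoint, e.g.
    gh api repos/FDio/govpp/dependency-graph/sbom > RELEASE_SBOM.json
The inputs below are constructed samples so the script runs offline.
"""
import json
import re

MIN_SPDX = (2, 2)   # the LFN recommendation: SPDX 2.2 or greater

# Constructed go.mod fragment (not GoVPP's real go.mod).
SAMPLE_GO_MOD = """\
module example.com/demo

go 1.21

require (
\tgithub.com/example/libone v1.4.0
\tgolang.org/x/sys v0.15.0 // indirect
)

require github.com/example/libtwo v2.0.1
"""

# Constructed SBOM in the shape GitHub's export returns ({"sbom": {...}}).
# libtwo is deliberately missing and libone's version is stale, to show
# what the check reports. The purl form is an assumption about the export.
SAMPLE_SBOM = json.loads("""{
  "sbom": {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "com.github.example/demo",
    "packages": [
      {"name": "go:github.com/example/libone", "SPDXID": "SPDXRef-go-libone",
       "versionInfo": "1.3.0",
       "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                         "referenceType": "purl",
                         "referenceLocator": "pkg:golang/github.com/example/libone@v1.3.0"}]},
      {"name": "go:golang.org/x/sys", "SPDXID": "SPDXRef-go-x-sys",
       "versionInfo": "0.15.0",
       "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                         "referenceType": "purl",
                         "referenceLocator": "pkg:golang/golang.org/x/sys@v0.15.0"}]}
    ]
  }
}""")


def spdx_version(doc):
    """Return (major, minor) from an 'SPDX-x.y' string, or None if malformed."""
    m = re.fullmatch(r"SPDX-(\d+)\.(\d+)", doc.get("spdxVersion", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def go_mod_requires(text):
    """Map module path -> version for every require line (block or single)."""
    reqs = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop comments such as '// indirect'
        if not line:
            continue
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block:
            parts = line.split()
        elif line.startswith("require "):
            parts = line.split()[1:]
        else:
            continue
        if len(parts) == 2:
            reqs[parts[0]] = parts[1]
    return reqs


def sbom_go_packages(doc):
    """Map module path -> version from the Go purls in the SBOM packages."""
    pkgs = {}
    for p in doc.get("packages", []):
        for ref in p.get("externalRefs", []):
            loc = ref.get("referenceLocator", "")
            if ref.get("referenceType") == "purl" and loc.startswith("pkg:golang/"):
                path, _, ver = loc[len("pkg:golang/"):].partition("@")
                pkgs[path] = ver
    return pkgs


def check_sbom(export, go_mod_text):
    """Return a list of problems; an empty list means the SBOM is fit to commit."""
    problems = []
    doc = export.get("sbom", export)        # accept the wrapped or the bare document
    ver = spdx_version(doc)
    if ver is None or ver < MIN_SPDX:
        problems.append(f"spdxVersion {doc.get('spdxVersion')!r} is below SPDX-2.2")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("missing SPDXRef-DOCUMENT")
    want = go_mod_requires(go_mod_text)
    have = sbom_go_packages(doc)
    for path, version in sorted(want.items()):
        if path not in have:
            problems.append(f"{path} is in go.mod but absent from the SBOM")
        elif have[path] != version:
            problems.append(f"{path}: go.mod has {version}, SBOM has {have[path]}")
    return problems


if __name__ == "__main__":
    for p in check_sbom(SAMPLE_SBOM, SAMPLE_GO_MOD):
        print("PROBLEM:", p)
```

Run against the constructed inputs it reports the stale libone version and the missing libtwo module; a release job would feed it the real export and the repository's go.mod and refuse to commit or upload the SBOM unless the list is empty.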

The procedure for generating SBOMs should be added to the Developer Documentation

dwallacelf avatar Mar 07 '24 14:03 dwallacelf

We could also add this as part of the release process, and upload the generated SBOMs alongside the release packages

sknat avatar Mar 07 '24 14:03 sknat