
how to create a sbom for a Bundle

Open DennisDenuto opened this issue 4 years ago • 2 comments

I would like to have insight into what dependencies (+ transitive) / packages / libraries / licenses are being distributed by a Bundle.

Having an SBOM is a good standard to follow; however, generating an SBOM for a bundle doesn't capture any of the dependencies brought in by the referenced images. (It isn't clear to me whether it should either, since each image ref would also have its own SBOM - this might require some research.)

Can we have imgpkg workflow documentation (similar to the airgapped env) that outlines:

  • How to generate an SBOM for a bundle
  • What information is captured in a bundle SBOM

DennisDenuto avatar Oct 25 '21 15:10 DennisDenuto

Going to accept this issue.

The expected outcome for this story is:

  1. Come up with a workflow that can be used by the users
  2. Create new issues with possible new features needed to create these SBOMs (this might not be a change in imgpkg itself, but it could be a script to help automate the process).

joaopapereira avatar Nov 09 '21 15:11 joaopapereira

The generated SBOM could be signed with cosign and added as a signed in-toto attestation to the image. I guess this issue is connected to https://github.com/carvel-dev/imgpkg/issues/269.

ThomasVitale avatar Jan 30 '23 21:01 ThomasVitale
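A shell workflow for what this thread asks for, added here as an example and not part of imgpkg or of any comment above: it pulls the bundle, reads the ImagesLock at `.imgpkg/images.yml`, generates an SPDX SBOM for the bundle image and for every referenced image, and attaches each SBOM to its image as a cosign in-toto attestation, so the bundle SBOM's gap (no packages from referenced images) is covered per image. The SBOM generator `syft`, the cosign `--type spdxjson` predicate type and the signing-key argument are assumptions, not something the page specifies.

```shell
#!/usr/bin/env bash
# Added example: SBOMs for an imgpkg bundle and every image in its ImagesLock.
# Assumes imgpkg, syft (assumed SBOM generator) and cosign are on PATH.
set -eu

# Print the image references listed in an ImagesLock file.
# Matches both "- image: ..." and "  image: ..." entries; annotation keys
# such as kbld.carvel.dev/id never match and are ignored.
lock_images() {
  awk '($1 == "image:") || ($1 == "-" && $2 == "image:") { print $NF }' "$1"
}

# Pull the bundle, emit one SPDX SBOM per image (bundle image included),
# sign each as an in-toto attestation, and write an index of what was covered.
# The bundle's own SBOM does not list the referenced images' packages, which
# is why every lock entry gets its own SBOM and attestation.
bundle_sbom() {
  bundle_ref="$1"; out="$2"; key="$3"   # key: assumed cosign private key path
  mkdir -p "$out/sboms"
  imgpkg pull -b "$bundle_ref" -o "$out/bundle"
  : > "$out/index.txt"
  # The bundle image itself, then every image pinned in its lock file.
  { echo "$bundle_ref"; lock_images "$out/bundle/.imgpkg/images.yml"; } |
  while read -r img; do
    # Digest-only file name when a digest is present; otherwise a sanitized ref.
    name="$(printf '%s' "$img" | sed 's/.*@sha256://; s#[/:]#_#g')"
    syft "$img" -o spdx-json > "$out/sboms/$name.spdx.json"
    cosign attest --key "$key" --type spdxjson \
      --predicate "$out/sboms/$name.spdx.json" "$img"
    echo "$img -> sboms/$name.spdx.json" >> "$out/index.txt"
  done
}

# Run the workflow only when invoked as: script.sh BUNDLE_REF OUT_DIR KEY_PATH
if [ "$#" -eq 3 ]; then
  bundle_sbom "$1" "$2" "$3"
fi
```

Verifying later is the same loop in reverse: `cosign verify-attestation --type spdxjson` on each image listed in `index.txt`.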