fluentd-docs-gitbook icon indicating copy to clipboard operation
fluentd-docs-gitbook copied to clipboard
verified publisher icon fluent

Create the official link of version of software bill of materials of Fluentd

Open cosmo0920 opened this issue 2 years ago • 3 comments

Describe the bug

For creating a document which is related to the security contexts, we have to present the software bill of materials. Without this type of documents, the newbies, who wants to grasp security aspects, didn't get understand about it.

ref: https://edu.chainguard.dev/open-source/sbom/what-makes-a-good-sbom/

Link to the problematic documentation

None. There is no articles for it.

Expected explanation

This SBOM receipt can be generated by docker sbom easily for now.

ref: https://docs.docker.com/engine/sbom/

The description of software bill of material is: https://www.ntia.gov/files/ntia/publications/howto_guide_for_sbom_generation_v1.pdf

Additional context

Currently, the SBOM files can be created by:

#!/bin/bash
set -eu

FLUENTD_IMAGE="fluent/fluentd:v1.16.3-debian-amd64-1.0"

docker sbom "$FLUENTD_IMAGE" --output /tmp/"$FLUENTD_IMAGE.spdx.json" --format spdx-json
docker sbom "$FLUENTD_IMAGE" --output /tmp/"$FLUENTD_IMAGE.cyclonedx.json" --format cyclonedx-json

cosmo0920 avatar Dec 04 '23 02:12 cosmo0920

@Nihal-Rahman If you need to add more discussion and requirements, could you add your requirements here, please?

cosmo0920 avatar Dec 04 '23 02:12 cosmo0920

Hi Hiroshi besides the SBOM and any further feedback from other mainters, I don't believe we have any further documents required. The OpenSFF mentioned in our discussion on github is a security standard met by Fluentd correct?

Nihal-Rahman avatar Dec 04 '23 04:12 Nihal-Rahman

Yes. Fluentd fulfilled security standard which should be mentioned from OpenSSF.

cosmo0920 avatar Dec 04 '23 04:12 cosmo0920