Adding SBOM file and pointer in README.md #3953
Signed-off-by: jkowall <jkowall@kowall.net>
Codecov Report
Base: 97.14% // Head: 97.14% // No change to project coverage 👍

Additional details and impacted files
@@ Coverage Diff @@
##             main    #3953   +/-   ##
=======================================
  Coverage   97.14%   97.14%
=======================================
  Files         295      295
  Lines       17389    17389
=======================================
  Hits        16893    16893
  Misses        399      399
  Partials       97       97

☔ View full report at Codecov. |
Is this a good practice to publish a one-off SBOM? I would think it needs to be produced during the build process and maybe included in the github release page. |
This is what Pixie is doing, but other projects have integrated the syft gh action into their release flow. I was going to do that, but this seemed like an easy fix. An example of a syft integration for a CNCF project is here: https://github.com/artifacthub/hub/blob/master/.github/workflows/release.yml I am not confident how to test the build process really even after reading the docs, if I can do that on a fork, so I opted for the easy path for the SBOM. |
Have you already thought to use https://github.com/CycloneDX/gh-gomod-generate-sbom ? |
@jkowall the full build of binaries is just running a shell script, it can be tested locally. Uploading the file to release is probably harder to test from a fork, but that's done by a GH action and you just need to add the glob for the file (see .github/workflows/ci-release.yml) |
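The release-time flow discussed above (generate the SBOM from the published image, then attach it to the GitHub release alongside the other assets) as an added example workflow. This is not Jaeger's own ci-release.yml and not code from the PR: the workflow name, the use of anchore/sbom-action (the syft GitHub action mentioned in the thread), the SPDX JSON output format, and the assumption that the release tag maps to the image tag by dropping a leading "v" are all assumptions made for illustration.

```yaml
# Added example, not part of the Jaeger repository. Assumes the release tag
# (e.g. v1.38.0) corresponds to the image tag jaegertracing/all-in-one:1.38.0.
name: release-sbom   # assumed workflow name

on:
  release:
    types: [published]

permissions:
  contents: write    # required to attach the SBOM file to the release

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Derive the image tag from the release tag by stripping a leading "v".
      # The mapping is an assumption; the real scheme comes from the release script.
      - name: Derive image tag from release tag
        id: tag
        run: echo "image_tag=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"

      # Scan the image that was actually published for this release, so the SBOM
      # describes the shipped artifact instead of a one-off snapshot that goes stale.
      - name: Generate SBOM with syft and attach it to the release
        uses: anchore/sbom-action@v0
        with:
          image: jaegertracing/all-in-one:${{ steps.tag.outputs.image_tag }}
          format: spdx-json
          output-file: jaeger-sbom.spdx.json
          artifact-name: jaeger-sbom.spdx.json
          upload-release-assets: true   # adds the file to the GitHub release assets
```

Because the job runs on every published release, the SBOM stays in step with the binaries and image that consumers actually download, which is the property a checked-in file cannot give. In a real pipeline the action references would be pinned to commit SHAs rather than floating tags, and `contents: write` is the only elevated scope the job needs.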
Signed-off-by: jkowall <jkowall@kowall.net>
Signed-off-by: jkowall <jkowall@kowall.net>
If you want to take a look, I tried it here : https://github.com/mmorel-35/jaeger/actions/runs/3207214623 |
@mmorel-35 Feel free to contribute you know the GH actions better than I do :) |
This PR should fix up several items around #3943 |
Removing sbom since we are going with the generated one during the build. Signed-off-by: Jonah Kowall <jkowall@kowall.net>
Signed-off-by: jkowall <jkowall@kowall.net>
Which problem is this PR solving?
Resolves the lack of SBOM for Jaeger project
Short description of the changes
Added .json and pointer. This is generated from syft via the all-in-one docker image
syft jaegertracing/all-in-one:1.38 -o json > jaeger-sbom.json
This will help us fix gaps in our security setup per: https://clomonitor.io/projects/cncf/jaeger#jaeger_security