
Removes metadata.timestamp and serialNumber fields from generated CycloneDX JSON #143

Merged (1 commit) May 6, 2022

Conversation

dmikusa
Contributor

@dmikusa dmikusa commented May 5, 2022

Summary

These two properties generate unique values every time syft runs, thus they break reproducible builds (a scan runs on each build, so two different builds of the same application source/buildpacks/builder will result in two different CycloneDX JSON files and thus two different images).

This fix is to manually read the generated CycloneDX file, parse the JSON, remove the two fields and write the JSON back out. This should be OK as the CycloneDX spec says that the fields are optional: https://cyclonedx.org/docs/1.3/json/.

Use Cases

  • Reproducible builds.

Checklist

  • I have viewed, signed, and submitted the Contributor License Agreement.
  • I have linked issue(s) that this PR should close using keywords or the GitHub UI (see docs)
  • I have added an integration test, if necessary.
  • I have reviewed the styleguide for guidance on my code quality.
  • I'm happy with the commit history on this PR (I have rebased/squashed as needed).

… CycloneDX JSON

These two properties generate unique values every time syft runs, thus they break reproducible builds (a scan runs on each build, so two different builds of the same application source/buildpacks/builder will result in two different CycloneDX JSON files and thus two different images).

This fix is to manually read the generated CycloneDX file, parse the JSON, remove the two fields and write the JSON back out. This should be OK as the CycloneDX spec says that the fields are optional: https://cyclonedx.org/docs/1.3/json/.

Signed-off-by: Daniel Mikusa <dmikusa@vmware.com>
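The fix described above (read the generated CycloneDX JSON, drop the top-level serialNumber and metadata.timestamp, write it back) as an added Go example; this is not the buildpack's own code, and the two BOM documents are constructed sample input, not real syft output:

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// stripNonReproducible removes the two CycloneDX fields that change on every
// syft run, the top-level serialNumber and metadata.timestamp, and writes the
// document back out. Both fields are optional in the spec, so a BOM without
// them is still valid. Missing fields are tolerated; malformed JSON is an error.
func stripNonReproducible(bom []byte) ([]byte, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(bom, &doc); err != nil {
		return nil, fmt.Errorf("parsing CycloneDX JSON: %w", err)
	}
	delete(doc, "serialNumber")
	// metadata may be absent or not an object; only touch it when it is one.
	if meta, ok := doc["metadata"].(map[string]interface{}); ok {
		delete(meta, "timestamp")
	}
	// json.Marshal emits map keys in sorted order, so the output is stable
	// even if the generator changes key order between runs.
	return json.MarshalIndent(doc, "", "  ")
}

// Two constructed BOMs (sample data, not real syft output) for the same
// component, differing only in the per-run fields and in key order.
const bomRunA = `{"bomFormat":"CycloneDX","specVersion":"1.3",
 "serialNumber":"urn:uuid:11111111-1111-4111-8111-111111111111",
 "metadata":{"timestamp":"2022-05-05T17:29:00Z","tools":[{"name":"syft"}]},
 "components":[{"type":"library","name":"example-lib","version":"1.0.0"}]}`

const bomRunB = `{"bomFormat":"CycloneDX","specVersion":"1.3",
 "serialNumber":"urn:uuid:22222222-2222-4222-8222-222222222222",
 "metadata":{"tools":[{"name":"syft"}],"timestamp":"2022-05-06T14:36:00Z"},
 "components":[{"type":"library","name":"example-lib","version":"1.0.0"}]}`

func main() {
	a, errA := stripNonReproducible([]byte(bomRunA))
	b, errB := stripNonReproducible([]byte(bomRunB))
	if errA != nil || errB != nil {
		panic("unexpected parse error")
	}
	// Two builds now produce byte-identical SBOMs, so the image layer is stable.
	fmt.Printf("byte-identical after stripping: %v\n", bytes.Equal(a, b))
	fmt.Println(string(a))
}
```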
@dmikusa dmikusa added labels type:bug (A general bug) and semver:patch (A change requiring a patch version bump) May 5, 2022
@dmikusa dmikusa requested a review from a team May 5, 2022 17:29
@dmikusa dmikusa merged commit a529d07 into main May 6, 2022
@dmikusa dmikusa deleted the sbom_reprod branch May 6, 2022 14:36