Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement RFC0038 Amendment: Reproducible CycloneDX SBOMs #367

Closed
fg-j opened this issue Aug 2, 2022 · 0 comments · Fixed by #369
Closed

Implement RFC0038 Amendment: Reproducible CycloneDX SBOMs #367

fg-j opened this issue Aug 2, 2022 · 0 comments · Fixed by #369
Assignees
@ForestEckhardt

Comments

@fg-j
Copy link

fg-j commented Aug 2, 2022

Describe the Enhancement

Now that paketo-buildpacks/rfcs#220 has been approved and merged, we should make changes to the CycloneDX SBOM implementation so that CycloneDX JSON v1.3 and v1.4 SBOMs generated by Paketo buildpacks are reproducible. This means omitting the metadata.timestamp and serialNumber fields from the SBOM output.

Both CycloneDX 1.3 and 1.4 SBOMs should be reproducible.

Possible Solution

  • Modify the sbom.FormattedReader.Read() function to edit the CycloneDX JSON after it's generated and/or
  • Modify the cyclonedx13 sbom.Format.Encode() implementation so that it doesn't include the non-reproducible fields in the generated SBOM struct.

Motivation

If SBOMs are not reproducible, they make buildpack-built images non-reproducible. Buildpack users and buildpack authors using packit shouldn't compromise build reproducibility just to get image SBOMs.
@fg-j fg-j moved this to ❓Not scoped in Paketo Workstreams Aug 2, 2022
@fg-j fg-j moved this from ❓Not scoped to 📝 Todo in Paketo Workstreams Aug 2, 2022
@ryanmoran ryanmoran moved this to 📋 Planned in Paketo Roadmap 2022 Aug 2, 2022
@ForestEckhardt ForestEckhardt moved this from 📝 Todo to 🚧 In Progress in Paketo Workstreams Aug 2, 2022
@ForestEckhardt ForestEckhardt self-assigned this Aug 2, 2022
@ForestEckhardt ForestEckhardt mentioned this issue Aug 2, 2022
Merged
5 tasks
@ForestEckhardt ForestEckhardt moved this from 🚧 In Progress to 📨 PR Opened in Paketo Workstreams Aug 2, 2022
@ForestEckhardt ForestEckhardt moved this from 📋 Planned to 🚧 In Progress in Paketo Roadmap 2022 Aug 2, 2022
@fg-j fg-j mentioned this issue Aug 2, 2022
Closed
8 tasks
Repository owner moved this from 📨 PR Opened to ✅ Done in Paketo Workstreams Aug 3, 2022
Repository owner moved this from 🚧 In Progress to ✅ Done in Paketo Roadmap 2022 Aug 3, 2022
This was referenced Aug 3, 2022
Closed
Closed
This was referenced Aug 3, 2022
Closed
Closed
@joshuatcasey joshuatcasey mentioned this issue Aug 8, 2022
Open
This was referenced Aug 8, 2022
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ForestEckhardt ForestEckhardt

Labels
None yet
Projects
Paketo Workstreams
Archived in project
Paketo Roadmap 2022
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Makes CycloneDX SBOM Reproducible paketo-buildpacks/packit
2 participants
@ForestEckhardt @fg-j