
feat(CLOUDDST-24366) Update description of show-sbom #1463

Merged
merged 1 commit into from
Oct 21, 2024

Conversation

emilyzheng
Contributor

@emilyzheng emilyzheng commented Sep 25, 2024

SPDX format will be supported by build-definitions later. Update description of show-sbom tasks so that they are not limited to CycloneDX.

@emilyzheng
Contributor Author

@rcerven @taylormadore could you please review this?

@rcerven
Contributor

rcerven commented Oct 10, 2024

@arewm should there be a mention of spdx, if we aren't even generating the sbom in spdx?

@arewm
Member

arewm commented Oct 10, 2024

The implementation isn't specific to either cyclonedx or spdx. If we want to change this, I think we should actually remove the wording instead of adding more.

Can SPDX even be attached or does it have to be an attestation? If the latter, then the current task definition won't be able to show the SPDX sbom.

@midnightercz

> The implementation isn't specific to either cyclonedx or spdx. If we want to change this, I think we should actually remove the wording instead of adding more.
>
> Can SPDX even be attached or does it have to be an attestation? If the latter, then the current task definition won't be able to show the SPDX sbom.

I thought we already produce sboms in attestations

@emilyzheng
Contributor Author

@midnightercz So will the spdx sbom be attached like what's done for the cyclonedx sbom in upload-sbom? Or will the buildah tasks generate it as an attestation? I think spdx is supported by cosign attach sbom:

$ cosign attach sbom --help
...
    --type='spdx':
	type of sbom (spdx|cyclonedx|syft)

@midnightercz

So I checked and most of the tekton tasks use sbom attach --sbom-type=, where is cyclonedx or spdx based on task parameter
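As an added illustration of why a show-sbom step need not be tied to one type (this is not code from this PR or from build-definitions, and every sample document below is constructed): a Python helper that identifies an attached SBOM's format from its content rather than from the --type flag it was attached with, and lists packages the same way for CycloneDX JSON, SPDX JSON and SPDX tag-value.

```python
import json
import re

# Constructed sample SBOMs, one per format discussed in the thread.
CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"name": "openssl", "version": "3.0.7"}],
})
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"name": "openssl", "versionInfo": "3.0.7"}],
})
SPDX_TAG_VALUE = "SPDXVersion: SPDX-2.2\nPackageName: openssl\nPackageVersion: 3.0.7\n"


def detect_sbom_format(text):
    """Return (format, version) by inspecting the document itself."""
    try:
        doc = json.loads(text)
    except ValueError:  # not JSON: maybe SPDX tag-value
        m = re.search(r"^SPDXVersion:\s*(\S+)", text, re.MULTILINE)
        if m:
            return "spdx", m.group(1)
        raise ValueError("unrecognized SBOM format")
    if isinstance(doc, dict) and doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx", str(doc.get("specVersion", "unknown"))
    if isinstance(doc, dict) and "spdxVersion" in doc:
        return "spdx", doc["spdxVersion"]
    raise ValueError("unrecognized SBOM format")


def list_packages(text):
    """Normalize (name, version) pairs from any supported format."""
    fmt, _ = detect_sbom_format(text)
    if fmt == "cyclonedx":
        doc = json.loads(text)
        return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]
    try:
        doc = json.loads(text)
        return [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    except ValueError:
        pkgs = []  # tag-value: PackageName opens an entry, PackageVersion fills it
        for line in text.splitlines():
            if line.startswith("PackageName:"):
                pkgs.append([line.split(":", 1)[1].strip(), ""])
            elif line.startswith("PackageVersion:") and pkgs:
                pkgs[-1][1] = line.split(":", 1)[1].strip()
        return [tuple(p) for p in pkgs]
```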

SPDX format will be supported by build-definitions later. Update
description of show-sbom tasks so that they are not limited to CycloneDX.

Signed-off-by: Emily Zheng <[email protected]>
@emilyzheng
Contributor Author

@arewm @rcerven I've changed it to not mention any sbom type. Could you review again?

Member

@arewm arewm left a comment


Regarding my prior question

> Can SPDX even be attached or does it have to be an attestation? If the latter, then the current task definition won't be able to show the SPDX sbom.

SPDX can be attached. The process using cosign attach isn't specific to a particular SBOM type.

@arewm
Member

arewm commented Oct 21, 2024

Merging without CI as this is just a change to the descriptions.

@arewm arewm merged commit 3234271 into konflux-ci:main Oct 21, 2024
1 check was pending