docs: adding ADR for selection of trivy for the keycloak pipeline #15
1. SBOM Generation Tool Selection
Date: 2024-08-09
Status
Proposed
Context
For phase 1, the Tiger Team selected Keycloak, a Java open-source project, to create an SBOM for. Since different ecosystems are supported to different degrees by different tools, we did an unofficial trade study of SBOM generation tools to decide which was best to use for this first project.
Decision
The Tiger Team is proposing that we use trivy and analyze the source of the Keycloak project.
This decision is based on the following factors:
Honorable Mentions
Syft
Syft met most of the requirements but was ultimately decided against for three reasons.
cyclonedx-maven-plugin
cyclonedx-maven-plugin definitely produced the best per-component completeness of the NTIA Minimum Elements, but was decided against for two reasons.
pom.xml files
Note: If you only need CycloneDX SBOMs for a Java project, we'd recommend teams investigate this tool.
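The per-component NTIA Minimum Elements completeness used as a criterion above is something the pipeline can check mechanically rather than by eye. The following is an added example, not part of this ADR and not code from trivy, Syft or cyclonedx-maven-plugin: a Python checker that walks a CycloneDX JSON document (the sample is constructed inline and is not a real Keycloak SBOM) and reports, for each component, which NTIA elements are missing (supplier name, component name, version, a unique identifier such as a purl/cpe/swid, and presence in the dependency graph), plus the document-level author and timestamp. Field names follow the CycloneDX 1.5 JSON schema; the `metadata.tools` fallback for the author element is an assumption for SBOMs produced by older spec versions.

```python
import json
from dataclasses import dataclass, field

# Constructed CycloneDX 1.5 JSON document for illustration (not a real Keycloak SBOM).
# lib-a is complete; lib-b lacks supplier and identifier; lib-c lacks version, supplier
# and is absent from the dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-08-09T12:00:00Z",
        "authors": [{"name": "Tiger Team (constructed)"}],
        "component": {"bom-ref": "app", "name": "example-app", "version": "0.1.0"},
    },
    "components": [
        {"bom-ref": "pkg:maven/org.example/lib-a@1.2.3", "name": "lib-a", "version": "1.2.3",
         "supplier": {"name": "Example Org"}, "purl": "pkg:maven/org.example/lib-a@1.2.3"},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "4.5.6"},
        {"bom-ref": "lib-c", "name": "lib-c", "purl": "pkg:maven/org.example/lib-c"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.example/lib-a@1.2.3", "lib-b"]},
        {"ref": "pkg:maven/org.example/lib-a@1.2.3", "dependsOn": []},
    ],
})


@dataclass
class NtiaReport:
    """Missing NTIA Minimum Elements, at document level and per component bom-ref."""
    document_gaps: list[str] = field(default_factory=list)
    component_gaps: dict[str, list[str]] = field(default_factory=dict)

    @property
    def complete(self) -> bool:
        return not self.document_gaps and not self.component_gaps


def check_ntia_minimum_elements(sbom_json: str) -> NtiaReport:
    """Check a CycloneDX JSON string against the NTIA Minimum Elements."""
    bom = json.loads(sbom_json)
    report = NtiaReport()

    # Document-level elements: timestamp and author of the SBOM data.
    meta = bom.get("metadata") or {}
    if not meta.get("timestamp"):
        report.document_gaps.append("timestamp")
    # CycloneDX 1.5 records authors in metadata.authors; treating metadata.tools as an
    # acceptable fallback for older documents is an assumption of this example.
    if not (meta.get("authors") or meta.get("tools")):
        report.document_gaps.append("author")

    # Every bom-ref that appears anywhere in the dependency graph.
    refs_in_graph: set[str] = set()
    for dep in bom.get("dependencies") or []:
        if dep.get("ref"):
            refs_in_graph.add(dep["ref"])
        refs_in_graph.update(dep.get("dependsOn") or [])

    # Per-component elements.
    for comp in bom.get("components") or []:
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        gaps: list[str] = []
        if not comp.get("name"):
            gaps.append("component name")
        if not comp.get("version"):
            gaps.append("version")
        if not (comp.get("supplier") or {}).get("name"):
            gaps.append("supplier name")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            gaps.append("unique identifier")
        if ref not in refs_in_graph:
            gaps.append("dependency relationship")
        if gaps:
            report.component_gaps[ref] = gaps
    return report


def summarize(report: NtiaReport) -> str:
    """Human-readable summary suitable for a pipeline log line."""
    lines = [f"document gaps: {report.document_gaps or 'none'}"]
    for ref, gaps in report.component_gaps.items():
        lines.append(f"{ref}: missing {', '.join(gaps)}")
    lines.append("NTIA minimum elements: " + ("complete" if report.complete else "incomplete"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(check_ntia_minimum_elements(SAMPLE_SBOM)))
```

Run against a tool's real output, the per-component gap list is what tells you which fields (typically supplier name) the enrichment stage will have to fill in later, which is the concern raised under Consequences.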
Consequences
Some information will be harder to enrich later in the SBOM Generation Pipeline.
Specifically: