Generate CycloneDX SBOMs #573

Closed · wants to merge 2 commits

Conversation

@imjasonh (Member) commented Jan 27, 2022

The heavy lifting is done by cyclonedx libraries recently exported by @nscuro 👏 👏👏

However... I'd love to find a way to get this same functionality without bringing in ~1M new files, which increases the total binary size by 50% (22 MB -> 33 MB).

I'll take a dive through cyclone's dependency graph and see if we can find anything to trim.


But, it works:

$ cosign download sbom $(go run ./ build ./ --sbom=cyclonedx)
2022/01/27 17:00:00 Using base golang:1.17 for github.com/google/ko
2022/01/27 17:00:01 Building github.com/google/ko for linux/amd64
2022/01/27 17:00:08 Publishing gcr.io/imjasonh/ko-98b8c7facdad74510a7cae0cd368eb4e:latest
...
2022/01/27 17:00:10 Published SBOM gcr.io/imjasonh/ko-98b8c7facdad74510a7cae0cd368eb4e:sha256-cf4e68ec7e4801d88dc1ba0092a9d20966e354c9eae337ef1f5f961dabb87a83.sbom
...
Found SBOM of media type: application/vnd.cyclonedx
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "version": 1,
  "metadata": {
...

Example output: https://gist.github.com/imjasonh/31002f904a28166c9c8c9b6cedd07d96


TODO:

  • add this to ko deps

@codecov-commenter commented Jan 27, 2022

Codecov Report

Merging #573 (61c0c8d) into main (5f733f9) will decrease coverage by 0.21%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main     #573      +/-   ##
==========================================
- Coverage   48.53%   48.31%   -0.22%     
==========================================
  Files          43       43              
  Lines        2215     2225      +10     
==========================================
  Hits         1075     1075              
- Misses        954      964      +10     
  Partials      186      186              
Impacted Files               Coverage   Δ
pkg/build/gobuild.go         56.68%     <0.00%> (-0.58%) ⬇️
pkg/build/options.go         69.38%     <0.00%> (-4.53%) ⬇️
pkg/commands/resolver.go     30.41%     <0.00%> (-0.29%) ⬇️

@imjasonh imjasonh marked this pull request as draft January 27, 2022 22:02
@nscuro commented Feb 5, 2022

> However... I'd love to find a way to get this same functionality without bringing in ~1M new files, which increases the total binary size by 50% (22 MB -> 33 MB).

CycloneDX/cyclonedx-gomod#118 is now in main and should allow you to comfortably shave off ~4mb here. I'm expecting the removal of go-git to have big impact as well.

@imjasonh (Member, Author) commented

We've decided to generate our own basic cyclonedx SBOMs in #587

@imjasonh imjasonh closed this Feb 11, 2022
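Added example, not code from this PR, from #587, or from ko itself: a minimal Go generator for the kind of basic CycloneDX JSON document shown in the `cosign download sbom` output in the PR description, built from the module list a Go binary embeds (runtime/debug.BuildInfo) rather than from the cyclonedx-go libraries whose size the thread discusses, plus a small parser that checks a downloaded document really identifies itself as CycloneDX before anything trusts its component list. The struct layout, the GoPURL/FromBuildInfo/ParseBOM names and the sample module list (including the fictitious replacement module) are assumptions made here; the header values mirror the bomFormat/specVersion/version fields visible in the gist output above, and the purl form pkg:golang/<module>@<version> follows the package-url convention for Go modules. Only those top-level fields plus metadata.component and components are emitted, so this is deliberately not a full CycloneDX implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"runtime/debug"
)

// Minimal CycloneDX 1.3 JSON document, limited to the fields a basic
// Go-module SBOM needs. Field names match the spec's JSON property names.
type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Version     int         `json:"version"`
	Metadata    Metadata    `json:"metadata"`
	Components  []Component `json:"components,omitempty"`
}

type Metadata struct {
	Component Component `json:"component"`
}

type Component struct {
	Type    string `json:"type"` // "application" for the main module, "library" for deps
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	PURL    string `json:"purl,omitempty"`
}

// GoPURL renders a package-url for a Go module: pkg:golang/<module path>@<version>.
// "(devel)" is what an uncommitted `go build` reports for the main module; it is
// not a real version, so it is dropped instead of being written into the purl.
func GoPURL(path, version string) string {
	if version == "" || version == "(devel)" {
		return "pkg:golang/" + path
	}
	return "pkg:golang/" + path + "@" + version
}

// FromBuildInfo turns the module list embedded in a Go binary into a BOM.
// A replaced dependency is reported as its replacement, because that is what
// was actually compiled in (the same choice `go version -m` makes).
func FromBuildInfo(bi *debug.BuildInfo) *BOM {
	mainVer := bi.Main.Version
	if mainVer == "(devel)" {
		mainVer = ""
	}
	bom := &BOM{
		BOMFormat:   "CycloneDX",
		SpecVersion: "1.3",
		Version:     1,
		Metadata: Metadata{Component: Component{
			Type: "application", Name: bi.Main.Path, Version: mainVer,
			PURL: GoPURL(bi.Main.Path, bi.Main.Version),
		}},
	}
	for _, m := range bi.Deps {
		if m.Replace != nil {
			m = m.Replace
		}
		bom.Components = append(bom.Components, Component{
			Type: "library", Name: m.Path, Version: m.Version, PURL: GoPURL(m.Path, m.Version),
		})
	}
	return bom
}

// ParseBOM decodes a CycloneDX JSON document (for example one fetched with
// `cosign download sbom`) and rejects anything that does not identify itself
// as CycloneDX, so an SPDX or arbitrary JSON blob is not silently accepted.
func ParseBOM(data []byte) (*BOM, error) {
	var bom BOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("not a CycloneDX document: bomFormat=%q", bom.BOMFormat)
	}
	if bom.SpecVersion == "" {
		return nil, fmt.Errorf("CycloneDX document is missing specVersion")
	}
	return &bom, nil
}

// sampleBuildInfo is constructed data standing in for debug.ReadBuildInfo();
// the module paths and versions are illustrative, not real ko dependency pins.
func sampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		Main: debug.Module{Path: "github.com/google/ko", Version: "(devel)"},
		Deps: []*debug.Module{
			{Path: "github.com/google/go-containerregistry", Version: "v0.8.0"},
			{Path: "github.com/sigstore/cosign", Version: "v1.5.0"},
			{Path: "golang.org/x/text", Version: "v0.3.6",
				Replace: &debug.Module{Path: "github.com/example/text-fork", Version: "v0.3.7"}},
		},
	}
}

func main() {
	bi, ok := debug.ReadBuildInfo() // real module list when built in module mode
	if !ok {
		bi = sampleBuildInfo()
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	if err := enc.Encode(FromBuildInfo(bi)); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run with `go run .` inside any module and it prints a BOM for the binary itself; the dependency list comes from the same build info `go version -m` reads, so it only covers modules linked into that binary, not the build tooling. The parser is the half a consumer needs: before acting on the components of an SBOM pulled from a registry, confirm bomFormat and specVersion rather than assuming the attached artifact is the format you expected.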