[Rpm-maint] [rpm-software-management/rpm] RFE: store SBOM data in rpm headers? (Issue #2389)
Michael Schroeder
notifications at github.com
Wed Feb 8 15:45:50 UTC 2023
I'm currently looking into generating SBOMs for containers, and I wonder if someone has already pondered if we want to store SBOM data in an rpm header.
Here's where I come from: SBOM generator tools like "syft" support both querying the system's package database to know what packages are installed and getting data from files present in the system. The latter is needed because (at least in the container world) many files are generated by the build process.
So for example, if syft sees a go binary it will extract the buildinfo from it and generate an entry for each module dependency. Those are basically cpe and purl urls. SPDX will store them as "externalRef", CycloneDX has them directly in the component data.
Do we want to make it possible to have this for rpm packages as well? I.e. add one or more tags to store component identifiers? We would need to store an array of "(type,locator)" tuples.
https://github.com/rpm-software-management/rpm/issues/2389
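An added illustration (not code from the issue, rpm or syft) of the proposed "(type,locator)" tuple array: it checks locator syntax for the two identifier types the post names, purl and CPE, and maps the tuples onto an SPDX package externalRef list and the direct purl/cpe fields of a CycloneDX component. The `ComponentRef` type, the regexes and the sample Go module identifiers are constructed here; the CPE check does not handle escaped colons inside a field.

```python
# Added example: model of the proposed rpm header tag as (type, locator) tuples.
import re
from typing import NamedTuple

class ComponentRef(NamedTuple):
    kind: str      # identifier type: "purl" or "cpe23"
    locator: str   # the identifier itself

# purl: pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#\s]+(@[^?#\s]+)?(\?[^#\s]+)?(#\S+)?$")
# CPE 2.3 formatted string: "cpe:2.3:" + part + 10 more colon-separated fields
# (escaped colons inside a field are not handled by this simple check)
CPE23_RE = re.compile(r"^cpe:2\.3:[aho*-](?::[^:]+){10}$")

def is_valid(ref: ComponentRef) -> bool:
    """Reject tuples whose locator does not match the syntax of its type."""
    if ref.kind == "purl":
        return PURL_RE.match(ref.locator) is not None
    if ref.kind == "cpe23":
        return CPE23_RE.match(ref.locator) is not None
    return False

def to_spdx_external_refs(refs: list[ComponentRef]) -> list[dict]:
    """Render the tuples as SPDX 2.x externalRefs on the package entry."""
    category = {"purl": "PACKAGE-MANAGER", "cpe23": "SECURITY"}
    ref_type = {"purl": "purl", "cpe23": "cpe23Type"}
    return [{"referenceCategory": category[r.kind],
             "referenceType": ref_type[r.kind],
             "referenceLocator": r.locator} for r in refs if is_valid(r)]

def to_cyclonedx_component(name: str, version: str, refs: list[ComponentRef]) -> dict:
    """CycloneDX carries purl and cpe directly on the component, one of each."""
    comp = {"type": "library", "name": name, "version": version}
    for r in refs:
        if not is_valid(r):
            continue  # malformed locators are dropped, not emitted
        key = "purl" if r.kind == "purl" else "cpe"
        if key in comp:
            raise ValueError(f"component may carry only one {key}")
        comp[key] = r.locator
    return comp

# Constructed sample: identifiers a Go binary's buildinfo might yield for one module
SAMPLE_REFS = [
    ComponentRef("purl", "pkg:golang/golang.org/x/sys@v0.5.0"),
    ComponentRef("cpe23", "cpe:2.3:a:golang:sys:0.5.0:*:*:*:*:*:*:*"),
    ComponentRef("purl", "not-a-purl"),  # malformed, skipped by both renderers
]
```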