[Rpm-maint] [rpm-software-management/rpm] RFE: store SBOM data in rpm headers? (Issue #2389)
Michael Schroeder
notifications@github.com
Thu Feb 9 14:16:29 UTC 2023
I hope I get this right, because I'm no expert on that topic either.
SBOM is "Software bill of materials". Basically it is a document that describes what exactly is on a product/appliance/container/... There are two standard formats, SPDX and CycloneDX, coming from different directions.
SPDX comes from the license side. It is used so that customers can check the licenses of all the software used in some product. E.g. the automotive folks want to make sure that there is no GPLv3 license included.
CycloneDX comes from the vulnerability side. It is used for checking if a product contains software that has a known vulnerability.
Nowadays, you can use both formats for both purposes (and also convert between the two).
Coming back to rpm: The "License" tag is good enough for the license use case. What's missing is information about the included software. This is important because of the modern trend to do static linking (i.e. golang) or bundling modules.
As an example, the "cosign" tool is written in golang. `go version -m /usr/bin/cosign` contains a list of all "bundled" go modules:
```
...
dep github.com/tjfoc/gmsm v1.3.2
dep github.com/transparency-dev/merkle v0.0.1
dep github.com/vbatts/tar-split v0.11.2
...
```
An SBOM generator would then convert this information into identifiers for those modules. Usually purl URLs are used: https://github.com/package-url/purl-spec. The purl URLs look like this: `pkg:golang/github.com/Azure/go-autorest/autorest/adal@v0.9.18`
Another example is identifiers for language modules, e.g. python modules. Those can be calculated from the python egg data.
The question was if it would make sense to have a place in the rpm header for those identifiers.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2389#issuecomment-1424259019
Message ID: <rpm-software-management/rpm/issues/2389/1424259019@github.com>
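To make the conversion described in the comment above concrete, here is an added example (not code from the rpm issue, the rpm project, or any SBOM generator) that parses a `go version -m` listing and emits a `pkg:golang/...@<version>` purl for each bundled module. The sample listing, the module `github.com/example/oldlib` and its replacement, and all `h1:` hashes are constructed; the real modules named in it are copied from the excerpt above with the versions given there. It assumes the module path is used verbatim as the purl namespace/name, as in the purl quoted in the comment, and it applies Go `=>` replace lines so that the module actually linked into the binary is the one identified.

```python
"""Derive purl identifiers for the Go modules bundled in a binary.

Added example, not part of the rpm issue or the rpm project. It parses the
`go version -m <binary>` listing quoted in the comment above and turns each
bundled module into a `pkg:golang/...@<version>` purl, which is the identifier
form an SBOM generator would record for the binary.
"""
from urllib.parse import quote

# Constructed sample output, modelled on the `go version -m /usr/bin/cosign`
# excerpt in the comment. The oldlib module, its replacement, the cosign
# version and every h1: hash are illustrative only.
SAMPLE_GO_VERSION_M = """\
/usr/bin/cosign: go1.19.5
\tpath\tgithub.com/sigstore/cosign/cmd/cosign
\tmod\tgithub.com/sigstore/cosign\tv1.13.1\th1:CONSTRUCTEDHASH=
\tdep\tgithub.com/Azure/go-autorest/autorest/adal\tv0.9.18\th1:CONSTRUCTEDHASH=
\tdep\tgithub.com/tjfoc/gmsm\tv1.3.2\th1:CONSTRUCTEDHASH=
\tdep\tgithub.com/transparency-dev/merkle\tv0.0.1\th1:CONSTRUCTEDHASH=
\tdep\tgithub.com/vbatts/tar-split\tv0.11.2\th1:CONSTRUCTEDHASH=
\tdep\tgithub.com/example/oldlib\tv2.0.0+incompatible\th1:CONSTRUCTEDHASH=
\t=>\tgithub.com/example/oldlib-fork\tv2.0.1\th1:CONSTRUCTEDHASH=
\tbuild\t-compiler=gc
"""


def parse_go_modules(listing):
    """Return (main_module, deps) from `go version -m` output.

    main_module is (path, version) or None; deps is a list of (path, version).
    A `=>` line records a `replace` directive: the module actually linked into
    the binary is the replacement, so it supersedes the preceding `dep` entry.
    A replacement pointing at a local directory carries no version, which is
    kept as None rather than silently dropping the module from the list.
    """
    main_module = None
    deps = []
    for raw in listing.splitlines():
        fields = raw.split()  # tab-separated; module paths contain no spaces
        if len(fields) < 2:
            continue  # the "<binary>: goX.Y" header line
        kind, path = fields[0], fields[1]
        version = fields[2] if len(fields) > 2 else None
        if kind == "mod":
            main_module = (path, version)
        elif kind == "dep":
            deps.append((path, version))
        elif kind == "=>" and deps:
            deps[-1] = (path, version)
        # `path` and `build` lines carry no module identity and are ignored
    return main_module, deps


def golang_purl(path, version=None):
    """Build a pkg:golang purl (https://github.com/package-url/purl-spec).

    Assumption: the module path is used verbatim as namespace/name, as in the
    purl quoted in the comment. The version is percent-encoded so that
    characters such as the `+` in `+incompatible` versions are not mistaken
    for purl syntax.
    """
    purl = "pkg:golang/" + path
    if version:
        purl += "@" + quote(version, safe="")
    return purl


def bundled_purls(listing):
    """purls for every module statically linked into the binary."""
    _main, deps = parse_go_modules(listing)
    return [golang_purl(path, version) for path, version in deps]


if __name__ == "__main__":
    main_module, _ = parse_go_modules(SAMPLE_GO_VERSION_M)
    print("main:", golang_purl(*main_module))
    for purl in bundled_purls(SAMPLE_GO_VERSION_M):
        print("dep: ", purl)
```

Run against a real binary with `go version -m /usr/bin/cosign | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`; the resulting list is exactly the set of identifiers a vulnerability scanner needs and that the `License` tag alone cannot express, which is the gap the comment describes.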