SBOM and Manifest Interoperability Tooling
Discussion That Might Result in a New Project Idea
Problem Statement (i.e. the problem you want to solve):
The industry is moving to release Software Bills of Materials (SBOMs) for software supply chain management. There is discussion around this for BB, and a similar discussion may already be happening for IB.
This issue is to capture the need for P1 guidance and to determine whether tooling is needed to support it.
Description:
Looking for general guidance from BBTOC on:
- What SBOM standard we should standardize on
  - SPDX or CycloneDX?
- Where SBOMs should be stored
  - GitLab generic repository?
  - OCI artifact?
- How SBOMs are going to be discovered
  - links in GitLab releases?
  - labels on container images?
Based on the discussion above, what tooling is required? I'm working on some tooling to transfer dependencies to an airgap network. Similar functionality is probably planned for zarf.
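As an added illustration of the kind of interoperability tooling the questions above imply (this is example code written for this discussion, not code from the issue, Big Bang, P1 or zarf), the following Python sketch ingests one SPDX 2.3 JSON document and one CycloneDX 1.4 JSON document, normalises both into a single component map keyed by package name, and reports what differs between them. Both SBOM documents, the package names and the purls are constructed for the example; the only field names relied on are the standard top-level markers of each format (`spdxVersion`, `packages`, `externalRefs` for SPDX; `bomFormat`, `metadata.component`, `components` for CycloneDX).

```python
import json
from typing import Dict, Optional

# Constructed SPDX 2.3 JSON document for illustration (not a real SBOM).
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "documentNamespace": "https://example.invalid/spdx/example-app-1.0.0",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: constructed-example"]},
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-example-app",
         "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION",
         "filesAnalyzed": False},
        {"name": "requests", "SPDXID": "SPDXRef-Package-requests",
         "versionInfo": "2.31.0", "downloadLocation": "NOASSERTION",
         "filesAnalyzed": False,
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "urllib3", "SPDXID": "SPDXRef-Package-urllib3",
         "versionInfo": "2.0.7", "downloadLocation": "NOASSERTION",
         "filesAnalyzed": False,
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/urllib3@2.0.7"}]},
    ],
})

# Constructed CycloneDX 1.4 JSON document for the same application, as a
# second (hypothetical) generator might emit it, so the two lists disagree.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app",
                               "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.18",
         "purl": "pkg:pypi/urllib3@1.26.18"},
        {"type": "library", "name": "certifi", "version": "2023.11.17",
         "purl": "pkg:pypi/certifi@2023.11.17"},
    ],
})


def detect_format(doc: dict) -> str:
    """Identify the SBOM format from its top-level JSON markers."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("not a recognised SPDX or CycloneDX JSON document")


def _spdx_purl(pkg: dict) -> Optional[str]:
    """SPDX carries the purl as an externalRef whose referenceType is 'purl'."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def normalize(sbom_json: str) -> Dict[str, dict]:
    """Map either format to {component name: {"version", "purl", "format"}}."""
    doc = json.loads(sbom_json)
    fmt = detect_format(doc)
    components: Dict[str, dict] = {}
    if fmt == "spdx":
        # SPDX lists the described application alongside its dependencies.
        for pkg in doc.get("packages", []):
            components[pkg["name"]] = {"version": pkg.get("versionInfo"),
                                       "purl": _spdx_purl(pkg), "format": fmt}
    else:
        # CycloneDX keeps the application itself in metadata.component;
        # include it so the two views cover the same set of things.
        root = doc.get("metadata", {}).get("component")
        entries = ([root] if root else []) + doc.get("components", [])
        for comp in entries:
            components[comp["name"]] = {"version": comp.get("version"),
                                        "purl": comp.get("purl"), "format": fmt}
    return components


def diff_sboms(a: Dict[str, dict], b: Dict[str, dict]) -> dict:
    """Report components missing from one side and version disagreements."""
    names_a, names_b = set(a), set(b)
    return {
        "only_in_a": sorted(names_a - names_b),
        "only_in_b": sorted(names_b - names_a),
        "version_mismatch": sorted(
            n for n in names_a & names_b if a[n]["version"] != b[n]["version"]),
    }


def compare(sbom_a_json: str, sbom_b_json: str) -> dict:
    """Normalise both documents, then diff them."""
    return diff_sboms(normalize(sbom_a_json), normalize(sbom_b_json))


if __name__ == "__main__":
    print(json.dumps(compare(SPDX_SAMPLE, CYCLONEDX_SAMPLE), indent=2))
```

Keying on the bare package name is deliberately simple; a production version would key on the purl (type, namespace, name) so that two ecosystems sharing a name are not conflated, and would treat a missing purl on either side as a finding of its own, since it is the purl that lets an SBOM be matched against vulnerability data and against what was actually shipped into an air-gapped environment.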
References:
- https://repo1.dso.mil/groups/platform-one/big-bang/-/epics/121
- #15 (closed)
- https://github.com/defenseunicorns/zarf/issues/22
Initial Members:
- Ian Dunbar-Hall @idunbarh
Edited by Ian Dunbar-Hall