rpm-ostree: support generating SPDX SBOMs #1826

chmeliik · 2025-01-15T11:54:46Z

Add an SBOM_TYPE parameter, defaulting to 'cyclonedx' for now. This
parameter determines the format of the Syft-generated SBOM. This must
match the format of the SBOM coming from the prefetch task (if any),
otherwise the SBOM merging will fail.

Depends on #1798 and a subsequent Renovate update (the current revision of the sbom-utility-scripts image doesn't include the SPDX support yet)

Add an SBOM_TYPE parameter, defaulting to 'cyclonedx' for now. This parameter determines the format of the Syft-generated SBOM. This must match the format of the SBOM coming from the prefetch task (if any), otherwise the SBOM merging will fail. Signed-off-by: Adam Cmiel <acmiel@redhat.com>

The script has been renamed from merge_cachi2_sboms to merge_sboms. The container image still provides the merge_cachi2_sboms alias for backwards compatibility, but switch to the the new name for better future-proofing. The script now also allows specifying the "flavor" of each SBOM on the command line - do this explicitly instead of relying on the legacy behavior of left=cachi2, right=syft. Signed-off-by: Adam Cmiel <acmiel@redhat.com>

chmeliik added 2 commits January 15, 2025 10:53

chmeliik mentioned this pull request Jan 15, 2025

Rpm ostree spdx #1537

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rpm-ostree: support generating SPDX SBOMs #1826

rpm-ostree: support generating SPDX SBOMs #1826

chmeliik commented Jan 15, 2025

rpm-ostree: support generating SPDX SBOMs #1826

Are you sure you want to change the base?

rpm-ostree: support generating SPDX SBOMs #1826

Conversation

chmeliik commented Jan 15, 2025