Include build VCS + env information in SBOMs #674

Open
imjasonh opened this issue Mar 28, 2022 · 3 comments
Labels
lifecycle/frozen sbom Related to generation of SBOMs

Comments

@imjasonh
Member

Binaries built using Go 1.18+ have extra info embedded, e.g., for ko itself:

	build	-compiler=gc
	build	CGO_ENABLED=0
	build	CGO_CFLAGS=
	build	CGO_CPPFLAGS=
	build	CGO_CXXFLAGS=
	build	CGO_LDFLAGS=
	build	GOARCH=amd64
	build	GOOS=darwin
	build	GOAMD64=v1
	build	vcs=git
	build	vcs.revision=895cff9823bdde4341ebd3b1893307a42d12e1f4
	build	vcs.time=2022-03-28T13:55:53Z
	build	vcs.modified=true

We should collect this and put it into SPDX and CycloneDX SBOMs.
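
An added sketch of what the comment above proposes, not part of the original issue and not ko's own code: it parses the `build` lines shown above and renders them as a CycloneDX-style `properties` array. The function names and the `example:gobuild:` property namespace are hypothetical; the sample is a subset of the lines quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Property mirrors one entry of a CycloneDX "properties" array.
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// sample holds some of the build lines quoted in the issue, tab-separated as `go version -m` prints them.
const sample = "\tbuild\t-compiler=gc\n\tbuild\tCGO_ENABLED=0\n\tbuild\tCGO_CFLAGS=\n\tbuild\tvcs=git\n" +
	"\tbuild\tvcs.revision=895cff9823bdde4341ebd3b1893307a42d12e1f4\n" +
	"\tbuild\tvcs.time=2022-03-28T13:55:53Z\n\tbuild\tvcs.modified=true\n"

// ParseBuildSettings returns the key=value pairs of "build" lines; path, mod and dep lines are skipped.
// Values are split on the first "=" only, and empty values (CGO_CFLAGS=) are kept as build evidence.
func ParseBuildSettings(text string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		kind, rest, _ := strings.Cut(strings.TrimSpace(line), "\t")
		if k, v, ok := strings.Cut(rest, "="); ok && kind == "build" {
			out[k] = v
		}
	}
	return out
}

// ToProperties renders settings as name-sorted properties under the hypothetical "example:gobuild:" namespace.
func ToProperties(s map[string]string) []Property {
	props := make([]Property, 0, len(s))
	for k, v := range s {
		props = append(props, Property{Name: "example:gobuild:" + k, Value: v})
	}
	sort.Slice(props, func(i, j int) bool { return props[i].Name < props[j].Name })
	return props
}

// BuiltFromDirtyTree reports uncommitted changes at build time: vcs.revision alone then does not identify the source.
func BuiltFromDirtyTree(s map[string]string) bool { return s["vcs.modified"] == "true" }

func main() {
	s := ParseBuildSettings(sample)
	doc, _ := json.MarshalIndent(map[string][]Property{"properties": ToProperties(s)}, "", "  ")
	fmt.Printf("%s\ndirty tree: %v\n", doc, BuiltFromDirtyTree(s))
}
```

An SBOM consumer can treat `vcs.modified=true` as a signal that the recorded revision does not fully describe the source that was built.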

@imjasonh
Member Author

Throwback to #221

@imjasonh
Member Author

And #366 -- gosh, I've wanted this for a while. 🙃

@imjasonh imjasonh added the sbom Related to generation of SBOMs label Mar 28, 2022
@github-actions

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.
