Improve SBOM storage/format #3068
Comments
Currently Zarf has prioritized an agnostic format for SBOMs to capture the maximum amount of data that Syft (the tool Zarf uses under the hood) can give Zarf. The Syft JSON files can be downconverted to other formats and conversion is covered in the latter half of this docs section: https://docs.zarf.dev/ref/sboms/#extracting-a-packages-sbom
For the tooling/version used are you looking to see Zarf or Syft? As of v0.41.0, the Syft json has
Thanks guys, the Syft JSON makes sense. I'm sold.
I think I'd expect to see Syft, but maybe this is not so important afterall. I'm still looking into it but maybe all that matters is the schema version. I need to see if different
I see these fields, but Zarf is failing to populate
Another thing I discovered today is that Zarf is not preserving the original manifest digests in the generated SBOM. Here is the diff between the
Describe what should be investigated or refactored
Currently the sboms.tar layer contains both JSON documents and generated HTML for an "SBOM viewer" page for each of the images in the Zarf package. The current approach has several downsides:
For comparison, compressed tarballs that contain only the JSON documents are <10x the size:
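The two things this thread keeps coming back to are the size cost of shipping the HTML viewer pages next to the JSON documents, and whether the Syft JSON inside the layer carries the tool/schema version and the original image manifest digest. The script below is an added example, not Zarf's or Syft's code: it builds a constructed stand-in for the sboms.tar layer in memory, splits the JSON documents from the HTML pages, compares the gzip size of the JSON-only subset against the full set, and audits each Syft-style document for descriptor, schema version and source manifest digest. The Syft field names used (descriptor, schema, source.metadata.manifestDigest, artifacts) are assumed from Syft's JSON output; the document contents, digests and version strings are constructed placeholders.

```python
import gzip
import io
import json
import tarfile

# Constructed Syft-style SBOM document. Field names follow Syft's JSON
# output as assumed here; every value is a placeholder, not real data.
SYFT_DOC = {
    "artifacts": [
        {"name": "openssl", "version": "0.0.0-constructed", "type": "apk"},
        {"name": "busybox", "version": "0.0.0-constructed", "type": "apk"},
    ],
    "source": {
        "type": "image",
        "name": "registry.invalid/example/app",
        "metadata": {
            "manifestDigest": "sha256:" + "ab" * 32,                       # constructed
            "repoDigests": ["registry.invalid/example/app@sha256:" + "ab" * 32],
        },
    },
    "descriptor": {"name": "syft", "version": "0.0.0-constructed"},
    "schema": {"version": "16.0.0-constructed"},
}

# Constructed stand-in for the generated "SBOM viewer" page: a few hundred
# table rows with varying content so it does not compress to nothing.
VIEWER_HTML = "<html><table>" + "".join(
    f"<tr><td>pkg-{i}</td><td>{(i * 7919) % 1000}</td></tr>" for i in range(300)
) + "</table></html>"

# File name -> bytes, mirroring one image's entries in the sboms.tar layer.
ENTRIES = {
    "app.json": json.dumps(SYFT_DOC).encode(),
    "app.html": VIEWER_HTML.encode(),
}


def build_sboms_tar(entries: dict) -> bytes:
    """Write `entries` (name -> bytes) into an uncompressed tar in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


LAYER = build_sboms_tar(ENTRIES)


def split_layer(tar_bytes: bytes):
    """Separate JSON SBOM documents from HTML viewer pages by file suffix."""
    json_docs, html_pages = {}, {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if member.name.endswith(".json"):
                json_docs[member.name] = data
            elif member.name.endswith(".html"):
                html_pages[member.name] = data
    return json_docs, html_pages


def gzip_size(entries: dict) -> int:
    """Size in bytes of a gzip-compressed tar built from `entries`."""
    return len(gzip.compress(build_sboms_tar(entries), compresslevel=6))


def audit_syft_doc(data: bytes) -> dict:
    """Report producing tool, schema version and whether a manifest digest survived."""
    doc = json.loads(data)
    descriptor = doc.get("descriptor", {})
    source_meta = doc.get("source", {}).get("metadata", {})
    digest = source_meta.get("manifestDigest")
    return {
        "tool": f'{descriptor.get("name")} {descriptor.get("version")}',
        "schema_version": doc.get("schema", {}).get("version"),
        "manifest_digest": digest,
        "digest_preserved": bool(digest and digest.startswith("sha256:")),
        "package_count": len(doc.get("artifacts", [])),
    }


if __name__ == "__main__":
    json_docs, html_pages = split_layer(LAYER)
    print("gzip size, JSON only:", gzip_size(json_docs))
    print("gzip size, JSON + HTML:", gzip_size({**json_docs, **html_pages}))
    for name, data in json_docs.items():
        print(name, audit_syft_doc(data))
```

Running the script against a real layer only needs `LAYER` replaced with the bytes of the extracted sboms.tar; the audit deliberately treats a missing or non-sha256 manifestDigest as "not preserved" rather than raising, so it can be run over every document in a package and the results compared.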
Proposed solution