Skip to content

SBOM: add a OperatingSystem package to each apk SBOM #2016

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Jun 26, 2025
Merged

SBOM: add a OperatingSystem package to each apk SBOM #2016

merged 8 commits into from
Jun 26, 2025

Conversation

sil2100
Copy link
Member

@sil2100 sil2100 commented May 30, 2025
edited
Loading

Some CVE scanners, like trivy, might print warnings if OperatingSystem is not defined. Let's define it. But for this, we need access to the os-release file that's on the builder.
No real tests added as I couldn't think of a nice way of testing the runner code.

@sil2100 sil2100 changed the title SBOM: add an OperatingSystem package to each apk SBOM SBOM: add a OperatingSystem package to each apk SBOM May 30, 2025
@sil2100
Add support for the docker runner.
339c09a 
Signed-off-by: Łukasz 'sil2100' Zemczak <[email protected]>
@sil2100 sil2100 marked this pull request as ready for review June 18, 2025 18:37
@sil2100
Make lint happy.
74c4a48 
Signed-off-by: Łukasz 'sil2100' Zemczak <[email protected]>
sergiodj
sergiodj requested changes Jun 18, 2025
View reviewed changes
@sil2100
Copy link
Member Author

sil2100 commented Jun 23, 2025

Created this PR to export the ParseReleaseData chainguard-dev/apko#1721 . Once it's merged, I'll modify the code here and re-submit for review :)

@sil2100
Copy link
Member Author

sil2100 commented Jun 23, 2025

Approved! Let me refactor the code and make everything shiny again.

@sil2100 sil2100 requested a review from sergiodj June 24, 2025 08:59
sergiodj
sergiodj requested changes Jun 24, 2025
View reviewed changes
Copy link
Contributor

@sergiodj sergiodj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is much better now, thanks @sil2100!

Some tests are failing which is blocking the merge, but I think it's just a matter of adjusting expected outputs.

@sil2100
Copy link
Member Author

sil2100 commented Jun 25, 2025

One of the failures demonstrated an actual situation that needed handling. Now it should look better!

@sil2100 sil2100 requested a review from sergiodj June 25, 2025 13:04
@sergiodj
Copy link
Contributor

One of the failures demonstrated an actual situation that needed handling. Now it should look better!

Hm, some tests are still failing :-(.

@sil2100
Copy link
Member Author

sil2100 commented Jun 25, 2025

One of the failures demonstrated an actual situation that needed handling. Now it should look better!

Hm, some tests are still failing :-(.

I think those are unrelated. If you take a look at the failures, they fail due to No rule to make target 'package/logstash-8'. Stop. and similar. It probably needs a different fix, possibly separate PR?

sergiodj
sergiodj approved these changes Jun 26, 2025
View reviewed changes
Copy link
Contributor

@sergiodj sergiodj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @sil2100 !

@sil2100 sil2100 merged commit d15dbc3 into chainguard-dev:main Jun 26, 2025
76 of 81 checks passed
@sil2100 sil2100 deleted the sbom-os branch June 26, 2025 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sergiodj sergiodj sergiodj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sil2100 @sergiodj