@sil2100
Member

@sil2100 sil2100 commented May 28, 2025

We are missing some information in our image SBOMs, which causes trivy to generate warnings. The missing piece is a package declaring what operating system our images are using.

sil2100 added 2 commits May 28, 2025 18:31
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
@sil2100 sil2100 marked this pull request as ready for review May 28, 2025 16:54
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
xnox
xnox previously requested changes May 28, 2025
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
@sil2100
Member Author

sil2100 commented May 28, 2025

Ok, remaining failures:

  • build-all-examples seems to be unrelated to this change - looks like apk issues?
  • build-nginx-all-arches seems to be the - and _ thing

@sil2100 sil2100 enabled auto-merge (squash) May 29, 2025 08:09
@sil2100
Member Author

sil2100 commented May 29, 2025

Tested against a locally built image: the sbom seems to be correct and trivy seems to be happy with it. Ship it!

Contributor

@javacruft javacruft left a comment

Previous discussion on this PR is now resolved so 👍

@sil2100 sil2100 dismissed xnox’s stale review May 29, 2025 09:09

All mentioned issues were valid and have been resolved. Thanks!

@sil2100 sil2100 merged commit 914a574 into chainguard-dev:main May 29, 2025
16 checks passed