Skip to content

Implement intermediate SBOM generation and SPDX serialization #63

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

Implement intermediate SBOM generation and SPDX serialization #63

wants to merge 17 commits into from

Conversation

TheGrizzlyDev
Copy link
Collaborator

This change allows a user to create an intermediate sbom format via the sbom target that can later be consumed into a serialized format like SPDX by specialized rules.

Yannic
Yannic reviewed Sep 4, 2025
View reviewed changes
lib/supplychain-go/cmd/spdx/BUILD.bazel
@@ -0,0 +1,23 @@
load("@rules_go//go:def.bzl", "go_binary", "go_library")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd put this into //sbom/spdx/generator. I'd like to keep //lib/supplychain-go light and not pull in lots of dependencies for all kinds of sbom formats

Yannic
Yannic reviewed Sep 4, 2025
View reviewed changes
lib/supplychain-go/BUILD

go_library(
name = "supply-chain-go",
name = "supplychain-go",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mind splitting this one out into its own PR?

Also, we should probably add an alias for the old name

Yannic
Yannic reviewed Sep 4, 2025
View reviewed changes
tools/sbom/sbom.bzl
return rule(
_sbom_impl,
attrs = {
"target": attr.label(aspects = [gathering_aspect], doc="The target for which to generate an SBOM."),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From internal experience, this should be label_list

Yannic
Yannic reviewed Sep 4, 2025
View reviewed changes
tools/sbom/sbom.bzl
return gather_metadata_info_common(
target,
ctx,
want_providers = [PackageAttributeInfo, PackageMetadataInfo, LicenseKindInfo],
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do we need AttributeInfo and LicenseKindInfo for? They are referenced in the JSON file

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Yannic Yannic Yannic left review comments

@mzeren-vmw mzeren-vmw Awaiting requested review from mzeren-vmw

@aiuto aiuto Awaiting requested review from aiuto

@kraev-at-bc kraev-at-bc Awaiting requested review from kraev-at-bc

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TheGrizzlyDev @Yannic