# 4. SBOM Generation with Witness

Date: 2022-03-29

## Status

Accepted

## Context

SBOMs are required for software running on government hardware per EO14028.

## Decision

Using Witness' Syft attestor functionality allows Jackal to continue to get more refined SBOM capabilities as Witness' capabilities expand over time. Syft is capable of finding installed packages and some binaries for statically compiled dependencies over each image within a Jackal package. This allows an SBOM to be generated for each image and packaged along with the Jackal package. The ability to export the SBOM to SPDX and CycloneDX formatted documents as well as a browsable web page is in the works.

## Consequences

Added dependencies of Witness and Syft which may inflate Jackal binary size. Increased Jackal package size -- Jeff noted that uncompressed SBOMs for Big Bang Core came in at around 200MB.
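One check a consumer of a package built this way will want is that every image the package ships actually has an SBOM, and that the SBOM is bound to the image digest rather than to some earlier build of the same tag. The following is an added example, not Jackal's or Witness's code. It assumes that each per-image SBOM is wrapped as an in-toto Statement whose `subject` carries the image digest (the envelope format Witness attestations use; the `https://spdx.dev/Document` and `https://cyclonedx.org/bom` predicate types are the in-toto conventions for the two export formats the ADR mentions). The image names, manifests and SBOM component lists are constructed for the example.

```python
"""Bind per-image SBOMs to the images they describe and check coverage.

Assumptions (not from the ADR): SBOMs are wrapped as in-toto Statements whose
``subject`` holds the image digest; all sample images, manifests and SBOM
contents below are constructed for this example.
"""
import hashlib

SPDX_PREDICATE = "https://spdx.dev/Document"
CYCLONEDX_PREDICATE = "https://cyclonedx.org/bom"


def image_digest(manifest_bytes: bytes) -> str:
    """sha256 of an image manifest, hex encoded as OCI and in-toto spell it."""
    return hashlib.sha256(manifest_bytes).hexdigest()


def wrap_sbom(image_name, digest_hex, sbom, predicate_type=CYCLONEDX_PREDICATE):
    """Wrap an SBOM as an in-toto Statement bound to exactly one image digest."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": image_name, "digest": {"sha256": digest_hex}}],
        "predicateType": predicate_type,
        "predicate": sbom,
    }


def component_count(statement):
    """Count the packages an SBOM lists, for either export format."""
    pred = statement["predicate"]
    if statement["predicateType"] == CYCLONEDX_PREDICATE:
        return len(pred.get("components", []))
    if statement["predicateType"] == SPDX_PREDICATE:
        return len(pred.get("packages", []))
    raise ValueError(f"unknown SBOM predicate type {statement['predicateType']}")


def check_sbom_coverage(package_images, statements):
    """Report, per shipped image, whether a digest-matching SBOM is present.

    package_images: {image name: sha256 hex digest} taken from the package.
    statements:     in-toto Statements carrying the per-image SBOMs.
    Returns {image name: "ok" | "missing" | "digest-mismatch"}.
    """
    digests_by_name = {}
    for st in statements:
        for subj in st["subject"]:
            digests_by_name.setdefault(subj["name"], set()).add(
                subj["digest"].get("sha256"))
    report = {}
    for name, digest in package_images.items():
        seen = digests_by_name.get(name)
        if not seen:
            report[name] = "missing"          # image shipped with no SBOM at all
        elif digest in seen:
            report[name] = "ok"               # SBOM describes this exact image
        else:
            report[name] = "digest-mismatch"  # SBOM is for an older build of the tag
    return report


# ---- constructed sample data -------------------------------------------------
NGINX_MANIFEST = b'{"schemaVersion":2,"config":{"digest":"sha256:n1"}}'
REDIS_MANIFEST = b'{"schemaVersion":2,"config":{"digest":"sha256:r2"}}'
STALE_REDIS_MANIFEST = b'{"schemaVersion":2,"config":{"digest":"sha256:r1"}}'

PACKAGE_IMAGES = {
    "registry.example/nginx:1.25": image_digest(NGINX_MANIFEST),
    "registry.example/redis:7": image_digest(REDIS_MANIFEST),
    "registry.example/busybox:1.36": image_digest(b"busybox-manifest"),
}

NGINX_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4",
              "components": [{"type": "library", "name": "openssl", "version": "3.0.13"},
                             {"type": "library", "name": "zlib", "version": "1.2.13"}]}
REDIS_SBOM = {"spdxVersion": "SPDX-2.3",
              "packages": [{"name": "redis", "versionInfo": "7.0.15"}]}

STATEMENTS = [
    wrap_sbom("registry.example/nginx:1.25", image_digest(NGINX_MANIFEST), NGINX_SBOM),
    # SBOM generated against a previous build of the redis tag: digest no longer matches.
    wrap_sbom("registry.example/redis:7", image_digest(STALE_REDIS_MANIFEST),
              REDIS_SBOM, SPDX_PREDICATE),
    # busybox deliberately has no SBOM.
]


def demo():
    return check_sbom_coverage(PACKAGE_IMAGES, STATEMENTS)


if __name__ == "__main__":
    for image, status in demo().items():
        print(f"{status:16} {image}")
```

The coverage check is deliberately keyed on the digest in the Statement's `subject`, not on the image tag: a tag can be re-pointed between the SBOM scan and the package build, and a digest comparison is what catches that.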