github.com/Racer159/jackal@v0.32.7-0.20240401174413-0bd2339e4f2e/adr/0009-sbom-more-than-images.md

# 9. SBOM more than images

Date: 2022-12-13

## Status

Accepted

## Context

Images are not the only way that dependencies can be brought in via a Jackal package (our own init package has two components, k3s and the injector, that are not images yet could still have vulnerabilities within them). We should SBOM these in addition to images so that we provide a more complete picture to our users.

Potential considerations:

1. Run Syft against the entire jackal temp build directory
    Pros:
        - This would provide the most information about what _might_ be in a Jackal package
    Cons:
        - If git repos are brought in, this could catch many index files that are not actually in the package but are dependencies of the repos, leading to confusion

2. Run Syft against files and dataInjections
    Pros:
        - We know these files are actually inside of the package and won't just be noise
        - These are the two most common ways for people to include additional artifacts in packages (we use files in our own init package)
    Cons:
        - This is only a subset of what Jackal provides; someone could commit an artifact to a git repo, for example

3. Allow user flexibility in what gets SBOMed
    Pros:
        - This provides the user the most flexibility
    Cons:
        - This could be complex to get right in the implementation, and if it were optional it may be a forgotten feature for most users

## Decision

It was decided that we would SBOM the files and dataInjections inclusions by component (option 2) and include them in our SBOM viewer that way. This will allow us to characterize what SBOMing in Jackal may look like going forward without introducing something that is merely optional or that might make too much noise at first blush.

## Consequences

This will allow for more SBOM fidelity across the variety of ways users can bring dependencies into the airgap, but it will not catch everything. We will need to look closely at upstream tooling like Syft to see how we can both improve it and use it better within Jackal. The inability to parse .whl files without renaming or unpacking them is one example of this, and we may want to disable index parsers in the future, so there is lots of tuning to come.
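As an added illustration of the decision above and the .whl caveat in the consequences (example code written for this ADR, not Jackal's own implementation), the snippet below builds per-component Syft scan targets from `files` and `dataInjections` only, deliberately skips git repos, and flags `.whl` files that Syft cannot parse without renaming or unpacking. The `Component` struct is a simplified hypothetical shape, and `isDir` is injected so the logic runs without touching the filesystem.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Component is a hypothetical, simplified component shape (assumption, not
// Jackal's real type): only the fields this ADR talks about are modelled.
type Component struct {
	Name           string
	Files          []string // source paths of `files` entries in the build dir
	DataInjections []string // source paths of `dataInjections` entries
	Repos          []string // git repos: intentionally NOT scanned (option 1 noise)
}

// SBOMTarget is one Syft scan source for a component, in Syft's "scheme:path"
// form (dir: for directories, file: for single files), e.g. `syft dir:data -o spdx-json`.
type SBOMTarget struct {
	Component   string
	Source      string
	NeedsRename bool // .whl: Syft needs the file renamed/unpacked first (per the ADR)
}

// ScanTargets implements option (2): SBOM only files and dataInjections, per
// component, de-duplicating sources that appear in both lists.
func ScanTargets(components []Component, isDir func(string) bool) []SBOMTarget {
	var out []SBOMTarget
	for _, c := range components {
		seen := map[string]bool{}
		sources := append(append([]string{}, c.Files...), c.DataInjections...)
		for _, src := range sources {
			clean := filepath.Clean(src)
			if seen[clean] {
				continue
			}
			seen[clean] = true
			scheme := "file:"
			if isDir(clean) {
				scheme = "dir:"
			}
			out = append(out, SBOMTarget{
				Component:   c.Name,
				Source:      scheme + clean,
				NeedsRename: strings.EqualFold(filepath.Ext(clean), ".whl"),
			})
		}
	}
	return out
}

func main() {
	// Constructed sample component; the .whl name is made up for illustration.
	comps := []Component{{Name: "init",
		Files:          []string{"files/k3s/k3s", "files/example-0.1.0-py3-none-any.whl"},
		DataInjections: []string{"data/", "files/k3s/k3s"},
		Repos:          []string{"https://example.invalid/repo.git"}}}
	for _, t := range ScanTargets(comps, func(p string) bool { return p == "data" }) {
		fmt.Printf("%s: %s (needs rename: %v)\n", t.Component, t.Source, t.NeedsRename)
	}
}
```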