-
Notifications
You must be signed in to change notification settings - Fork 580
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Request] Ability to customize top level metadata #3397
Comments
This is related to: #3098 |
I spoke with @wagoodman about this and we think a reasonable path forward is the following:
We believe that the values provided to configure this package have a moderate likelihood to be dynamic, such as the Some other suggestions for the CLIAdd many unique flags:
Use JSON:
Multiple args:
Something more complicated than the suggestion below:
... my preferred idea is to consolidate based on an object structure to a format like
There will likely be some overlap with the existing name/version options e.g. these may result in predominantly the same thing:
This could also be populated through a YAML configuration such as:
If anyone has some prior art that might help inform the direction here, please let us know! |
What would you like to be added:
Users are looking to create SBOMs that meet the NTIA Minimum Fields requirements. Users typically do this through a two step process.
This second step often requires a lot of custom scripting with
jq
, python or using a tool like sbomasm.This feature request is to include a method to specify user defined top level metadata as options when calling syft or through a configuration file.
The files proposed are ...
Why is this needed:
Most of the fields required for NTIA Minimum Field compliance need to be defined by the creator of the software product and there is no easy way for syft to discover their values. Allowing users to specify these field in a syft call reduces the steps required to create a "complete" SBOM.
Additional context:
This is a recommendation that originates from the CISA SBOM Generation Reference Implementation Tiger Team. Today https://github.com/interlynk-io/sbomasm is being used in the reference implementations.
CC/ @joshbressers
The text was updated successfully, but these errors were encountered: