
Provide Global Mechanism to Disable SBOM Generation #311

Open
dmikusa opened this issue Feb 2, 2024 · 2 comments
Labels: type:enhancement (A general enhancement), type:poll (Request for feedback from the community)

Comments

@dmikusa (Contributor)

dmikusa commented Feb 2, 2024

Describe the Enhancement

Implement RFC 0044 by checking for BP_DISABLE_SBOM as one of the first things in build.go and, if set, return early.

Possible Solution

This needs support in both libpak and libbs. Any point where we generate SBOM information or run syft (or other tools) needs to be aware of the opt-out and should skip generating SBOM information.

In addition, the container needs to be flagged as having opted out of SBOM generation so it's clear this was due to a user request.

Motivation

At the moment, this remains unclear. If you find this issue and it is of interest to you, please post a comment and include some details about why you'd like this setting, your use case, and how it impacts you. If we get enough user interest, we can implement this feature.

@dmikusa added the type:enhancement and type:poll labels Feb 2, 2024

@dmikusa (Contributor, Author)

dmikusa commented May 17, 2024

See paketo-buildpacks/maven#334 for some rationale for implementing this.

@loewenstein

> See paketo-buildpacks/maven#334 for some rationale for implementing this.

I don't think that the linked issue asks for disabling SBoM globally. The maven cyclonedx plug-in will only be able to provide insights into the bom of the app. This cannot replace e.g. the libjvm buildpacks to provide the jvm sbom information.
