feat(docker): Add rebar3_sbom for Erlang SBOM generation #2
Conversation
|
|
||
| RUN mkdir -p $BOMBOM_HOME/bin \ | ||
| && curl -L https://github.com/stritzinger/bombom/releases/download/${BOMBOM_VERSION}/bombom.bin -o $BOMBOM_HOME/bin/bombom \ | ||
| && chmod a+x $BOMBOM_HOME/bin/bombom |
There was a problem hiding this comment.
We need some mechanism to verify authenticity. Something like SLSA via cosign or just a shasum.
Dockerfile
Outdated
| ENV BOMBOM_HOME=/opt/bombom | ||
|
|
||
| RUN mkdir -p $BOMBOM_HOME/bin \ | ||
| && curl -L https://github.com/stritzinger/bombom/releases/download/${BOMBOM_VERSION}/bombom.bin -o $BOMBOM_HOME/bin/bombom \ |
There was a problem hiding this comment.
I assume this binary is not portable to amd64 / aarch64, is that correct?
ORT Dockerfiles build to both architectures and you need to download the right binary based on arch.
There was a problem hiding this comment.
@ziopio Is there a way to generate binaries for other architectures ?
There was a problem hiding this comment.
This will be resolved in the next bombom release once this PR is merged.
| # Erlang (Rebar3 SBoM wrapped in Bombom) | ||
| FROM base AS rebar3_sbom_build | ||
|
|
||
| ARG BOMBOM_VERSION |
There was a problem hiding this comment.
You also need to set the correct version in /.env.versions.
|
You can see my change for mix here: e6bb099 |
Install rebar3_sbom binary using the Bombom wrapper Signed-off-by: GwendalLaurent <[email protected]>
GwendalLaurent
force-pushed
the
sosef/rebar3_sbom_docker
branch
from
12b6bb9 to
96ee0a5
Compare
|
Superseeded by #4 |
|
@maennchen Should I close this PR since it's superseeded ? |
|
@GwendalLaurent Yes |
Add
rebar3_sbomfor the generation of SBOM for Erlang project.rebar3_sbomis wrapped in bombom. This allows to runrebar3_sbomwithout installing a full Erlang distribution.