1ES Pipeline Templates generates SBOMs for our SBOMs #1331
Comments
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
[Triage] The 1ES pipeline templates documentation specifies how to disable SBOM generation for specific artifacts: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/sbom
I ran some tests with disabling SBOM on pipeline artifacts since we never emit shipping code as pipeline artifacts. This causes us to run into issues with generating SBOM manifests for our container images, due to #1283. That will need to be reverted for this change to work. Pipeline test runs: docker-tools, dotnet-docker
[Triage] We should first focus on disabling SBOM generation for other SBOMs, rather than disabling SBOM generation for all pipeline artifacts. We can revisit the necessity of other SBOMs at a later date.
We compute and upload our container image SBOMs ourselves, and upload them as a pipeline artifact. 1ES pipeline templates also generates an SBOM for every pipeline artifact that's published. Thus, 1ES pipeline templates ends up generating a (useless) SBOM for our real SBOMs. The result is that it's difficult to traverse the pipeline artifacts and grab a useful SBOM. We should find a way to stop uploading these meta-SBOMs.
Example: the `sboms` folder is what we upload. The `_manifest` folder is what contains the SBOMs for our SBOMs.
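The traversal problem described in the issue, as an added example that is not part of the issue or of the dotnet-docker project: a small script that walks a published pipeline artifact and separates the SBOMs the team uploaded under `sboms/` from the template-generated meta-SBOMs under `_manifest/`, reporting which package each document describes. The directory layout, the `_manifest/spdx_2.2/manifest.spdx.json` sub-path and the SPDX 2.2 JSON shape of the documents are assumptions; the sample tree is constructed inline so the script runs offline.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample artifact layout (assumption, not taken from the issue):
# a real container-image SBOM under sboms/ and a template-generated SBOM
# under _manifest/ whose subject is the sboms/ folder itself.
SAMPLE_TREE = {
    "sboms/image-sbom.spdx.json": {
        "spdxVersion": "SPDX-2.2",
        "name": "example-image",
        "documentDescribes": ["SPDXRef-RootPackage"],
        "packages": [{"SPDXID": "SPDXRef-RootPackage", "name": "example-image:latest"}],
    },
    "_manifest/spdx_2.2/manifest.spdx.json": {
        "spdxVersion": "SPDX-2.2",
        "name": "sboms",
        "documentDescribes": ["SPDXRef-RootPackage"],
        "packages": [{"SPDXID": "SPDXRef-RootPackage", "name": "sboms"}],
    },
}

# Directory name the pipeline templates are assumed to use for their own SBOM output.
META_DIR = "_manifest"


def write_sample_tree(root):
    """Materialise the constructed SAMPLE_TREE under root."""
    for rel, doc in SAMPLE_TREE.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(doc))


def is_meta_sbom(path, root):
    """True when the document lives under the template-generated _manifest tree."""
    return META_DIR in Path(path).relative_to(root).parts


def describes(doc):
    """Names of the packages an SPDX 2.2 JSON document declares as its subject."""
    ids = set(doc.get("documentDescribes", []))
    return [p.get("name") for p in doc.get("packages", []) if p.get("SPDXID") in ids]


def collect_sboms(root):
    """Return (real, meta): sorted lists of (relative path, described package names)."""
    real, meta = [], []
    for path in Path(root).rglob("*.spdx.json"):
        with open(path) as f:
            doc = json.load(f)
        entry = (path.relative_to(root).as_posix(), describes(doc))
        (meta if is_meta_sbom(path, root) else real).append(entry)
    return sorted(real), sorted(meta)


def demo():
    """Build the sample artifact in a temp dir and classify its SBOMs."""
    with tempfile.TemporaryDirectory() as d:
        write_sample_tree(d)
        return collect_sboms(d)


if __name__ == "__main__":
    real, meta = demo()
    print("uploaded SBOMs:", real)
    print("template-generated meta-SBOMs:", meta)
```

Classifying by path is enough for the layout above; checking `documentDescribes` as well makes the meta-SBOM obvious even if it were published elsewhere, since its subject is the `sboms` folder rather than an image.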