generated from kubernetes/kubernetes-template-project
Support Go binaries in bom generate #347
Labels
help wanted
Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
kind/feature
Categorizes issue or PR as related to a new feature.
sig/release
Categorizes an issue or PR as relevant to SIG Release.
micahhausler added the kind/feature and sig/release labels Sep 19, 2023
cpanato added the help wanted label Sep 21, 2023
As discussed at the contributor's summit, we will modernize the k8s sboms, so I think I'll build this.
I was also experimenting with
Today, when generating an SBOM for a container image, you get something like the following.

Note that only the OS package database is analyzed, even though there are Go binaries `go-runner` and `/usr/local/bin/kube-apiserver` with their own dependencies.

When running `go version -m`, go will analyze module information baked into the binary. This functionality is facilitated by `debug/buildinfo.ReadFile()` in the standard library which returns a `*runtime/debug.BuildInfo{}`.

What would you like to be added:

While it would not be as complete as the current `go.mod` analyzer, it'd be nice to be able to analyze local files or files within an image specified like `bom generate -i $IMAGE --scan-images -f /go-runner -f /usr/local/bin/kube-apiserver` to check if they're go binaries and get the module information.

Why is this needed:

If I'm a user scanning an image with a Go binary that has module information, I'd like to know the module version information in my SBOM
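
The per-file check requested above, as an added example that is not from the issue or from bom's code base: it uses `debug/buildinfo.ReadFile()` to pull module data out of a binary and returns an error for files that are not Go binaries. `Component`, `Components`, `ScanFile` and the simplified package-URL rendering (no percent-encoding) are assumptions made for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// Component is a hypothetical SBOM entry; PURL renders it as a "golang" package URL.
type Component struct{ Path, Version, Sum string }

func (c Component) PURL() string { return "pkg:golang/" + c.Path + "@" + c.Version }

// Components lists the main module followed by its dependencies. A replaced
// module is reported as its replacement, since that is the code compiled in.
func Components(bi *debug.BuildInfo) []Component {
	var out []Component
	for _, m := range append([]*debug.Module{&bi.Main}, bi.Deps...) {
		if m.Replace != nil {
			m = m.Replace
		}
		if m.Path != "" { // Main is empty when built without module support
			out = append(out, Component{m.Path, m.Version, m.Sum})
		}
	}
	return out
}

// ScanFile returns the Go toolchain version and the modules embedded in path.
// Files that are not Go binaries (scripts, data, other ELF files) yield an error.
func ScanFile(path string) (string, []Component, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, fmt.Errorf("%s: no Go build info: %w", path, err)
	}
	return bi.GoVersion, Components(bi), nil
}

func main() {
	for _, p := range os.Args[1:] { // e.g. ./go-runner ./kube-apiserver
		ver, comps, err := ScanFile(p)
		if err != nil {
			fmt.Fprintln(os.Stderr, "skip:", err)
		}
		for _, c := range comps {
			fmt.Printf("%s\t%s\t%s\t%s\n", p, ver, c.PURL(), c.Sum)
		}
	}
}
```

The file paths are passed as arguments after they have been extracted from the image; reading files directly out of image layers is outside what this example covers.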