Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/imjasonh/sbom-fun

README

# SBOM FUN!

This repo produces a multi-platform image (an OCI image index) when built with `ko`. Each platform-specific image in that index has its own SBOM, and the SBOMs differ from one platform to the next because the set of Go modules compiled into each platform's binary differs.

```
$ crane manifest ghcr.io/imjasonh/sbom-fun/github.com/imjasonh/sbom-fun | jq '.manifests[].platform'
{
  "architecture": "amd64",
  "os": "linux"
}
{
  "architecture": "arm",
  "os": "linux"
}
{
  "architecture": "arm64",
  "os": "linux"
}
{
  "architecture": "ppc64le",
  "os": "linux"
}
{
  "architecture": "s390x",
  "os": "linux"
}
```

Select a platform and get that image's digest, then get that image's SBOM:

```
$ crane digest ghcr.io/imjasonh/sbom-fun/github.com/imjasonh/sbom-fun --platform=linux/arm64
sha256:18f3efcc2edee3500445ee2b3a968834d1396cbcdd6300e4bd8b01b980c50b67

$ cosign download sbom ghcr.io/imjasonh/sbom-fun/github.com/imjasonh/sbom-fun@sha256:18f3efcc2edee3500445ee2b3a968834d1396cbcdd6300e4bd8b01b980c50b67 | jq -r '.components[].name'
github.com/BurntSushi/toml
github.com/google/go-github/v45
github.com/google/go-querystring
golang.org/x/crypto
```

Select a different platform, get a different SBOM:

```
$ crane digest ghcr.io/imjasonh/sbom-fun/github.com/imjasonh/sbom-fun --platform=linux/ppc64le
sha256:b4c3ee6f0f5093c27f3710a18209e6922f56b3a9e7efef53271f5b5d50b91745

$ cosign download sbom ghcr.io/imjasonh/sbom-fun/github.com/imjasonh/sbom-fun@sha256:b4c3ee6f0f5093c27f3710a18209e6922f56b3a9e7efef53271f5b5d50b91745 | jq -r '.components[].name'
github.com/BurntSushi/toml
github.com/google/go-cmp
```

There's also a test dependency on https://github.com/stretchr/testify, which shows up in `go.mod` but shouldn't appear in any image's SBOM: it is only a test dependency, so it is never linked into the shipped binary. A quick way to confirm this is to run the `cosign download sbom ... | jq` pipeline above for each platform digest and check that `github.com/stretchr/testify` never appears in the output.
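As an added example (not part of the sbom-fun repo or its README), here is a small Go program that does offline what the `crane`/`cosign`/`jq` pipeline above does against the registry: resolve a platform to its digest from the image index, pull component names out of a CycloneDX SBOM (the `.components[].name` shape the jq path above selects), diff two platforms' SBOMs, and check that the test-only `testify` module is absent from both. The index and SBOM documents are constructed inline from the outputs shown above, trimmed to the two platforms that are listed; the function names are mine, not `ko`'s or cosign's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// The slice of an OCI image index we need: platform -> per-platform digest.
type indexManifest struct {
	Manifests []struct {
		Digest   string `json:"digest"`
		Platform struct {
			OS           string `json:"os"`
			Architecture string `json:"architecture"`
		} `json:"platform"`
	} `json:"manifests"`
}

// The slice of a CycloneDX SBOM we need (the `.components[].name` path above).
type cycloneDX struct {
	Components []struct {
		Name string `json:"name"`
	} `json:"components"`
}

// Constructed sample inputs, not fetched from the registry: an index trimmed to
// two platforms (digests as shown above) and the two SBOMs listed above.
const sampleIndex = `{"manifests":[
 {"digest":"sha256:18f3efcc2edee3500445ee2b3a968834d1396cbcdd6300e4bd8b01b980c50b67","platform":{"os":"linux","architecture":"arm64"}},
 {"digest":"sha256:b4c3ee6f0f5093c27f3710a18209e6922f56b3a9e7efef53271f5b5d50b91745","platform":{"os":"linux","architecture":"ppc64le"}}]}`
const sbomARM64 = `{"components":[{"name":"github.com/BurntSushi/toml"},{"name":"github.com/google/go-github/v45"},{"name":"github.com/google/go-querystring"},{"name":"golang.org/x/crypto"}]}`
const sbomPPC64LE = `{"components":[{"name":"github.com/BurntSushi/toml"},{"name":"github.com/google/go-cmp"}]}`

// platformDigest resolves os/arch to the per-platform image digest, which is
// what the SBOM is attached to; the index digest or a tag would not pick one.
func platformDigest(indexJSON []byte, os, arch string) (string, error) {
	var idx indexManifest
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return "", err
	}
	for _, m := range idx.Manifests {
		if m.Platform.OS == os && m.Platform.Architecture == arch {
			return m.Digest, nil
		}
	}
	return "", fmt.Errorf("no manifest for %s/%s in index", os, arch)
}

// componentNames returns the sorted, de-duplicated component names of an SBOM.
func componentNames(sbomJSON []byte) ([]string, error) {
	var bom cycloneDX
	if err := json.Unmarshal(sbomJSON, &bom); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for _, c := range bom.Components {
		seen[c.Name] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names, nil
}

// contains reports whether a sorted name list includes module.
func contains(names []string, module string) bool {
	i := sort.SearchStrings(names, module)
	return i < len(names) && names[i] == module
}

// diffComponents returns the names only in a and the names only in b.
func diffComponents(a, b []string) (onlyA, onlyB []string) {
	for _, n := range a {
		if !contains(b, n) {
			onlyA = append(onlyA, n)
		}
	}
	for _, n := range b {
		if !contains(a, n) {
			onlyB = append(onlyB, n)
		}
	}
	return onlyA, onlyB
}

func main() {
	arm64, _ := componentNames([]byte(sbomARM64))
	ppc64le, _ := componentNames([]byte(sbomPPC64LE))
	onlyARM64, onlyPPC64LE := diffComponents(arm64, ppc64le)
	fmt.Println("only in linux/arm64:  ", onlyARM64)
	fmt.Println("only in linux/ppc64le:", onlyPPC64LE)
	// The test-only module must be absent from every image's SBOM.
	for _, names := range [][]string{arm64, ppc64le} {
		if contains(names, "github.com/stretchr/testify") {
			fmt.Println("FAIL: test-only dependency appears in an image SBOM")
		}
	}
}
```

Run it with `go run`; the two diff lines reproduce the difference between the jq listings above. One caveat when doing this against a real registry: `cosign download sbom` fetches the attached SBOM without verifying any signature on it, so verify the SBOM's signature or attestation separately before treating its component list as trustworthy.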