Skip to content

Include build VCS + env information in SBOMs #674

New issue
New issue
Open
Open
Include build VCS + env information in SBOMs#674
Labels
lifecycle/frozensbomRelated to generation of SBOMs
@imjasonh

Description

@imjasonh
imjasonh
opened on Mar 28, 2022

Binaries built using Go 1.18+ have extra info embedded, e.g., for ko itself:

	build	-compiler=gc
	build	CGO_ENABLED=0
	build	CGO_CFLAGS=
	build	CGO_CPPFLAGS=
	build	CGO_CXXFLAGS=
	build	CGO_LDFLAGS=
	build	GOARCH=amd64
	build	GOOS=darwin
	build	GOAMD64=v1
	build	vcs=git
	build	vcs.revision=895cff9823bdde4341ebd3b1893307a42d12e1f4
	build	vcs.time=2022-03-28T13:55:53Z
	build	vcs.modified=true

We should collect this and put it into SPDX and CycloneDX SBOMs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    lifecycle/frozensbomRelated to generation of SBOMs

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions