Commit e3afe28

docs: made buildprobe less central to documentation, add metadata format
1 parent 242c38d commit e3afe28

1 file changed

+24
-4
lines changed

docs/sboms/oci_image.md

Lines changed: 24 additions & 4 deletions
@@ -9,9 +9,29 @@ generated by Hermeto (previously known as Cachi2), with the requirement that
99
at least one SBOM is provided in total. It combines these SBOMs
1010
and takes them as a context of the built image.
1111

12-
The script uses buildprobe (see [capo](https://github.com/konflux-ci/capo) for
13-
details) to determine container content and which base images were used to
14-
build the image.
12+
The script takes a simple YAML file to determine container content and what
13+
other images were used to build the image:
14+
15+
```yaml
16+
# the image being built:
17+
image:
18+
pullspec: example.com/foo:1.2.3
19+
digest: sha256:bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c
20+
21+
# for images used directly to build the OCI image:
22+
base_images:
23+
- pullspec: example.com/bar:4.5.6
24+
digest: sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
25+
26+
# for other images used in the OCI image (i.e. for copying files):
27+
extra_images:
28+
- pullspec: example.com/baz:7.8.9
29+
digest: sha256:7d865e959b2466918c9863afca942d0fb89d7c9ac0c99bafc3749504ded97730
30+
```
31+
32+
33+
You can easily generate this metadata using buildprobe (see
34+
[capo](https://github.com/konflux-ci/capo) for details).
1535
1636
All provided SBOMs must be in the same specification! This script does not
1737
support combining SPDX and CycloneDX SBOMs.
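
Review bot: the new YAML block (added lines 15-30) documents `image`, `base_images` and `extra_images` by example only, so a reader cannot tell which keys are required, whether the two lists may be empty or omitted, or whether `digest` is mandatory on every entry. Suggest a short sentence after the block stating this, and noting that the `digest` is what pins each entry to immutable content while the tag in `pullspec` can move. Minor style point: added lines 31 and 32 are two consecutive blank lines before "You can easily generate this metadata"; one is enough.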
@@ -31,7 +51,7 @@ mobster --verbose generate oci-image \
3151
- `--from-hermeto` -- points to an SBOM file (in a JSON format) created by Hermeto
3252
- `--image-pullspec` -- the pullspec of the image processed in the format `<registry>/<repository>:<tag>`
3353
- `--image-digest` -- the digest of the image processed in the format `sha256:<digest value>`
34-
- `--metadata-path` -- points to Dockerfile/Containerfile metadata processed by `buildprobe`
54+
- `--metadata-path` -- points to a Dockerfile/Containerfile metadata YAML file
3555
- `--contextualize` -- Allows SBOM contextualization (see [Contextual SBOM](#contextual-sbom))
3656
- `--output` -- where to save the SBOM. prints it to STDOUT if this is not specified
3757
- `--skip-validation` -- skips validation of the SBOM
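
Review bot: the reworded `--metadata-path` bullet (new line 54) says only "a Dockerfile/Containerfile metadata YAML file" and no longer tells the reader where the format is defined; suggest linking it to the YAML description this commit adds earlier in the same file. The same list also keeps `--image-pullspec` and `--image-digest`, which now overlap with `image.pullspec` and `image.digest` in that metadata file, so the docs should say which source wins or whether a mismatch is treated as an error.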
