Emit package_metadata #308

Draft
arjantop-cai wants to merge 1 commit into chainguard-dev:main from cookieai-jar:package-metadata

Conversation

@arjantop-cai

Emit package_metadata from https://github.com/bazel-contrib/supply-chain for apko packages.

This allows bazel SBOM tooling to include apko packages in the produced SBOM using tooling in supply-chain.

While chainguard packages already have SBOM and apko produces SBOM for the built image that cannot currently be wired in the supply-chain tooling. This is an attempt to get at least some metadata that can be included in final image SBOM (base image + eg. Go dependencies from service).

Resolves #306

@arjantop-cai arjantop-cai changed the title Emit package_metadata. Emit package_metadata May 4, 2026

@xnox xnox left a comment


I am not sure I like this. apko is capable of producing very rich SBOMs in SPDX format with a lot of purl references, with more data than just a synthesized pkg:apk.

Have you seen the SPDX SBOMs that apko can produce natively? Can that be attached verbatim, or as an extracted flat list of external refs & purls?

@xnox

xnox commented May 6, 2026

Opened:

I hope to have some better way to reuse the rich SBOM we provide.

@xnox xnox marked this pull request as draft May 6, 2026 12:09
@arjantop-cai

As I mentioned above, that is not possible right now.
Unlikely the aspect can even access the apko-built SBOM, as that is a build action.
Extracting from the APK might be possible, but there is currently no such support in bazel supply chain tooling.

@xnox

xnox commented May 6, 2026

@alexeagle is there a way to integrate apko generated sboms, higher up with bazel supply-chain etc? Because apko produces very rich SBOM and it is best for it to remain published and accessible and bubble up. Alternatively, I wonder if we should develop a better pattern to publish sbom along side the containers as an attestation.

@darkrift

darkrift commented May 8, 2026

@xnox supply-chain is still in its infancy, but what I can see is that rules_apko is not stitching dependencies together, which could help with SBOM relationships.

Also, there is a notion of "attributes" on package_metadata that is being worked on that could help keep lots of information associated to that package in addition to what is in the PURL.

@xnox

xnox commented May 9, 2026

The SBOM and packages have accurate purls; please reuse them without reconstruction. Also, ideally the existing SBOM should be propagated. If need be we can make it at lock creation rather than at bazel build time. That way the prebuilt SBOM could be parsed and reused.
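The extraction suggested in this thread (a flat list of purls pulled from apko's own SPDX output, reused rather than rebuilt), as an added example that is not part of this PR or of rules_apko. It reads a constructed SPDX 2.3 JSON document in the shape apko emits, collects each package's purl externalRef, and reports which qualifiers a purl rebuilt from only name, version and architecture would drop; the package, version and qualifier values are made up.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample SBOM in the SPDX 2.3 JSON shape apko emits; the package,
# version and qualifier values are invented for this example.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sbom-example",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-glibc",
            "name": "glibc",
            "versionInfo": "2.40-r1",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:apk/wolfi/glibc@2.40-r1?arch=x86_64&distro=wolfi",
            }],
        },
        # Image-level package with no purl: it must be skipped, not mis-read.
        {"SPDXID": "SPDXRef-Package-image", "name": "example-image", "versionInfo": "latest"},
    ],
})


def extract_purls(spdx_json: str) -> dict[str, str]:
    """Return {package name: purl} for every SPDX package carrying a purl externalRef."""
    doc = json.loads(spdx_json)
    purls = {}
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purls[pkg["name"]] = ref["referenceLocator"]
    return purls


def purl_qualifiers(purl: str) -> dict[str, str]:
    """Parse the qualifier part (after '?') of a purl into a dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(purl).query).items()}


def missing_qualifiers(native_purl: str, rebuilt_purl: str) -> set[str]:
    """Qualifiers present in the SBOM's purl that a rebuilt purl would lose."""
    return set(purl_qualifiers(native_purl)) - set(purl_qualifiers(rebuilt_purl))


if __name__ == "__main__":
    for name, purl in extract_purls(SAMPLE_SPDX).items():
        print(name, purl, purl_qualifiers(purl))
```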


@xnox xnox left a comment


The current approach is OK, if it works for you. Do use it and iterate on it by using a patch against fetching rules_apko. However, this doesn't quite fit the already rich apko/melange SBOM.


Successfully merging this pull request may close these issues.

Add package_metadata

3 participants