
feat(ISV-5866): Use Mobster to generate oci image SBOMs #2532

Open: wants to merge 1 commit into main from ISV-5866
Conversation

@Allda (Contributor) commented Jul 14, 2025

Mobster is a unified tool for generating SBOMs in Konflux. The OCI image is another content type that is being ported to use Mobster.

Mobster handles the logic of the previously defined scripts and unifies the output across all produced SBOMs.

The oci-image generator executes the following steps internally:

  • merge the syft and hermeto outputs
  • add a reference to the image and update the relationships
  • add the base images used to build the image
  • add additional base images
  • validate the format against the SPDX or CycloneDX schema

JIRA: ISV-5866

Before you complete this pull request ...

Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.

@Allda Allda requested a review from a team as a code owner July 14, 2025 14:00
@Allda Allda force-pushed the ISV-5866 branch 3 times, most recently from d308148 to 48ff887 Compare July 14, 2025 14:56
@Allda (Contributor, Author) commented Jul 15, 2025

/retest

@Allda (Contributor, Author) commented Jul 15, 2025

/retest

@Allda Allda requested review from sfowl and a team as code owners July 15, 2025 10:20
@Allda (Contributor, Author) commented Jul 15, 2025

/retest

@sfowl (Contributor) commented Jul 16, 2025

/retest

Mobster is a unified tool for generating SBOMs in Konflux. The OCI
image is another content type that is being ported to use Mobster.

Mobster handles the logic of the previously defined scripts and unifies the
output across all produced SBOMs.

The oci-image generator executes the following steps internally:
- merge the syft and hermeto outputs
- add a reference to the image and update the relationships
- add the base images used to build the image
- add additional base images
- validate the format against the SPDX or CycloneDX schema

JIRA: ISV-5866

Signed-off-by: Ales Raszka <[email protected]>
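The five generator steps listed in the PR description and commit message, as an added example in Python. This is not Mobster's or Konflux's code; it sketches the same pipeline for SPDX 2.3 JSON. The two input documents, the image and base-image names and digests, the purl-keyed de-duplication, and the relationship types chosen for base images (DESCENDANT_OF for the final FROM, BUILD_TOOL_OF for a builder stage) are all this example's assumptions, and the final step is reduced to structural sanity checks rather than a full schema validation.

```python
# Added example, not Mobster's or Konflux's code: the five oci-image steps sketched for SPDX 2.3 JSON.
import re
from urllib.parse import quote

SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.-]+$")
RELATIONSHIP_TYPES = {"DESCRIBES", "CONTAINS", "DEPENDS_ON", "DESCENDANT_OF", "BUILD_TOOL_OF"}  # subset used here


def package(spdx_id, name, version, purl):
    ref = {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": purl}
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version,
            "downloadLocation": "NOASSERTION", "externalRefs": [ref]}


def rel(src, kind, dst):
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}


def oci_purl(repository, name, digest):
    return f"pkg:oci/{name}@{quote(digest, safe='')}?repository_url={repository}"  # purl encodes the ':'


# Constructed syft-style document: what the scanner found inside the image.
SYFT_SBOM = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "app", "packages": [
    package("SPDXRef-Package-rpm-openssl", "openssl", "3.0.7", "pkg:rpm/redhat/openssl@3.0.7?arch=x86_64"),
    package("SPDXRef-Package-pypi-requests", "requests", "2.32.3", "pkg:pypi/requests@2.32.3"),
], "relationships": []}

# Constructed hermeto-style document: the prefetched build inputs. It overlaps with syft on
# requests (same purl, different SPDXID) and carries its own DESCRIBES root.
HERMETO_SBOM = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "prefetch", "packages": [
    package("SPDXRef-hermeto-requests", "requests", "2.32.3", "pkg:pypi/requests@2.32.3"),
    package("SPDXRef-hermeto-urllib3", "urllib3", "2.2.2", "pkg:pypi/urllib3@2.2.2"),
], "relationships": [rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-hermeto-requests"),
                     rel("SPDXRef-hermeto-requests", "DEPENDS_ON", "SPDXRef-hermeto-urllib3")]}


def purl_of(pkg):
    return next((r["referenceLocator"] for r in pkg.get("externalRefs", []) if r.get("referenceType") == "purl"), None)


def merge_sboms(primary, secondary):
    """Step 1: union packages keyed by purl, redirect relationships of dropped duplicates to the
    surviving SPDXID, and drop every DESCRIBES so the image can become the only root."""
    merged = {"spdxVersion": primary["spdxVersion"], "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
              "name": primary["name"], "packages": [], "relationships": []}
    surviving, remap = {}, {}
    for doc in (primary, secondary):
        for pkg in doc["packages"]:
            key = purl_of(pkg) or pkg["SPDXID"]
            if key in surviving:
                remap[pkg["SPDXID"]] = surviving[key]
            else:
                surviving[key] = pkg["SPDXID"]
                merged["packages"].append(dict(pkg))
    for doc in (primary, secondary):
        for r in doc["relationships"]:
            if r["relationshipType"] != "DESCRIBES":
                merged["relationships"].append(rel(remap.get(r["spdxElementId"], r["spdxElementId"]),
                    r["relationshipType"], remap.get(r["relatedSpdxElement"], r["relatedSpdxElement"])))
    return merged


def add_image_reference(sbom, repository, name, digest):
    """Step 2: the built image is the single DESCRIBES root and CONTAINS every package without a parent."""
    image_id = "SPDXRef-image"
    sbom["packages"].insert(0, package(image_id, name, digest, oci_purl(repository, name, digest)))
    sbom["relationships"].insert(0, rel("SPDXRef-DOCUMENT", "DESCRIBES", image_id))
    parented = {r["relatedSpdxElement"] for r in sbom["relationships"]}
    for pkg in sbom["packages"]:
        if pkg["SPDXID"] != image_id and pkg["SPDXID"] not in parented:
            sbom["relationships"].append(rel(image_id, "CONTAINS", pkg["SPDXID"]))
    return image_id


def add_base_image(sbom, image_id, repository, name, digest, builder=False):
    """Steps 3 and 4. Relationship types are this example's choice, not Mobster's: the final FROM
    makes the image DESCENDANT_OF the base, a builder stage is BUILD_TOOL_OF the image."""
    base_id = "SPDXRef-base-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)
    sbom["packages"].append(package(base_id, name, digest, oci_purl(repository, name, digest)))
    sbom["relationships"].append(rel(base_id, "BUILD_TOOL_OF", image_id) if builder
                                 else rel(image_id, "DESCENDANT_OF", base_id))
    return base_id


def validate_structure(sbom):
    """Step 5 reduced to cheap structural checks worth running before a real SPDX schema validator."""
    problems = []
    ids = [p["SPDXID"] for p in sbom["packages"]]
    problems += [f"duplicate SPDXID {i}" for i in sorted(set(ids)) if ids.count(i) > 1]
    problems += [f"malformed SPDXID {i}" for i in ids if not SPDX_ID_RE.match(i)]
    known = set(ids) | {"SPDXRef-DOCUMENT"}
    for r in sbom["relationships"]:
        if r["relationshipType"] not in RELATIONSHIP_TYPES:
            problems.append(f"unknown relationship type {r['relationshipType']}")
        problems += [f"dangling reference {e}" for e in (r["spdxElementId"], r["relatedSpdxElement"]) if e not in known]
    roots = [r for r in sbom["relationships"] if r["relationshipType"] == "DESCRIBES"]
    if len(roots) != 1:
        problems.append(f"expected exactly one DESCRIBES, found {len(roots)}")
    return problems


def build_image_sbom():
    """Run all five steps on the constructed inputs; the image and base digests are made up."""
    sbom = merge_sboms(SYFT_SBOM, HERMETO_SBOM)
    image_id = add_image_reference(sbom, "quay.io/example/app", "app", "sha256:" + "ab" * 32)
    add_base_image(sbom, image_id, "registry.access.redhat.com/ubi9/ubi", "ubi", "sha256:" + "cd" * 32)
    add_base_image(sbom, image_id, "registry.access.redhat.com/ubi9/go-toolset", "go-toolset",
                   "sha256:" + "ef" * 32, builder=True)
    return sbom
```

Calling `build_image_sbom()` yields one document with six packages and six relationships: the duplicate `requests` entry from the hermeto side collapses onto syft's SPDXID and its DEPENDS_ON edge is rewritten accordingly, hermeto's own DESCRIBES root is discarded in favour of the image, and `validate_structure()` returns an empty list. The de-duplication key matters for the security use of the SBOM: if the two inputs are concatenated without it, the same component shows up twice under different IDs and vulnerability matching on the result double-counts or, worse, leaves dangling relationship ends when one copy is later removed.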
@chmeliik (Contributor) left a comment

LGTM

Normally, I would like the Conforma change to be merged and deployed first, but it seems that the fix was only needed for CycloneDX which shouldn't be widely used anymore within Red Hat. So we don't need to wait

Labels: None yet
Projects: None yet
3 participants