
Extract the SBOM from Component and publish to the registry #54

Open
yoshuawuyts opened this issue Mar 12, 2025 · 0 comments
Assignees
Labels
enhancement New feature or request

Comments

@yoshuawuyts
Member

yoshuawuyts commented Mar 12, 2025

Once #53 lands and we've confirmed it works, the next step will be to extract the SBOM and publish it to the registry. I've filed bytecodealliance/wasm-pkg-tools#154 to enable wkg to do this automatically, but we should get ahead of that and start by doing it manually first.

To get the SBOM from the binary we have to install auditable2cdx, but currently that's blocked on rust-secure-code/cargo-auditable#188. That should be easy enough for maintainers to resolve though, so we should be ok waiting on that. Once that lands I expect us to implement the following flow:

  1. Extract the SBOM as CycloneDX-formatted JSON from the .wasm binary
  2. Push and sign the SBOM on the registry using cosign (guide)

To my knowledge there is nothing else we need to do here, but let me know if I've missed anything here. Thanks!

References

cc/ @Shnatsel, @thomastaylor312, and @phickey for awareness
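As an added example (not code from the issue or from the project), the two-step flow above as a POSIX shell script. The auditable2cdx invocation follows its README (binary in, CycloneDX JSON on stdout); the `cosign attest --type cyclonedx` call, the `REF` placeholder for the already-pushed component, and the `validate_sbom` pre-publish check are my assumptions, since the linked guide is not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the issue or the project. Assumes auditable2cdx
# and cosign are installed, that the component was already pushed to the
# registry (issue #53), and that REF is the OCI reference it was pushed under
# (by digest, so the attestation binds to exactly that artifact).
set -eu

# Step 1: dump the cargo-auditable data embedded in the binary as CycloneDX JSON.
extract_sbom() {            # usage: extract_sbom component.wasm out.cdx.json
    auditable2cdx "$1" > "$2"
}

# Sanity check before anything is signed: refuse an empty, non-CycloneDX or
# component-less document so a broken extraction is never published.
validate_sbom() {           # usage: validate_sbom out.cdx.json ; returns 1 on failure
    f="$1"
    [ -s "$f" ] || { echo "validate_sbom: $f is empty" >&2; return 1; }
    grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f" \
        || { echo "validate_sbom: $f is not CycloneDX" >&2; return 1; }
    grep -q '"components"[[:space:]]*:[[:space:]]*\[[[:space:]]*{' "$f" \
        || { echo "validate_sbom: $f lists no components" >&2; return 1; }
}

# Step 2: attach the SBOM to the registry artifact as a signed in-toto
# attestation. cosign uploads it next to the artifact and signs it
# (keyless via OIDC unless --key is added). Assumed invocation.
publish_sbom() {            # usage: publish_sbom out.cdx.json REF
    cosign attest --predicate "$1" --type cyclonedx "$2"
}

# Run the whole flow only when invoked as: script.sh component.wasm REF
# so that sourcing the file merely defines the functions.
if [ "$#" -eq 2 ]; then
    sbom="${1%.wasm}.cdx.json"
    extract_sbom "$1" "$sbom"
    validate_sbom "$sbom"
    publish_sbom "$sbom" "$2"
    echo "published SBOM attestation for $2"
fi
```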
