1ES Pipeline Templates generates SBOMs for our SBOMs #1331
Labels
Comments
|
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
1 similar comment
|
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
|
[Triage] The 1ES pipeline templates documentation specifies how to disable SBOM generation for specific artifacts: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/sbom |
lbussell
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We compute and upload our container image SBOMs ourselves, and upload them as a pipeline artifact. 1ES pipeline templates also generates an SBOM for every pipeline artifact that's published. Thus, 1ES pipeline templates ends up generating a (useless) SBOM for our real SBOMs. The result is that it's difficult to traverse the pipeline artifacts and grab a useful SBOM. We should find a way to stop uploading these meta-SBOMs.
Example:
sbomsfolder is what we upload._manifestfolder which contains the SBOMs for our SBOMs.The text was updated successfully, but these errors were encountered: