[Feature]: Implementations for 100% Security Compliance for CLOmonitor
#3943 created on September 30, 2022
Description
Requirement
To receive awards for compliance with CNCF best practices, Jaeger needs to implement SBOMs that will clear this check.
Problem
A Software Bill of Materials (SBOM) is a list of all the dependencies that went into your current build and deliverables. It contains more information about your project than a usual lockfile, also compiling each dependency's license, security and origin information into one neat packet. SBOMs are increasingly becoming a requirement to be provided with deliverables. For example, the recent NSA, CISA and ODNI Software Supply Chain Guidance for Developers recommends that producers of open source projects provide an SBOM for every project as a mitigation and as assurance of good development practice. SBOMs can also be checked by users adopting the software, giving them visibility into which constituent dependencies were used to build a given package and thereby more transparency into security issues, mitigations and footprint. Users can use this information to assess the security of the software, as well as to provide feedback and contributions back to your project.
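As an added example, not part of this issue or of the Jaeger code base, the following Go program performs the kind of consumer-side check described above: it parses a constructed CycloneDX JSON SBOM and reports the components that lack a license identifier or a package URL (origin). The sample components and the `Audit` function are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Minimal subset of the CycloneDX JSON schema needed for this check.
type sbom struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []component `json:"components"`
}
type component struct {
	Name     string `json:"name"`
	Version  string `json:"version"`
	PURL     string `json:"purl"` // package URL, i.e. where the component came from
	Licenses []struct {
		License struct{ ID string } `json:"license"` // ID holds the SPDX license identifier
	} `json:"licenses"`
}

// Constructed sample document; the components are hypothetical, not Jaeger's real dependencies.
const sampleSBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "example.org/liba", "version": "v1.2.0", "purl": "pkg:golang/example.org/liba@v1.2.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "example.org/libb", "version": "v0.9.1", "purl": "pkg:golang/example.org/libb@v0.9.1"},
    {"name": "example.org/libc", "version": "v2.0.0", "licenses": [{"license": {"id": "MIT"}}]}
  ]
}`
// Audit returns the component count and the sorted name@version of every component missing a license ID or purl.
func Audit(data []byte) (int, []string, error) {
	var b sbom
	if err := json.Unmarshal(data, &b); err != nil {
		return 0, nil, err
	}
	if b.BOMFormat != "CycloneDX" {
		return 0, nil, fmt.Errorf("unexpected bomFormat %q", b.BOMFormat)
	}
	var missing []string
	for _, c := range b.Components {
		if c.PURL == "" || len(c.Licenses) == 0 || c.Licenses[0].License.ID == "" {
			missing = append(missing, c.Name+"@"+c.Version)
		}
	}
	sort.Strings(missing)
	return len(b.Components), missing, nil
}
```

Running `Audit([]byte(sampleSBOM))` returns 3 components with `example.org/libb@v0.9.1` (no license) and `example.org/libc@v2.0.0` (no purl) flagged for follow-up.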
Proposal
Adopting SBOMs is easy. There are two standards out today, CycloneDX and SPDX. CLOMonitor by CNCF can automatically check your project for the presence of these files and give you guidance on how to get started creating one. To enable CLOMonitor with Sonatype Lift:
- Enable Sonatype Lift to run on your project’s repository. See Getting Started.
- Create a `.lift.toml` file in your project's root directory with the following line to enable on-demand CLOMonitor scans: `customTools=["/extra-tools/clomonitor.sh"]`
- If you would like to disable all additional scanning tools in Lift, also add the following line: `tools=[]`
- To run a scan and check your progress on completing the CLOMonitor checks, select your repository on the Lift dashboard, select the appropriate branch from the drop-down and hit "Analyze".
Open questions
Two additional security compliance measures not detailed here but needed for 100% completion are:
- Token permissions
- Updating the docs for signing releases