feat(publish-image): Attest SPDX SBOM alongside CycloneDX#114
Merged
Conversation
NickLarsenNZ
self-requested a review
June 29, 2026 10:20
Member
Author
Release noteSPDX SBOMs: In addition to the existing CycloneDX SBOMs, every image now also has an SBOM in the SPDX format attested to it. See the SBOM guide in our documentation for how to verify and extract them. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
We currently only generate and attest CycloneDX SBOMs, but some consumers expect SPDX. This PR derives an SPDX SBOM from the existing merged CycloneDX SBOM and attests it to the image as a second predicate, so every image we publish carries both formats.
Rather than generating SPDX independently, the merged CycloneDX SBOM is converted with
syft convert. This keeps both formats describing the same merged, deduplicated inventory (the mergebom output, including the reconstructed JAR dependency graph and therhel->redhatrename).Known issue: File-level entries are dropped by the conversion, package and dependency information is preserved. That is fine as the file-level information is totally optional anyway, SPDX still includes all the necessary information.
One extra step was needed: syft still emits the deprecated SPDX license id
GPL-2.0-with-classpath-exception, which strict SPDX validators reject. We rewrite it to the validGPL-2.0-only WITH Classpath-exception-2.0expression withjq. With that, the converted SPDX validates cleanly (pyspdxtools exits 0, while without it, exit 1 with 33+ errors).