Skip to content

feat(publish-image): Attest SPDX SBOM alongside CycloneDX#114

Merged
dervoeti merged 1 commit into
mainfrom
feat/publish-image-spdx-sbom
Jun 29, 2026
Merged

feat(publish-image): Attest SPDX SBOM alongside CycloneDX#114
dervoeti merged 1 commit into
mainfrom
feat/publish-image-spdx-sbom

Conversation

@dervoeti

Copy link
Copy Markdown
Member

We currently only generate and attest CycloneDX SBOMs, but some consumers expect SPDX. This PR derives an SPDX SBOM from the existing merged CycloneDX SBOM and attests it to the image as a second predicate, so every image we publish carries both formats.

Rather than generating SPDX independently, the merged CycloneDX SBOM is converted with syft convert. This keeps both formats describing the same merged, deduplicated inventory (the mergebom output, including the reconstructed JAR dependency graph and the rhel -> redhat rename).
Known issue: File-level entries are dropped by the conversion, package and dependency information is preserved. That is fine as the file-level information is totally optional anyway, SPDX still includes all the necessary information.

One extra step was needed: syft still emits the deprecated SPDX license id GPL-2.0-with-classpath-exception, which strict SPDX validators reject. We rewrite it to the valid GPL-2.0-only WITH Classpath-exception-2.0 expression with jq. With that, the converted SPDX validates cleanly (pyspdxtools exits 0, while without it, exit 1 with 33+ errors).

@dervoeti dervoeti moved this to Development: Waiting for Review in Stackable Engineering Jun 29, 2026
@dervoeti dervoeti self-assigned this Jun 29, 2026
@NickLarsenNZ NickLarsenNZ moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Jun 29, 2026
@NickLarsenNZ
NickLarsenNZ self-requested a review June 29, 2026 10:20

@NickLarsenNZ NickLarsenNZ left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dervoeti
dervoeti merged commit 167b6d4 into main Jun 29, 2026
13 checks passed
@dervoeti
dervoeti deleted the feat/publish-image-spdx-sbom branch June 29, 2026 10:57
@dervoeti dervoeti moved this from Development: In Review to Development: Done in Stackable Engineering Jun 29, 2026
@lfrancke lfrancke moved this from Development: Done to Acceptance: In Progress in Stackable Engineering Jul 6, 2026
@dervoeti

dervoeti commented Jul 6, 2026

Copy link
Copy Markdown
Member Author

Release note

SPDX SBOMs: In addition to the existing CycloneDX SBOMs, every image now also has an SBOM in the SPDX format attested to it. See the SBOM guide in our documentation for how to verify and extract them.

@lfrancke lfrancke moved this from Acceptance: In Progress to Done in Stackable Engineering Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

3 participants