BOM file for coretto java rpm #368
Comments
Corretto does not currently provide an SBOM, we can look into what that would entail for all of the build types and platforms supported. In the meantime, all of the license and version info should be in the legal directory of the RPM file.
Unfortunately, the "legal" catalog is not enough. Unknown versions are in the "jmod" directory, like:
Those are all present. xalan:
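The maintainer's reply above says the license and version information lives in the RPM's legal directory, and the issue itself asks how to turn the distribution into an SPDX document. The script below is an added example, not Corretto's own tooling or anything from this issue: it walks a JDK-style `legal/<module>/*.md` tree, reads the component name and version out of each notice file's first `## ` heading, and emits a minimal SPDX 2.3 JSON document with one package per notice. It assumes the heading layout OpenJDK uses ("## Apache Xalan v2.7.2"); where no version token is found it records `NOASSERTION` instead of guessing. The sample tree it builds is constructed for the demo and is not a real unpacked Corretto RPM; the `documentNamespace` URL is a placeholder.

```python
"""Build a minimal SPDX 2.3 JSON document from a JDK-style 'legal' directory.

Added example, not Corretto's own tooling. Assumptions (not from the issue):
  * third-party notice files live at legal/<module>/<component>.md and start
    with a level-2 heading such as "## Apache Xalan v2.7.2" (OpenJDK's layout);
  * a heading whose last token is 'v' followed by a digit carries the version;
    anything else is recorded as NOASSERTION rather than guessed.
"""
import json
import re
import tempfile
from pathlib import Path

# "## <name> v<version>" with the version part optional.
HEADING = re.compile(r"^##\s+(?P<name>.+?)(?:\s+v(?P<version>\d[\w.\-]*))?\s*$")


def parse_notice(text: str):
    """Return (name, version) from the first '## ' heading, or None if there is none."""
    for line in text.splitlines():
        m = HEADING.match(line)
        if m:
            return m.group("name").strip(), m.group("version") or "NOASSERTION"
    return None


def scan_legal_dir(legal: Path):
    """Walk legal/<module>/*.md and collect (module, component, version) triples."""
    found = []
    for md in sorted(legal.glob("*/*.md")):
        parsed = parse_notice(md.read_text(encoding="utf-8"))
        if parsed is None:
            continue  # no recognisable heading: skip rather than invent a version
        name, version = parsed
        found.append((md.parent.name, name, version))
    return found


def build_spdx(legal: Path, root_name: str) -> dict:
    """Assemble an SPDX 2.3 document: the JDK package CONTAINS one package per notice."""
    root_id = "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", root_name)
    packages = [{"SPDXID": root_id, "name": root_name, "downloadLocation": "NOASSERTION"}]
    relationships = []
    for i, (module, name, version) in enumerate(scan_legal_dir(legal)):
        pkg_id = f"SPDXRef-Package-{i}"
        packages.append({
            "SPDXID": pkg_id,
            "name": name,
            "versionInfo": version,
            "downloadLocation": "NOASSERTION",
            "comment": f"notice file under legal/{module}",
        })
        relationships.append({"spdxElementId": root_id,
                              "relationshipType": "CONTAINS",
                              "relatedSpdxElement": pkg_id})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{root_name}-third-party",
        # Placeholder namespace; a real pipeline would use its own URI.
        "documentNamespace": f"https://example.invalid/spdx/{root_name}",
        "packages": packages,
        "relationships": relationships,
    }


def demo() -> dict:
    """Constructed sample tree standing in for an unpacked RPM; not real Corretto files."""
    legal = Path(tempfile.mkdtemp()) / "legal"
    (legal / "java.xml").mkdir(parents=True)
    (legal / "java.xml" / "xalan.md").write_text(
        "## Apache Xalan v2.7.2\n\n### Apache Xalan Notice\n", encoding="utf-8")
    (legal / "java.base").mkdir()
    (legal / "java.base" / "public_suffix.md").write_text(
        "## Mozilla Public Suffix List\n\n### Public Suffix Notice\n", encoding="utf-8")
    return build_spdx(legal, "java-11-amazon-corretto")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against a real package, point `build_spdx` at the `legal` directory of an extracted RPM (for example after `rpm2cpio ... | cpio -idm`); components whose notice heading carries no `vN.N` token come out as `NOASSERTION` and need a manual version source, which is exactly the gap the jmod comment above is about.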
Hi,
Our security team requires defining versions for all 3rd party dependencies used by our Docker images. There is an internal tool used for scanning, and it has problems with the Corretto 11 RPM distribution.
I want to have the option to download/generate a BOM file during build in GitHub Actions and attach it to the build Docker file
Question:
Where can I find or generate a full BOM (SPDX format) file for the RPM distribution?
Snippet from Dockerfile:
The base image is Red Hat 9