Open
Description
We compute and upload our container image SBOMs ourselves, and upload them as a pipeline artifact. 1ES pipeline templates also generates an SBOM for every pipeline artifact that's published. Thus, 1ES pipeline templates ends up generating a (useless) SBOM for our real SBOMs. The result is that it's difficult to traverse the pipeline artifacts and grab a useful SBOM. We should find a way to stop uploading these meta-SBOMs.
Example:
- The `sboms` folder is what we upload.
- It contains SBOMs for each of the images in its own folder.
- 1ESPT injects the `_manifest` folder which contains the SBOMs for our SBOMs.
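One way to pick the real image SBOMs out of a downloaded artifact while skipping the injected meta-SBOMs, as an added example that is not code from this issue, from 1ESPT or from the SBOM tooling. It assumes the image SBOMs are SPDX 2.2 JSON, that the injected copy sits under a `_manifest/spdx_2.2` subfolder, and it builds a constructed sample tree to run against.

```python
import json
import os
import tempfile
from pathlib import Path

SBOM_SUFFIX = ".spdx.json"  # assumption: image SBOMs are SPDX 2.2 JSON
INJECTED_DIR = "_manifest"  # folder 1ESPT adds next to the uploaded artifact

def is_meta_sbom(sbom_path: Path) -> bool:
    """Content check: an SPDX doc whose 'files' are all SBOMs describes SBOMs, not an image."""
    doc = json.loads(sbom_path.read_text())
    files = doc.get("files") or []
    return bool(files) and all(f.get("fileName", "").endswith(SBOM_SUFFIX) for f in files)

def find_real_sboms(root: Path) -> list[str]:
    """Walk an artifact tree, prune injected _manifest dirs, drop meta-SBOMs found elsewhere."""
    real = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != INJECTED_DIR]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(SBOM_SUFFIX) and not is_meta_sbom(path):
                real.append(path.relative_to(root).as_posix())
    return sorted(real)

def build_sample_tree(root: Path) -> None:
    """Constructed layout mirroring the issue; contents are placeholders, not real SBOM data."""
    for img in ("api", "web"):
        d = root / "sboms" / img
        d.mkdir(parents=True)
        (d / f"{img}{SBOM_SUFFIX}").write_text(json.dumps({
            "spdxVersion": "SPDX-2.2", "name": img,
            "files": [{"fileName": f"./usr/bin/{img}"}],
        }))
    meta = {"spdxVersion": "SPDX-2.2", "name": "sboms",
            "files": [{"fileName": "./api/api.spdx.json"}, {"fileName": "./web/web.spdx.json"}]}
    injected = root / "sboms" / INJECTED_DIR / "spdx_2.2"  # subfolder name is an assumption
    injected.mkdir(parents=True)
    (injected / "manifest.spdx.json").write_text(json.dumps(meta))
    # a meta-SBOM that landed outside _manifest: the content check must still exclude it
    (root / "sboms" / "index.spdx.json").write_text(json.dumps(meta))

def demo() -> list[str]:
    """Build the sample tree in a temp dir and return only the image SBOM paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_real_sboms(root)  # ['sboms/api/api.spdx.json', 'sboms/web/web.spdx.json']
```

The folder-name prune handles the case the issue describes; the content check additionally catches a meta-SBOM that was copied anywhere else in the artifact.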