Commit cf81a211 authored by Clement Bois's avatar Clement Bois

fix(sbom): disable file catalogers for Syft SBOM (to minimize SBOM file)

parent 5c6c0f62
+1 −1
@@ -148,7 +148,7 @@ It is bound to the `test` stage, and uses the following variables:
| `sbom-disabled` / `SBT_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `TBC_SBOM_MODE`                       | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `SBT_SBOM_DISABLED` takes precedence | `onrelease` |
| `sbom-image` / `SBT_SBOM_IMAGE` | The syft image used for SBOM analysis | `registry.hub.docker.com/anchore/syft:debug` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-SBT_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-SBT_SBOM_IMAGE) |
| `sbom-opts` / `SBT_SBOM_OPTS` | Options for syft used for SBOM analysis | `dir:sbt-cache/coursier --catalogers java-cataloger` |
| `sbom-opts` / `SBT_SBOM_OPTS` | Options for syft used for SBOM analysis | `dir:sbt-cache/coursier --catalogers java-cataloger --select-catalogers -file` |

In addition to logs in the console, this job produces the following reports, kept for one week:

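Review bot: the new `sbom-opts` default combines the older `--catalogers java-cataloger` selection with the newer `--select-catalogers -file` expression, while the `sbom-image` row two lines above pins syft only to the floating `registry.hub.docker.com/anchore/syft:debug` tag, so whether both flags are honoured together depends on whichever syft version that tag resolves to; please verify the combination against the syft version actually pulled (or express the whole selection in one `--select-catalogers` expression such as `--select-catalogers=+java-cataloger,-file`, which also makes clear that the leading `-` in `-file` is a selection expression and not a syft flag). Since the commit's stated goal is a smaller SBOM, it would also help to say in the description column that file catalogers are excluded on purpose, so that users who override `SBT_SBOM_OPTS` know to keep `-file`.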
+1 −1
@@ -59,7 +59,7 @@
        {
          "name": "SBT_SBOM_OPTS",
          "description": "Options for syft used for SBOM analysis",
          "default": "dir:sbt-cache/coursier --catalogers java-cataloger",
          "default": "dir:sbt-cache/coursier --catalogers java-cataloger --select-catalogers -file",
          "advanced": true
        }
      ]
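Review bot: the `description` two lines above the changed `default` still reads "Options for syft used for SBOM analysis" and gives no hint that file catalogers are now deliberately dropped; a short addition there (e.g. "file catalogers disabled to keep the SBOM small") would keep someone from "restoring" them later. The value itself is byte-identical to the README and template hunks in this commit, which is what matters here since this metadata is what ends up copied into generated pipelines.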
+1 −1
@@ -40,7 +40,7 @@ spec:
      default: registry.hub.docker.com/anchore/syft:debug
    sbom-opts:
      description: Options for syft used for SBOM analysis
      default: dir:sbt-cache/coursier --catalogers java-cataloger
      default: dir:sbt-cache/coursier --catalogers java-cataloger --select-catalogers -file
    publish-mode:
      description: Publish mode (one of _none_, `snapshot`, `ontag`, `release`)
      options:
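Review bot: the `default:` value is an unquoted YAML plain scalar; it parses as the intended string because it starts with `dir:` (no space after the colon), but now that the option string carries tokens beginning with `-`, a future reorder that puts a `- ` at the start of the line would be read as a block sequence rather than a string, so quoting the value (`default: "dir:sbt-cache/coursier --catalogers java-cataloger --select-catalogers -file"`) would be a cheap defensive change. Otherwise this hunk is consistent with the README and kicker.json defaults changed in the same commit.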