docs: add SBOM for container-runtimes

Partial for #10940 Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2025-08-05 22:07:14 +02:00 · 2025-07-23 13:10:58 +02:00 · 2025-07-23 13:10:58 +02:00 · c66e678b2b
commit c66e678b2b
parent c479d91284
8 changed files with 47 additions and 1 deletions
--- a/container-runtime/crun/pkg.yaml
+++ b/container-runtime/crun/pkg.yaml
@ -34,7 +34,14 @@ steps:
        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
-
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/crun.spdx.json
+      version: {{ .CRUN_VERSION }}
+      cpes:
+        - cpe:2.3:a:crun_project:crun:{{ .CRUN_VERSION }}:*:*:*:*:*:*:*
+      licenses:
+        - GPL-2.0
+        - LGPL-2.1
 finalize:
  - from: /rootfs
    to: /rootfs
--- a/container-runtime/ecr-credential-provider/pkg.yaml
+++ b/container-runtime/ecr-credential-provider/pkg.yaml
@ -45,6 +45,11 @@ steps:
        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/ecr-credential-provider.spdx.json
+      version: {{ .CLOUD_PROVIDER_AWS_VERSION }}
+      licenses:
+        - Apache-2.0
 finalize:
  - from: /rootfs
    to: /rootfs
--- a/container-runtime/gvisor/pkg.yaml
+++ b/container-runtime/gvisor/pkg.yaml
@ -57,6 +57,13 @@ steps:
        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/gvisor.spdx.json
+      version: {{ .GVISOR_VERSION }}
+      cpes:
+        - cpe:2.3:a:google:gvisor:{{ .GVISOR_VERSION }}:*:*:*:*:*:*:*
+      licenses:
+        - Apache-2.0
 finalize:
  - from: /rootfs
    to: /rootfs
--- a/container-runtime/kata-containers/pkg.yaml
+++ b/container-runtime/kata-containers/pkg.yaml
@ -69,6 +69,13 @@ steps:
        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/kata-containers.spdx.json
+      version: {{ .KATA_CONTAINERS_VERSION }}
+      cpes:
+        - cpe:2.3:a:katacontainers:kata_containers:{{ .KATA_CONTAINERS_VERSION }}:*:*:*:*:*:*:*
+      licenses:
+        - Apache-2.0
 finalize:
  - from: /rootfs
    to: /rootfs
--- a/container-runtime/spin/pkg.yaml
+++ b/container-runtime/spin/pkg.yaml
@ -33,6 +33,11 @@ steps:
        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/spin.spdx.json
+      version: {{ .SPIN_VERSION }}
+      licenses:
+        - Apache-2.0
 finalize:
  - from: /rootfs
    to: /rootfs
--- a/container-runtime/stargz-snapshotter/pkg.yaml
+++ b/container-runtime/stargz-snapshotter/pkg.yaml
@ -60,6 +60,11 @@ steps:
        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/stargz-snapshotter.spdx.json
+      version: {{ .STARGZ_SNAPSHOTTER_VERSION }}
+      licenses:
+        - Apache-2.0
 finalize:
  - from: /rootfs
    to: /rootfs
--- a/container-runtime/wasmedge/pkg.yaml
+++ b/container-runtime/wasmedge/pkg.yaml
@ -33,6 +33,11 @@ steps:
        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/wasmedge.spdx.json
+      version: {{ .WASMEDGE_VERSION }}
+      licenses:
+        - Apache-2.0
 finalize:
  - from: /rootfs
    to: /rootfs
--- a/container-runtime/youki/pkg.yaml
+++ b/container-runtime/youki/pkg.yaml
@ -34,6 +34,11 @@ steps:
        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/youki.spdx.json
+      version: {{ .YOUKI_VERSION }}
+      licenses:
+        - Apache-2.0

 finalize:
  - from: /rootfs