We Built the Kubernetes SBOM and Now You Can Write Your Own! - Adolfo García Veytia, uServers
Abstract
At the end of 2020, SIG Release set a goal to produce a Software Bill of Materials for Kubernetes to provide the community and downstream consumers with a verifiable manifest to attest the completeness and consistency of the artifacts built and published with each release. Adolfo will tell how the Release Engineering team built the Kubernetes SBOM and how this effort resulted in a set of libraries and tools which can be leveraged by software developers and other projects to create their own SPDX-compliant Bill of Materials out of files and container images with automatic license detection. He will address the role an SBOM plays in the software supply chain puzzle, enumerating its benefits for developers and operators. He will do a review of the SPDX standard (Software Package Data Exchange) and the rich relationships between software components it can express. The session will feature a live demo of building an SPDX SBOM using said tools which are already available to download.