An open API service providing package, version and dependency metadata of many open source software ecosystems and registries.

Top 8.9% on proxy.golang.org
Top 9.6% dependent packages on proxy.golang.org
Top 4.7% dependent repos on proxy.golang.org
Top 9.8% forks on proxy.golang.org

proxy.golang.org : github.com/fkautz/gitbom-go

Package gitbom implements GitBOM. Read the spec at https://hackmd.io/@aeva/draft-gitbom-spec

GitBOM is neither git nor an SBOM. It is an application of the git DAG, a widely used Merkle tree with a flat-file storage format, to the challenge of creating build artifact trees in today's language-heterogeneous open source environments. By generating artifact trees at build time, embedding the hash of the tree in produced artifacts, and referencing that hash in the next build step, GitBOM will enable the zero-end-user-effort creation of verifiable build trees. Furthermore, it will enable launch-time comparison of vulnerability data against a complete artifact tree for both open source and proprietary projects (if vulnerability data is traceable back to source files).

Objective

It is desirable to enable efficient launch-time comparison of the verifiable and complete build tree of any executable component [1] against a then-current list of source files known to be undesirable [2], where such a build tree contains unique referents for all sources from which the given executable object was composed.

[1]: binary, dynamically-linked library, container image, etc.
[2]: because vulnerabilities may be discovered between the time an executable is created and the time when it is run, these processes must be decoupled.

purl: pkg:golang/github.com/fkautz/gitbom-go
License: Apache-2.0,MIT
Latest release: about 3 years ago
First release: about 3 years ago
Namespace: github.com/fkautz
Dependent packages: 1
Dependent repositories: 1
Stars: 6 on GitHub
Forks: 3 on GitHub
See more repository details: repos.ecosyste.ms
Last synced: about 1 month ago
