Extract the SBOM from Component and publish to the registry

Once #53 lands and we've confirmed it works, the next step will be to extract the SBOM and publish it to the registry. I've filed https://github.com/bytecodealliance/wasm-pkg-tools/issues/154 to enable `wkg` to do this automatically, but we should get ahead of that and do start by doing it manually first.

To get the SBOM from the binary we have to install `auditable2cdx`, but currently that's blocked on https://github.com/rust-secure-code/cargo-auditable/issues/188. That should be easy enough for maintainers to resolve though, so we should be ok waiting on that. Once that lands I expect us to implement the following flow:

1. Extract the SBOM as CycloneDX-formatted JSON from the `.wasm` binary
3. Push and sign the SBOM on the registry using `cosign` ([guide](https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/))

To my knowledge there is nothing else we need to do here, but let me know if I've missed anything here. Thanks!

## References

- https://github.com/rust-secure-code/cargo-auditable/issues/188
- https://github.com/bytecodealliance/wasm-pkg-tools/issues/154
- [Chainguard - How to sign an SBOM with cosign](https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/)

##

cc/ @shnatsel, @thomastaylor312, and @phickey for awareness


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Extract the SBOM from Component and publish to the registry #54

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Extract the SBOM from Component and publish to the registry #54

Description

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions