Conceptual SBOM model for an APT-based Linux distribution
This is a draft of an entirely exploratory learning exercise to generate SBOMs from first principles that can accompany an APT-based Linux distribution, which in this context is either a disk or a container image obtained from any source including runtime instances, packaged images, debootstraps, etc. Input and comments welcome: Twitter and also on the CNCF, CycloneDX, CDF, Sigstore and other Slacks.
Here's the current version of the output (SPDX) which features:
- Identifying information for the primary component (at this time, the
purlidentifiers for each binary package in the image