Add deprecation notice for any usage of SBOM attachments #3256

Merged
merged 1 commit into from
Sep 25, 2023

@lcarva lcarva commented Sep 22, 2023

Summary

This change marks any usage of SBOM attachments as deprecated. Instead, users are recommended to use SBOM attestations due to their increased security.

Resolves #2755

Release Note

  • Add deprecation notice for any usage of SBOM attachments

Documentation

Updated the SBOM_SPEC.md to indicate SBOM attachments are deprecated.

codecov bot commented Sep 22, 2023

Codecov Report

Merging #3256 (158d21f) into main (df7d157) will increase coverage by 0.49%.
The diff coverage is 5.55%.

@@            Coverage Diff             @@
##             main    #3256      +/-   ##
==========================================
+ Coverage   29.83%   30.32%   +0.49%     
==========================================
  Files         155      155              
  Lines        9845     9853       +8     
==========================================
+ Hits         2937     2988      +51     
+ Misses       6480     6418      -62     
- Partials      428      447      +19     
Files Changed Coverage Δ
cmd/cosign/cli/attach.go 0.00% <0.00%> (ø)
cmd/cosign/cli/download.go 0.00% <0.00%> (ø)
cmd/cosign/cli/options/clean.go 0.00% <0.00%> (ø)
cmd/cosign/cli/options/sign.go 0.00% <0.00%> (ø)
cmd/cosign/cli/options/triangulate.go 0.00% <0.00%> (ø)
cmd/cosign/cli/options/verify.go 0.00% <0.00%> (ø)
cmd/cosign/cli/sign.go 0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify.go 21.26% <33.33%> (-0.13%) ⬇️

... and 4 files with indirect coverage changes

This change marks any usage of SBOM attachments as deprecated. Instead,
users are recommended to use SBOM attestations due to their increased
security.

Resolves sigstore#2755

Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
@haydentherapper haydentherapper merged commit d12c5c6 into sigstore:main Sep 25, 2023
28 checks passed
@github-actions github-actions bot added this to the v2.3.0 milestone Sep 25, 2023
@lcarva lcarva deleted the deprecate-sbom-attachment branch September 25, 2023 18:39
lance pushed a commit to securesign/cosign that referenced this pull request Sep 25, 2023
@cpanato cpanato modified the milestones: v2.3.0, v2.2.1 Nov 16, 2023
Development

Successfully merging this pull request may close these issues.

Deprecate --attachment sbom commands