The requirements for the Partner Premier Tag mention inclusion of an SBOM, but don’t have any guidance about how the SBOM should be presented and signed in Github Releases.
I assume that each provider binary (os/architecture combination) is going to need its own SBOM because of slight differences in build requirements (golang.org/x/sys/unix vs. golang.org/x/sys/windows). So, we’re talking about several SBOMs per release version.
Options which have occurred to me include:
- Include each SBOM in the per-os-per-arch zip file
  - This would be convenient to publish…
  - But not so convenient for consumption by the SBOM archive my employer operates
- Make each SBOM an independent release artifact and sign each directly
- Make each SBOM an independent release artifact and include it in SHASUMs
- Introduce an SBOMs.zip which either
  - contains one or more signatures
  - is signed
  - is included in SHASUMs
So… What will Hashicorp be looking for here?
I’m currently leaning toward adding a bunch of top-level artifacts named like terraform-provider-foo_1.2.3_os_arch_SBOM.json and including them in the SHASUMs file.
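As an added example (not from either poster), a POSIX shell sketch of the layout the original poster leans toward: per-os/arch SBOM files named alongside the provider zips, all covered by one SHA256SUMS file, plus the consumer-side check that a downloaded SBOM actually matches that file. The `_SHA256SUMS` filename and the platform list are assumptions; every artifact's contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread: builds a SHA256SUMS file that covers
# per-os/arch SBOM artifacts alongside the provider zips, and verifies one
# SBOM against it the way a consumer would. Names follow the
# terraform-provider-foo_1.2.3_<os>_<arch> pattern from the post; contents
# are constructed placeholders.
set -eu

PROVIDER="terraform-provider-foo"
VERSION="1.2.3"
PLATFORMS="linux_amd64 darwin_arm64 windows_amd64"   # assumed platform set

# Produce constructed placeholder artifacts in $1 (a scratch directory).
make_artifacts() {
  dir="$1"
  for p in $PLATFORMS; do
    printf 'placeholder zip for %s\n' "$p" > "$dir/${PROVIDER}_${VERSION}_${p}.zip"
    # Minimal constructed SBOM document; a real one comes from the SBOM tool used in the build.
    printf '{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"component":{"name":"%s","version":"%s"}},"platform":"%s"}\n' \
      "$PROVIDER" "$VERSION" "$p" > "$dir/${PROVIDER}_${VERSION}_${p}_SBOM.json"
  done
}

# Hash every release artifact (zips and SBOMs) into the SHASUMS file; that one
# file is what the release signature (SHA256SUMS.sig) then covers. Prints its path.
write_shasums() {
  dir="$1"
  (cd "$dir" && sha256sum "${PROVIDER}_${VERSION}"_*.zip "${PROVIDER}_${VERSION}"_*_SBOM.json \
    > "${PROVIDER}_${VERSION}_SHA256SUMS")
  printf '%s/%s_%s_SHA256SUMS\n' "$dir" "$PROVIDER" "$VERSION"
}

# Consumer-side check: is this SBOM listed in SHASUMS, and does its digest match?
verify_sbom() {
  shasums="$1"; sbom="$2"
  name=$(basename "$sbom")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$shasums")
  [ -n "$expected" ] || { echo "SBOM $name not covered by SHASUMS" >&2; return 1; }
  actual=$(sha256sum "$sbom" | awk '{ print $1 }')
  [ "$expected" = "$actual" ] || { echo "digest mismatch for $name" >&2; return 1; }
}
```

Verifying the signature on the SHA256SUMS file is the step that ties the digests to the publisher; this check only establishes that a given SBOM is the one the file describes.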
Hello there! I am on the HashiCorp partner team and want to say thanks up front for this thoughtful outreach, and thanks for bringing it to our attention.
The end goal of that new requirement is really around transparency for customers that require an SBOM in their software packages due to security requirements. As such, we’re more than willing to work with partners around what is the path to least resistance around fulfillment of this requirement while providing this transparency to customers.
So, your suggestion of including top-level artifacts and including them in the SHASUMs file is perfectly fine. (So is your other top suggestion, if your employer is fine with SBOM archive.)
When ready, please feel free to fill out this form and we’d be happy to work with you further on this.
We’ve already got the partner tag on our providers, and I get invited to partner briefings and whatnot, so I think we’re mostly in good shape on that front.
We’re not running tests from GitHub Actions right now, but that’s something I’ve been wanting to change, so I’m happy to use Hashicorp as an excuse to get that sorted out.
The SBOM requirement is in the same category (I’ve been looking for an excuse), but when I read the requirement, I assumed it would be validated somehow (maybe in the registry?).
Now it sounds like it’s closer to a spot-check by a Hashicorp Partner Alliance Manager, so I’ll just stick 'em in there somehow.
And don’t worry, I’ll be banging on your door for that premier tag once I’m ready.