ci: build: archive SBOM and VEX information for every build#343
Merged
jluebbe merged 3 commits intolinux-automation:whinlatterfrom Mar 6, 2026
Merged
ci: build: archive SBOM and VEX information for every build#343jluebbe merged 3 commits intolinux-automation:whinlatterfrom
jluebbe merged 3 commits intolinux-automation:whinlatterfrom
Conversation
The vulnerability exploitability data can be used to analyze found CVEs after the fact using sbom-cve-check. Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
This tracks the files which are compiled in so we can ignore CVEs that only affect files we do not build. Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
These files allow use to check for vulnerabilities after the fact. Since these files are not as large as our disk images and bundles, upload them using the normal GitHub artifact upload instead of the forrest runner. This makes it a bit easier to retrieve them again in other actions. Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
jluebbe
approved these changes
Mar 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a subset of #338 that only generates and uploads the SBOM data, but does not do anything with it yet.
Getting this merged before #338 should allow us to experiment more.