This guide is most relevant to buildpack authors.
See the spec release for buildpack API 0.7 for the full list of changes and further details.
Buildpacks may write Software Bill of Materials (SBOM) files describing build- or run-time dependencies. These files must use a supported SBOM media type (for example, `application/vnd.syft+json`); a buildpack may output SBOM files in multiple formats. Files may be written to the following locations:
- `<layers>/<layer>.sbom.<ext>` - for describing dependencies associated with a layer (e.g. golibraries in a `golibraries` layer)
- `<layers>/launch.sbom.<ext>` - for describing run-time dependencies not associated with a layer
- `<layers>/build.sbom.<ext>` - for describing build-time dependencies not associated with a layer
`<ext>` extensions are as follows:

| SBOM Media Type | File Extension |
|---|---|
| `application/vnd.syft+json` | `syft.json` |
SBOM files for launch will be included in the application image if the Platform API supports it; SBOM files for build may be saved off by the platform prior to the build container exiting.
Layer-associated SBOM files will be cached and restored to the buildpack layers directory on re-builds of the same image (much like the `<layers>/<layer>.toml` metadata file). `<layers>/build.sbom.<ext>` must be re-created on each build.
`[bom]` tables in `launch.toml` and `build.toml` are deprecated, but remain supported to enable backwards compatibility with platforms implementing Platform API < 0.8.
The buildpack descriptor (`buildpack.toml`) gains an `sbom-formats` array indicating the SBOM formats output by the buildpack.
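The file layout above (`<layer>.sbom.<ext>`, `launch.sbom.<ext>`, `build.sbom.<ext>`) and the `sbom-formats` declaration together give a buildpack author something concrete to check before shipping: every SBOM file in `<layers>` should map to a known media type, that media type should be declared in `sbom-formats`, and the file should at least parse. The following is an added example, not code from the buildpacks project; it builds a constructed `<layers>` directory in a temp dir and classifies its SBOM files. The Syft row is the one named on this page; the CycloneDX and SPDX extension rows, the `golibraries.toml` layer metadata and the `sbom-formats` value are assumptions made for the example.

```python
import json
import os
import re
import tempfile

# <ext> per SBOM media type. The Syft entry is the one named on this page;
# the CycloneDX and SPDX rows are assumed from the buildpack spec's table.
EXT_BY_MEDIA_TYPE = {
    "application/vnd.cyclonedx+json": "cdx.json",
    "application/spdx+json": "spdx.json",
    "application/vnd.syft+json": "syft.json",
}
MEDIA_TYPE_BY_EXT = {ext: mt for mt, ext in EXT_BY_MEDIA_TYPE.items()}

# <scope>.sbom.<ext>, where <scope> is "launch", "build", or a layer name.
SBOM_NAME = re.compile(r"^(?P<scope>.+?)\.sbom\.(?P<ext>.+)$")


def classify_sbom_files(layers_dir, declared_formats):
    """Classify every *.sbom.* file directly under <layers>.

    declared_formats is the buildpack's sbom-formats array (media types).
    Each result has: name, scope ("layer" | "launch" | "build"), layer
    (layer name or None), media_type (or None), and a list of problems.
    """
    results = []
    for name in sorted(os.listdir(layers_dir)):
        match = SBOM_NAME.match(name)
        if not match:
            continue  # not an SBOM file (e.g. launch.toml or a layer's .toml)
        token, ext = match.group("scope"), match.group("ext")
        problems = []

        media_type = MEDIA_TYPE_BY_EXT.get(ext)
        if media_type is None:
            problems.append(f"unknown SBOM extension {ext!r}")
        elif media_type not in declared_formats:
            problems.append(f"{media_type} not declared in sbom-formats")

        # All supported media types are JSON, so the file must at least parse.
        try:
            with open(os.path.join(layers_dir, name), encoding="utf-8") as fh:
                json.load(fh)
        except ValueError as exc:
            problems.append(f"not valid JSON: {exc}")

        if token in ("launch", "build"):
            scope, layer = token, None
        else:
            scope, layer = "layer", token
            # Added sanity check: a layer SBOM should sit beside its <layer>.toml.
            if not os.path.isfile(os.path.join(layers_dir, token + ".toml")):
                problems.append(f"no {token}.toml beside layer SBOM")

        results.append({"name": name, "scope": scope, "layer": layer,
                        "media_type": media_type, "problems": problems})
    return results


def build_sample_layers():
    """Create a constructed <layers> directory for the demo and return its path."""
    layers = tempfile.mkdtemp(prefix="layers-")
    files = {  # constructed sample files, not a real build's output
        "golibraries.toml": "[types]\nlaunch = true\n",
        "golibraries.sbom.syft.json": '{"artifacts": []}',
        "launch.sbom.syft.json": '{"artifacts": []}',
        "build.sbom.cdx.json": '{"bomFormat": "CycloneDX"}',
        "cache.sbom.txt": "not a supported format",
        "broken.sbom.syft.json": "{",
    }
    for name, body in files.items():
        with open(os.path.join(layers, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return layers


if __name__ == "__main__":
    declared = ["application/vnd.syft+json"]  # constructed sbom-formats value
    for entry in classify_sbom_files(build_sample_layers(), declared):
        status = "ok" if not entry["problems"] else "; ".join(entry["problems"])
        print(f"{entry['name']:28} {entry['scope']:7} {status}")
```

Run it as a script and it prints one line per SBOM file: the two Syft files are `ok`, the CycloneDX build SBOM is flagged because its media type is not in the declared `sbom-formats`, `cache.sbom.txt` is rejected for its extension, and the truncated file fails the JSON check. The `<layer>.toml` check is the example's own heuristic for catching SBOM files left behind from a layer that no longer exists; the spec only requires the naming convention.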