early feedback.

This commit is contained in:
Julian Schauder
2025-12-03 11:55:28 +01:00
parent 6cf0288de8
commit 14f4a39ad2


@@ -32,9 +32,7 @@ SPDX-License-Identifier: Apache-2.0
# Preamble / Scope
This document lays out the requirements for open-source products that should become part of openDesk (called "component" in the following).
As this is a comprehensive set of requirements, most new components will not adhere to all of them.
This document lays out the requirements for all components of the openDesk (called "component" in the following).
This document can be used to assess the status and possible gaps for a component, which might itself be the basis for a decision if the component should be integrated into openDesk by working on closing the identified gaps.
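Review bot: the new scope sentence ("the requirements for all components of the openDesk") no longer matches the retained follow-up sentence, which still talks about assessing "possible gaps" as "the basis for a decision if the component should be integrated into openDesk", i.e. components that are not yet part of openDesk. Dropping "As this is a comprehensive set of requirements, most new components will not adhere to all of them." removes the explanation of why gaps are expected at all. Either keep that sentence, or reword the second paragraph so it reads as a gap assessment for existing components (for example "...which might itself be the basis for a decision on whether and how the identified gaps are closed"). Minor: "of the openDesk" should read "of openDesk", as the rest of the document uses the name without an article.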
@@ -47,16 +45,17 @@ This document can be used to assess the status and possible gaps for a component
> NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
> "OPTIONAL" in this document are to be interpreted as described in
> [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119).
> - MUST(NOT): These requirements are hard requirements and must be fulfilled. If technically possible they can be considered hard-blocking qualitygates that could prevent a new components artifact/container from being deployed.
> - SHOULD(NOT): These requirements don't need to be fulfilled but might be the future. Any given MUST-Requirement was a SHOULD-Requirement for at minimum 90 days and can only be bumped as an openDesk RFC.
# Software bill of materials (SBOMs)
openDesk pürovides in-depth SBOM for container images. Those SBOMs are Scoped on a per-container basis. SBOMs SHOULD contain all software components present in the final image, even when obfuscated through static linking. False-Positive-Components are expected.
[ToDo: align this with ironDesk requirements]
Components MUST provide artifact and source code SBOMs in a standardized manner, ideally in the current [CycloneDX](https://cyclonedx.org/tool-center/) format ( 1.7 at time of writing ). This is explicitly supported by openCode's [DevGuard](https://devguard.opencode.de/) toolchain.
openDesk is looking into options for in-depth SBOM creation first for container images and later for source code. Components MUST provide artifact and source code SBOMs in a standardized manner, ideally in the openCode preferred [SPDX 2.2.1](https://spdx.org/rdf/ontology/spdx-2-2-1/) format.
**Reference:** https://gitlab.opencode.de/bmi/opendesk/deployment/SBOM/-/tree/main/sboms/0.5.74
## Artifact SBOMs
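Review bot: the responsibility for SBOMs is ambiguous in this hunk. The opening paragraph states that openDesk itself "provides in-depth SBOM for container images", scoped per container, while the next paragraph says "Components MUST provide artifact and source code SBOMs"; please state explicitly which SBOMs the component has to deliver and which openDesk generates from the final image, otherwise a component cannot tell whether a per-container SBOM produced by openDesk satisfies its MUST. Related: "SBOMs SHOULD contain all software components present in the final image, even when obfuscated through static linking. False-Positive-Components are expected." should say who is expected to tolerate the false positives and whether a component is allowed to fail a quality gate because of them, given that the MUST(NOT) definition above calls MUST requirements "hard-blocking qualitygates". The format change from "the openCode preferred SPDX 2.2.1" to "ideally in the current CycloneDX format ( 1.7 at time of writing )" should also say whether SPDX remains acceptable, since "ideally" is not RFC 2119 language and the sentence is a MUST. Smaller items: the typo "pürovides", the capitalised "Scoped", the leftover "[ToDo: align this with ironDesk requirements]" marker, and in the SHOULD(NOT) definition "might be the future" reads incompletely (perhaps "might become MUST requirements in the future").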