Skip to main content
Version: 1.12.x

Manifest

A Hoppr specific YAML file that specifies product dependencies required for product deployments. Could be provided by product teams for use by end customers.

Hoppr currently supports the following Package URLs (PURLs) to find components. From version 1.10.0 onward the following package types are supported:

PURL TypeDescription
cargocargo packages
debDebian-based packages (only apt-based packages currently supported)
dockercontainer images
gemRubyGems packages
genericstand-alone files (e.g. binary) not handled by a package manager
gitgit repositories and helm charts
golanggolang packages
helmhelm charts
mavenmaven packages
npmnpm packages
nugetnuget packages
pypipython packages
rawalias for generic
rpmredhat RPMs (yum/dnf)

Example manifest.yml

---
schemaVersion: v1
kind: Manifest

metadata:
name: Example Manifest File
version: "1.0.0"
description: This is an example manifest.yml file

sboms:
- url: https://example.com/example-bom.json
- local: ../example-bom.json

includes:
- url: https://example.com/example.yml
- local: ../example.yml

repositories:
docker:
- url: registry.docker.io # Protocol is not required for registries
description: Description for the repository URL
- url: https://example.com/
pypi:
- url: https://example.com/
description: Description for the repository URL
- url: https://example2.com/

Manifest Fields

The following provides a top level explanation of the fields available in the Manifest file.

metadata

Provides information about the manifest file itself. All fields are optional.

NameDescription
nameManifest file name
versionManifest file version
descriptionManifest file description

sboms

Locations of CycloneDX Software Bill of Materials files to be processed by Hoppr.

Each item in the list requires exactly one of the following fields:

NameDescription
localPath to SBOM file relative to manifest
ocioci:// URL of remotely hosted SBOM file
urlhttp:// or https:// URL of remotely hosted SBOM file

includes

Additional manifest files that should be merged with this manifest to create the final file that Hoppr will utilize

Each item in the list requires exactly one of the following fields:

NameDescription
localPath to manifest file relative to this manifest
urlhttp:// or https:// URL of remotely hosted manifest file

repositories

Locations for Hoppr to use when pulling artifacts based on the PURL type in the SBOM

  • While most PURL types define sane defaults for repositories if not specified by the user, it is recommended to explicitly define artifact source repositories
  • Multiple repository URLs can be specified for each PURL type, and attempts to collect components from these repositories will occur in the order in which they are defined