TAP 1.6 – Metadata Store Improvements

The Metadata Store has been a key element in a secure supply chain within TAP since the GA of TAP, and it provides a central location where all CVE data and SBOMs are stored for our source code and images. In TAP 1.6, we get a great new set of functionality in the metadata store, allowing for us to now have vulnerability reports stored per build and not just a single report per workload image. This new feature can be extremely beneficial, as it allows us to perform queries and figure out in which version a specific vulnerability was first introduced, as well as a really great ability to understand which CVEs TBS for example with new dependencies was able to solve for us without the need to change anything in our source code! The aggregated report is not gone, we simply now also have per build reports, giving us the best of all worlds! While this may seem like a small feature, it actually truly is huge, and is a huge milestone down the path to being able to perform full end to end tracability and attestation for our supply chains, as well as providing a clear and simple API to be able to gain truly important insights on the development flows within our organization. This new functionality, combined with the new data being included in the Metadata Store DB via AMR, can open up endless opportunities for data driven decision making and reporting for TAP, which simply has not been possible till today. Summary While this new functionality is API/CLI accessible only today, I truly hope to see this integrated into a UI flow in a future release, where we could do diffs between reports of an image and gain clear visibility of the changes between specific image builds in a clear and concise manner!