
Add plugin for SBOM generation#87

Merged
starksm64 merged 4 commits into master from ivargrimstad-add-sbom-gen
Oct 25, 2023
Conversation

@ivargrimstad
Member

Also update plugin versions in pluginManagement section
parent/pom.xml Outdated
</pluginManagement>

<plugins>
<plugin>
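Review bot: Declaring the plugin in the `<plugins>` block that follows `</pluginManagement>` binds an execution into every module that inherits parent/pom.xml, rather than only pinning its version; if the intent is opt-in or opt-out SBOM generation, keep the version pin in `<pluginManagement>` and put the execution in a profile that projects can disable.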
Contributor

Not sure about the change. The plugin will run in every module using this as parent, and for example in OpenMQ I see this:

[INFO] --- cyclonedx-maven-plugin:2.7.9:makeAggregateBom (default) @ mq ---
[INFO] CycloneDX: Resolving Dependencies
[INFO] CycloneDX: Creating BOM version 1.4 with 1 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): .../mq/main/target/bom.xml
[INFO]            attaching as mq-6.5.0-SNAPSHOT-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): .../mq/main/target/bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO]            attaching as mq-6.5.0-SNAPSHOT-cyclonedx.json

Member Author

Yes, it will spit out some warnings if there is metadata that is needed for the SBOM generation that is missing, or wrongly configured.

Thanks for testing it out btw. I plan to run it on a couple of specs and implementations as well during next week to see that it doesn't break anything.

Contributor

Is this some EF requirement? I don't understand why every child project is going to need this.

Member Author

Not at the moment, but there will eventually be a requirement to produce SBOMs coming up in the near future. This work is to be upfront with that. That said, if it generates a lot of problems for the projects, we can add it in a profile that can be disabled for those projects experiencing problems until it is fixed.

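The opt-out profile mentioned in the reply above, written out as an added example for parent/pom.xml (this is not code from the PR; the profile id `sbom` and the `skipSbom` property name are assumptions, and the plugin version and goal are the ones visible in the build log earlier in this thread):

```xml
<!-- Added example, not part of the PR: SBOM generation in a profile that is
     active by default and can be switched off per build with -DskipSbom.
     "sbom" and "skipSbom" are illustrative names, not project conventions. -->
<profiles>
  <profile>
    <id>sbom</id>
    <activation>
      <!-- "!skipSbom" activates the profile whenever the property is NOT set,
           so the SBOM is produced unless a project opts out explicitly. -->
      <property>
        <name>!skipSbom</name>
      </property>
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.cyclonedx</groupId>
          <artifactId>cyclonedx-maven-plugin</artifactId>
          <version>2.7.9</version>
          <executions>
            <execution>
              <id>make-sbom</id>
              <phase>package</phase>
              <goals>
                <!-- Same goal as in the OpenMQ log above: one BOM for the
                     whole reactor rather than one per module. -->
                <goal>makeAggregateBom</goal>
              </goals>
              <configuration>
                <schemaVersion>1.4</schemaVersion>
                <!-- "all" writes both bom.xml and bom.json, as in the log. -->
                <outputFormat>all</outputFormat>
              </configuration>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

A child project that runs into problems builds with `mvn -DskipSbom package` (or sets the property in its own pom) until the metadata is fixed; everyone else keeps producing the BOM without touching their pom. Because the goal attaches the generated files as `-cyclonedx.xml` and `-cyclonedx.json` artifacts, as the log shows, they are installed and deployed alongside the main artifact, which is what makes the SBOM discoverable by consumers. The plugin also has its own skip property (`cyclonedx.skip`) that can be used instead of a profile; check the plugin documentation for the version in use before relying on it.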
The absence of SBOMs for all components will very likely be seen by IT decision makers as a big drawback. Our mission for EE is to create a product that appeals to IT decision makers.

@edburns left a comment

Wouldn't you also need to increment the version of the POM itself, in line 27?

@starksm64
Member

Wouldn't you also need to increment the version of the POM itself, in line 27?

That is automatically managed by the release plugin. It is only updated when there is an actual release, not on every commit.

@starksm64 starksm64 merged commit 65bf125 into master Oct 25, 2023
@starksm64
Member

I tried this on the cdi project and saw no ill effects

@ivargrimstad
Member Author

I tried this on the cdi project and saw no ill effects

Thanks, Scott!

4 participants