[SBOM] Capture all tools with their version / digest that are downloaded during a build #3535
Assignees
Labels
enhancement
Issues that enhance the code or documentation of the repo in any way
Comments
netomi
added
the
enhancement
|
Noting that CycloneDX is pulled from the build.getDependency job: temurin-build/cyclonedx-lib/build.xml Line 47 in 08ef952 While the checksums are stored in the ant build file, we can generate those for the artifacts on the file system at SBoM creation time and incorporate those. |
|
PR for the CycloneDX now merged, build.getDependencies re-run to pick up the new version, so #3538 can proceed |
|
CycloneDX SHAs are in the SBoM so this is complete as far as I'm aware. Closing. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The sbom should capture all external tools with their version / digests that are downloaded during the build. This mainly concerns the cyclonedx tools / dependencies.
Ideally, in the long run, there should not be a need to download these tools externally for each build, but they could be hosted in a tool repository that is checked out using a defined commit during the build to avoid relying on external services as much as possible.
The text was updated successfully, but these errors were encountered: