Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AVRO-3700: Publish Java SBOM artifacts with CycloneDX #2046

Merged
merged 1 commit into from Jan 6, 2023
Merged

AVRO-3700: Publish Java SBOM artifacts with CycloneDX #2046

merged 1 commit into from Jan 6, 2023

Conversation

dongjoon-hyun
Copy link
Member

@dongjoon-hyun dongjoon-hyun commented Jan 5, 2023
edited

What is the purpose of the change

This PR aims to publish SBOM artifacts.

Here is an article to give some context.

Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: CycloneDX, Software Identification (SWID) tag, Software Package Data Exchange® (SPDX).

This PR uses CycloneDX maven plugin, a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

Verifying this change

Manually verify with the following procedure. avro-1.12.0-SNAPSHOT.jar will have avro-1.12.0-SNAPSHOT-cyclonedx.xml and avro-1.12.0-SNAPSHOT-cyclonedx.json BOM files.

$ mvn install -DskipTests
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  02:04 min
[INFO] Finished at: 2023-01-05T10:15:49-08:00
[INFO] ------------------------------------------------------------------------

$ ls -al ~/.m2/repository/org/apache/avro/avro/1.12.0-SNAPSHOT/
total 2184
drwxr-xr-x  9 dongjoon  staff     288 Jan  5 10:14 .
drwxr-xr-x  5 dongjoon  staff     160 Jan  5 10:14 ..
-rw-r--r--  1 dongjoon  staff     302 Jan  5 10:14 _remote.repositories
-rw-r--r--  1 dongjoon  staff   17421 Jan  5 10:14 avro-1.12.0-SNAPSHOT-cyclonedx.json
-rw-r--r--  1 dongjoon  staff   15178 Jan  5 10:14 avro-1.12.0-SNAPSHOT-cyclonedx.xml
-rw-r--r--  1 dongjoon  staff  443402 Jan  5 10:14 avro-1.12.0-SNAPSHOT-tests.jar
-rw-r--r--  1 dongjoon  staff  612699 Jan  5 10:14 avro-1.12.0-SNAPSHOT.jar
-rw-r--r--  1 dongjoon  staff    9510 Jan  5 10:03 avro-1.12.0-SNAPSHOT.pom
-rw-r--r--  1 dongjoon  staff    1329 Jan  5 10:14 maven-metadata-local.xml

Documentation

This is a build-only change.

@github-actions github-actions bot added the build label Jan 5, 2023
@dongjoon-hyun
Copy link
Member Author

Could you review this, @dkulp , @iemejia , @martin-g ?

@iemejia iemejia self-requested a review January 5, 2023 20:02
@dongjoon-hyun
Copy link
Member Author

Thank you, @martin-g and @iemejia .

@iemejia
Copy link
Member

iemejia commented Jan 5, 2023

One question @dongjoon-hyun I am kind of new in the SBOM world but looking around it seems like there are like 3 big standards, any reason to choose the Cyclone one over SPDX (which seems to be the one being pushed by the Linux Foundation)? I am ok with merging this as it is, just curious. Better to have one that none :)

I am also wondering what other Apache projects use. Just from a quick look it seems not even Log4j with all the mess of the last year is publishing their SBOM and there are not recommendations yet from the security group at the ASF

@dongjoon-hyun
Copy link
Member Author

dongjoon-hyun commented Jan 6, 2023
edited

Yes, among those three standards, CycloneDX and SPDX formats are proper for us and Maven plugins exist in the same way.

Although this PR delivers CycloneDX-style BOM files first, we may want to add SDPX-style BOM files additionally later. They are not exclusive. The reason why I choose CycloneDX is that it's simpler and focuses on mostly for application security and supply-chain component analysis, @iemejia . This fits my needs first.

@dongjoon-hyun
Copy link
Member Author

dongjoon-hyun commented Jan 6, 2023
edited

For the second question, I also searched some references in ASF foundation, but I could not find any. So, I'm proposing and leading in the following way, @iemejia .

iemejia
iemejia approved these changes Jan 6, 2023
View reviewed changes
Copy link
Member

@iemejia iemejia left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Excellent initiative @dongjoon-hyun! For future ref if someone tumbles into this PR/ticket there is ongoing discussion at the ASF about a possible standard for SBOM so this might evolve/change in the future.
https://cwiki.apache.org/confluence/display/COMDEV/SBOM

@iemejia iemejia changed the title AVRO-3700: Publish SBOM artifacts AVRO-3700: Publish Java SBOM artifacts with CycloneDX Jan 6, 2023
@iemejia iemejia merged commit 82fc40b into apache:master Jan 6, 2023
@iemejia iemejia mentioned this pull request Jan 6, 2023
Merged
@dongjoon-hyun
Copy link
Member Author

Oh, thank you for that info. @iemejia

@nielsbasjes nielsbasjes mentioned this pull request Feb 18, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iemejia iemejia iemejia approved these changes

@martin-g martin-g martin-g approved these changes

Assignees
No one assigned
Labels
build
Projects
None yet
Milestone
No milestone
3 participants
@dongjoon-hyun @iemejia @martin-g