-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FLINK-30578][build] Publish SBOM artifacts #21606
Conversation
cc @gyfora , @mbalassi , @morhidi, @gaborgsomogyi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @dongjoon-hyun. Just to make sure that I understand correctly do these BOM files get automatically published on maven deploy?
Thank you for merging, @mbalassi ! |
Thanks, @dongjoon-hyun. Works like a charm: |
What is the purpose of the change
This PR aims to publish SBOM artifacts.
Here is an article to give some context.
Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: CycloneDX, Software Identification (SWID) tag, Software Package Data Exchange® (SPDX).
This PR uses CycloneDX maven plugin, a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
Brief change log
cyclonedx-maven-plugin
pluginVerifying this change
Each
jar
file will have two corresponding files,xxx-cyclonedx.xml
andxxx-cyclonedx.json
, like the following.Does this pull request potentially affect one of the following parts:
@Public(Evolving)
: NoDocumentation