HBASE-27562 Publish SBOM artifacts #4953
Conversation
Could you review this, @ndimiduk, @huaxiangsun?
💔 -1 overall
This message was automatically generated.
Please run
💔 -1 overall
🎊 +1 overall
Thank you, @Apache9. I did
🎊 +1 overall
FYI @dongjoon-hyun most of HBase's dependencies are masked behind the hbase-thirdparty libraries. For full utility, I suspect that we'll need that project to also publish an SBOM.
Okay, this is a problem.
Is there a newer version of this plugin that supports multi-threaded builds?
Looks like not yet, CycloneDX/cyclonedx-maven-plugin#77
Have you explored the Apache release process for the resulting artifacts? Does the release manager need to do anything special with the attached artifacts in order to publish them properly?
🎊 +1 overall
Thank you for the review, @ndimiduk. This activity focuses on publishing SBOMs of the Maven Central jars.
🎊 +1 overall
Let me test locally.
This is what I've gotten in the local staging dir by running the command
Seems fine, we will publish the SBOM files along with the other files, so no more work is needed. And as @ndimiduk has already pointed out, for hbase-thirdparty there is a problem: we shade and relocate other libraries, so we will miss that information when others depend on hbase-thirdparty. But anyway, I think this can be improved later.
Thank you so much, @Apache9!
Going to merge this later unless there are objections. Thanks.
Signed-off-by: Duo Zhang <zhangduo@apache.org> (cherry picked from commit 5feb06b)
Thank you all!
This PR aims to publish SBOM artifacts along with the other Apache projects.
Here is an article to give some context.
A Software Bill of Materials (SBOM) is an additional artifact containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: CycloneDX, Software Identification (SWID) tag, and Software Package Data Exchange® (SPDX).
We can use one of the Maven plugins, the CycloneDX Maven plugin, which implements a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
https://maven.apache.org/plugins/index.html#misc
The expected results
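As an added illustration of the kind of build change discussed in this PR (this is not the PR's own diff, which is not shown on this page), here is a cyclonedx-maven-plugin entry for a module pom.xml that attaches the BOM to the module's build; the plugin version is a placeholder and the scope settings are assumptions.

```xml
<!-- Illustrative entry for the <build><plugins> section of a module pom.xml.
     Added example, not the PR's diff. Version and scope settings are assumptions. -->
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>PLUGIN_VERSION_PLACEHOLDER</version>
  <configuration>
    <!-- emit both bom.xml and bom.json so either CycloneDX consumer can read it -->
    <outputFormat>all</outputFormat>
    <!-- the published inventory should describe what ships, so leave test deps out -->
    <includeTestScope>false</includeTestScope>
    <!-- compile and runtime dependencies are what a downstream user actually pulls in -->
    <includeCompileScope>true</includeCompileScope>
    <includeRuntimeScope>true</includeRuntimeScope>
  </configuration>
  <executions>
    <execution>
      <!-- run during package so the BOM exists before install/deploy pick up attached artifacts -->
      <phase>package</phase>
      <goals>
        <goal>makeBom</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With this in place, `mvn package` writes `target/bom.xml` and `target/bom.json`, and `mvn deploy` uploads them as attached artifacts with the `cyclonedx` classifier, which is why they appear in the staging directory next to the jars. Note the caveat raised in the thread: the BOM only lists Maven dependencies, so libraries that hbase-thirdparty shades and relocates will not appear in a downstream project's BOM, and at the time of this PR the plugin did not yet support multi-threaded (`-T`) builds.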