ORC-1342: Publish SBOM artifacts #1353
Conversation
cc @omalley, @williamhyun, @wgtmac, @guiyanakuang, @stiga-huang, @pavibhai

Just curious: is it relevant to the BOM of Maven?

No, it's not. While a Maven BOM pom is designed like the following, this PR is simply providing an additional manifest.

Here is the context. Let me add this link to the PR description too.
Thanks @dongjoon-hyun!
LGTM +1
+1 LGTM. Thank you, @dongjoon-hyun
Thank you, @wgtmac and @guiyanakuang.
### What changes were proposed in this pull request?

This PR aims to publish `SBOM` artifacts.

### Why are the changes needed?

Here is an article to give some context.
- https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/

Software Bills of Materials (SBOMs) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX](https://cyclonedx.org/), [Software Identification (SWID) tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software Package Data Exchange® (SPDX)](https://spdx.dev/).

This PR uses the [CycloneDX maven plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin), a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

For example, `orc-core-1.9.0-SNAPSHOT-cyclonedx.json` and `orc-core-1.9.0-SNAPSHOT-cyclonedx.xml` are attached like the following.

```
$ tree ~/.m2/repository/org/apache/orc/orc-core
/Users/dongjoon/.m2/repository/org/apache/orc/orc-core
├── 1.9.0-SNAPSHOT
│   ├── _remote.repositories
│   ├── maven-metadata-apache.snapshots.xml
│   ├── maven-metadata-apache.snapshots.xml.sha1
│   ├── maven-metadata-local.xml
│   ├── orc-core-1.9.0-20230103.231254-184.jar
│   ├── orc-core-1.9.0-20230103.231254-184.jar.sha1
│   ├── orc-core-1.9.0-20230103.231254-184.pom
│   ├── orc-core-1.9.0-20230103.231254-184.pom.sha1
│   ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.json
│   ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.xml
│   ├── orc-core-1.9.0-SNAPSHOT-nohive.jar
│   ├── orc-core-1.9.0-SNAPSHOT-shaded-protobuf.jar
│   ├── orc-core-1.9.0-SNAPSHOT-sources.jar
│   ├── orc-core-1.9.0-SNAPSHOT-test-sources.jar
│   ├── orc-core-1.9.0-SNAPSHOT-tests.jar
│   ├── orc-core-1.9.0-SNAPSHOT.jar
│   ├── orc-core-1.9.0-SNAPSHOT.pom
│   └── resolver-status.properties
└── maven-metadata-local.xml
```

### How was this patch tested?

After installing locally, check the `*cyclonedx.*` files.

```
$ mvn install -DskipTests
```

Closes #1353 from dongjoon-hyun/ORC-1342.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
(cherry picked from commit ef775fb)
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
+1 Late LGTM
It looks great!
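A published `*-cyclonedx.json` only pays off for a consumer who checks it against what actually ships. As an added example, not code from this PR or from the ORC project, the following Python script parses a CycloneDX JSON BOM of the kind cyclonedx-maven-plugin writes and compares each component's recorded hash against the jar in a local Maven repository laid out like the `~/.m2/repository` tree above. The BOM, its component list (`orc-shims`, `protobuf-java`, `slf4j-api` stand in for real dependencies) and the jar bytes are all constructed for illustration; the plugin's actual output for orc-core differs, and the `HASH_ALGS` mapping, the `m2_jar_path` resolver and the status vocabulary are this example's own assumptions.

```python
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field

# Constructed jar contents standing in for real artifacts (not ORC's own jars),
# keyed by their path inside a Maven repository layout.
FAKE_JARS = {
    "org/apache/orc/orc-shims/1.9.0-SNAPSHOT/orc-shims-1.9.0-SNAPSHOT.jar":
        b"PK\x03\x04 constructed orc-shims bytes",
    "com/google/protobuf/protobuf-java/3.17.3/protobuf-java-3.17.3.jar":
        b"PK\x03\x04 constructed protobuf-java bytes",
}
ORC_SHIMS_SHA256 = hashlib.sha256(
    FAKE_JARS["org/apache/orc/orc-shims/1.9.0-SNAPSHOT/orc-shims-1.9.0-SNAPSHOT.jar"]).hexdigest()

# Constructed CycloneDX 1.4 document in the shape cyclonedx-maven-plugin emits.
# Components, purls and hashes are illustrative, not the real orc-core BOM: one hash
# matches the fake jar, one is deliberately wrong, one component carries no hash.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "library", "group": "org.apache.orc",
                               "name": "orc-core", "version": "1.9.0-SNAPSHOT"}},
    "components": [
        {"type": "library", "group": "org.apache.orc", "name": "orc-shims",
         "version": "1.9.0-SNAPSHOT",
         "purl": "pkg:maven/org.apache.orc/orc-shims@1.9.0-SNAPSHOT?type=jar",
         "hashes": [{"alg": "SHA-256", "content": ORC_SHIMS_SHA256}]},
        {"type": "library", "group": "com.google.protobuf", "name": "protobuf-java",
         "version": "3.17.3",
         "purl": "pkg:maven/com.google.protobuf/protobuf-java@3.17.3?type=jar",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api", "version": "1.7.36",
         "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.36?type=jar"},
    ],
})

# CycloneDX hash algorithm names -> hashlib names, strongest first (assumed subset).
HASH_ALGS = {"SHA-512": "sha512", "SHA-384": "sha384", "SHA-256": "sha256",
             "SHA-1": "sha1", "MD5": "md5"}

@dataclass
class Component:
    group: str
    name: str
    version: str
    purl: str
    hashes: dict = field(default_factory=dict)  # CycloneDX alg name -> lowercase hex

def parse_bom(text: str) -> list:
    """Parse a CycloneDX JSON BOM; reject documents that are not CycloneDX at all."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX document")
    return [Component(c.get("group", ""), c["name"], c["version"], c.get("purl", ""),
                      {h["alg"]: h["content"].lower() for h in c.get("hashes", [])})
            for c in bom.get("components", [])]

def m2_jar_path(m2_root: str, c: Component) -> str:
    """Main jar under the standard layout <group/as/path>/<name>/<version>/<name>-<version>.jar.
    Classifier jars such as -shaded-protobuf are not resolved by this example."""
    return os.path.join(m2_root, *c.group.split("."), c.name, c.version,
                        f"{c.name}-{c.version}.jar")

def verify_component(c: Component, jar_path: str) -> str:
    """Return 'ok', 'mismatch', 'no-hash' or 'missing' for one component."""
    usable = [alg for alg in HASH_ALGS if alg in c.hashes]  # keeps HASH_ALGS order
    if not usable:
        return "no-hash"  # nothing to verify against: a finding, not a pass
    if not os.path.isfile(jar_path):
        return "missing"
    with open(jar_path, "rb") as f:
        actual = hashlib.new(HASH_ALGS[usable[0]], f.read()).hexdigest()
    return "ok" if actual == c.hashes[usable[0]] else "mismatch"

def audit_bom(text: str, m2_root: str) -> dict:
    """Map each component (by purl) to its verification status."""
    return {c.purl or f"{c.group}:{c.name}:{c.version}":
            verify_component(c, m2_jar_path(m2_root, c)) for c in parse_bom(text)}

def populate_fake_repo(m2_root: str) -> None:
    """Write the constructed jar bytes into a Maven-layout directory."""
    for rel, data in FAKE_JARS.items():
        path = os.path.join(m2_root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def demo_audit() -> dict:
    """Run the audit against a throwaway repository built from FAKE_JARS."""
    with tempfile.TemporaryDirectory() as repo:
        populate_fake_repo(repo)
        return audit_bom(SAMPLE_BOM, repo)

if __name__ == "__main__":
    for purl, status in demo_audit().items():
        print(f"{status:9s} {purl}")
```

Against real plugin output, call `audit_bom(open(path).read(), os.path.expanduser("~/.m2/repository"))`. Anything other than `ok` is a finding: `mismatch` means the local artifact is not the one the BOM describes, `no-hash` means the BOM cannot be used for integrity checking of that component at all (a BOM may omit hashes for some components), and a match on MD5 or SHA-1 alone is worth reporting separately since neither is collision resistant. The resolver only looks up the main jar; the classifier variants visible in the tree above (`-nohive`, `-shaded-protobuf`) would need the purl's `classifier` qualifier handled as well.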