
ORC-1342: Publish SBOM artifacts #1353

Closed
wants to merge 1 commit

Conversation

@dongjoon-hyun (Member) commented Jan 5, 2023

What changes were proposed in this pull request?

This PR aims to publish SBOM artifacts.

Why are the changes needed?

Here is an article to give some context.
- https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/

Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX](https://cyclonedx.org/), [Software Identification (SWID) tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software Package Data Exchange® (SPDX)](https://spdx.dev/).

This PR uses the [CycloneDX maven plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin), a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

For example, `orc-core-1.9.0-SNAPSHOT-cyclonedx.json` and `orc-core-1.9.0-SNAPSHOT-cyclonedx.xml` are attached like the following.

```
$ tree ~/.m2/repository/org/apache/orc/orc-core
/Users/dongjoon/.m2/repository/org/apache/orc/orc-core
├── 1.9.0-SNAPSHOT
│   ├── _remote.repositories
│   ├── maven-metadata-apache.snapshots.xml
│   ├── maven-metadata-apache.snapshots.xml.sha1
│   ├── maven-metadata-local.xml
│   ├── orc-core-1.9.0-20230103.231254-184.jar
│   ├── orc-core-1.9.0-20230103.231254-184.jar.sha1
│   ├── orc-core-1.9.0-20230103.231254-184.pom
│   ├── orc-core-1.9.0-20230103.231254-184.pom.sha1
│   ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.json
│   ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.xml
│   ├── orc-core-1.9.0-SNAPSHOT-nohive.jar
│   ├── orc-core-1.9.0-SNAPSHOT-shaded-protobuf.jar
│   ├── orc-core-1.9.0-SNAPSHOT-sources.jar
│   ├── orc-core-1.9.0-SNAPSHOT-test-sources.jar
│   ├── orc-core-1.9.0-SNAPSHOT-tests.jar
│   ├── orc-core-1.9.0-SNAPSHOT.jar
│   ├── orc-core-1.9.0-SNAPSHOT.pom
│   └── resolver-status.properties
└── maven-metadata-local.xml
```

How was this patch tested?

After installing locally, check the `*cyclonedx.*` files.
```
$ mvn install -DskipTests
```
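What a downstream consumer can do with the published `*-cyclonedx.json`, as an added example that is not ORC project code. It parses a constructed CycloneDX 1.4 document in the shape the cyclonedx-maven-plugin writes (the root component under `metadata`, a flat `components` list, and a `dependencies` graph keyed by `bom-ref`; the `-cyclonedx` suffix in the file names above is the classifier the plugin attaches the BOM under), walks the graph to get the transitive closure a consumer really pulls in, flags components that carry no hash and so cannot be matched to a specific binary, and diffs the closure against coordinates observed elsewhere. The last check matters because the plugin derives the BOM from Maven's resolved dependency graph, not from the bytes of a jar: for a relocated or shaded artifact such as the `shaded-protobuf` jar in the tree, the consumer should confirm that what is bundled matches what the SBOM says. The component versions, digests and the `observed` coordinate list are constructed placeholders, not ORC's real dependencies.

```python
"""Consumer-side checks for a CycloneDX JSON SBOM such as the orc-core-*-cyclonedx.json
this PR publishes. Added example, not ORC project code; the BOM below is constructed."""
import json
from collections import deque
from urllib.parse import unquote


def _component(group, name, version, sha256=None):
    """One component record in the shape cyclonedx-maven-plugin emits: the purl doubles as bom-ref."""
    purl = f"pkg:maven/{group}/{name}@{version}?type=jar"
    comp = {"type": "library", "group": group, "name": name, "version": version,
            "purl": purl, "bom-ref": purl}
    if sha256:
        comp["hashes"] = [{"alg": "SHA-256", "content": sha256}]
    return comp


# Constructed CycloneDX 1.4 document. Versions and digests are illustrative placeholders,
# not ORC's real dependency versions; aircompressor deliberately carries no hash.
ROOT = _component("org.apache.orc", "orc-core", "1.9.0-SNAPSHOT")
SHIMS = _component("org.apache.orc", "orc-shims", "1.9.0-SNAPSHOT", "a1" * 32)
PROTOBUF = _component("com.google.protobuf", "protobuf-java", "3.17.3", "b2" * 32)
AIRCOMP = _component("io.airlift", "aircompressor", "0.21")
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": ROOT},
    "components": [SHIMS, PROTOBUF, AIRCOMP],
    "dependencies": [
        {"ref": ROOT["bom-ref"], "dependsOn": [SHIMS["bom-ref"], PROTOBUF["bom-ref"]]},
        {"ref": SHIMS["bom-ref"], "dependsOn": [AIRCOMP["bom-ref"]]},
    ],
})


def load_bom(text):
    """Parse JSON and refuse anything that does not declare itself a CycloneDX BOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX JSON BOM")
    return bom


def purl_to_gav(purl):
    """pkg:maven/<group>/<artifact>@<version>?qualifiers -> 'group:artifact:version'."""
    if not purl.startswith("pkg:maven/"):
        raise ValueError("not a Maven purl: " + purl)
    path = purl[len("pkg:maven/"):].split("?", 1)[0]
    group, rest = path.split("/", 1)
    artifact, version = rest.split("@", 1)
    return ":".join(unquote(p) for p in (group, artifact, version))


def transitive_refs(bom, start_ref=None):
    """Every bom-ref reachable from the root component (or start_ref) through the
    'dependencies' graph; this is what a consumer actually pulls in, which need not
    equal the flat 'components' list."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    if start_ref is None:
        start_ref = bom["metadata"]["component"]["bom-ref"]
    seen, queue = set(), deque([start_ref])
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def unpinned_components(bom):
    """Purls of components that carry no hash: named, but not tied to a specific binary."""
    return sorted(c["purl"] for c in bom.get("components", []) if not c.get("hashes"))


def compare_with_resolved(bom, observed_gavs):
    """Diff the SBOM's transitive closure against coordinates seen elsewhere (for example
    from `mvn dependency:list`, or the META-INF/maven/*/pom.properties inside a shaded jar).
    Returns (observed but absent from SBOM, in SBOM but not observed)."""
    index = {c["bom-ref"]: c for c in bom.get("components", [])}
    index[bom["metadata"]["component"]["bom-ref"]] = bom["metadata"]["component"]
    in_bom = {purl_to_gav(index[ref]["purl"]) for ref in transitive_refs(bom)}
    observed = set(observed_gavs)
    return sorted(observed - in_bom), sorted(in_bom - observed)


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    print("reachable from root:", sorted(transitive_refs(bom)))
    print("no hash recorded:", unpinned_components(bom))
    # Constructed list of what a downstream build actually resolved; slf4j-api is the drift.
    observed = ["org.apache.orc:orc-shims:1.9.0-SNAPSHOT", "com.google.protobuf:protobuf-java:3.17.3",
                "io.airlift:aircompressor:0.21", "org.slf4j:slf4j-api:1.7.36"]
    missing, extra = compare_with_resolved(bom, observed)
    print("observed but absent from SBOM:", missing, "| in SBOM but not observed:", extra)
```

To run it against a real artifact, replace `SAMPLE_BOM` with the contents of the installed `orc-core-<version>-cyclonedx.json` and feed `compare_with_resolved` the coordinates your own build resolved; a non-empty first list means you ship something the SBOM does not declare, and a non-empty `unpinned_components` result means the SBOM cannot vouch for that component's bytes.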

@dongjoon-hyun added this to the 1.7.8 milestone Jan 5, 2023
@wgtmac (Member) commented Jan 5, 2023

@dongjoon-hyun (Member, Author):

No, it's not. While a Maven BOM pom is designed like the following, this PR is simply providing an additional manifest.

Other projects that wish to use the library should import this POM into the dependencyManagement section of their POM.

@dongjoon-hyun (Member, Author):

Here is the context. Let me add this link to the PR description too.

@wgtmac (Member) left a comment

Thanks @dongjoon-hyun!
LGTM +1

@guiyanakuang (Member) left a comment

+1 LGTM. Thank you, @dongjoon-hyun

@dongjoon-hyun (Member, Author):

Thank you, @wgtmac and @guiyanakuang.
Merged to main/1.8/1.7.

dongjoon-hyun added a commit that referenced this pull request Jan 5, 2023
Closes #1353 from dongjoon-hyun/ORC-1342.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
(cherry picked from commit ef775fb)
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
dongjoon-hyun added a commit that referenced this pull request Jan 5, 2023
Closes #1353 from dongjoon-hyun/ORC-1342.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
(cherry picked from commit ef775fb)
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
@dongjoon-hyun dongjoon-hyun deleted the ORC-1342 branch January 5, 2023 07:41
@williamhyun (Member) left a comment

+1 Late LGTM

It looks great!

cxzl25 pushed a commit to cxzl25/orc that referenced this pull request Jan 11, 2024
Closes apache#1353 from dongjoon-hyun/ORC-1342.

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
4 participants