[SPARK-41893][BUILD] Publish SBOM artifacts #39401
Conversation
cc @srowen and @HyukjinKwon
Ah, it seems that I missed some failures. I convert this as
The PR is ready for review now. Could you review when you have some time?
Seems fine to me. I'm not sure if the maven release plugin will also push this to Maven Central, but maybe that's not essential. Do the files look plausible, like they appear to contain the transitive dependencies and more or less match what's in the "deps" files in the repo?
Thank you, @srowen.
So it basically generates an aggregate of dependencies as xml and json files and attaches them to the jar files, right?
Based on the context, looks good to me.
Looks good, but maybe wait for a while for others to chime in if they have some opinions.
Yes, right. Thank you, @viirya.
Looks fine to me too.
Thank you, @sunchao
Thank you all. Let me merge this.
We can see the published SBOM tomorrow, after tomorrow's snapshot publishing.
Thanks @dongjoon-hyun!
What changes were proposed in this pull request?
This PR aims to publish SBOM artifacts.
Why are the changes needed?
Here is an article to give some context.
Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: CycloneDX, Software Identification (SWID) tag, Software Package Data Exchange® (SPDX).
This PR uses the CycloneDX Maven plugin. CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
For example, spark-tags_2.12-3.4.0-SNAPSHOT-cyclonedx.xml and spark-tags_2.12-3.4.0-SNAPSHOT-cyclonedx.json files are attached to spark-tags_2.12-3.4.0-SNAPSHOT.jar.
Does this PR introduce any user-facing change?
Yes, but dev-only changes.
How was this patch tested?
Manually tested.
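The review above asks whether the generated files actually contain the transitive dependencies and line up with the "deps" files in the repo. The script below is an added example of how a consumer of the published SBOM can check that; it is not code from this PR or from the Spark project. It parses the `components` and `dependencies` arrays of a CycloneDX JSON document (the layout the cyclonedx-maven-plugin emits), diffs the component set against a manifest in the `artifactId/version//file.jar` line format assumed here to mirror Spark's dev/deps files, and flags components that no dependency edge references. Both the SBOM document and the manifest lines are constructed samples.

```python
"""Cross-check a CycloneDX JSON SBOM against a Spark-style dependency manifest.

Added example, not part of the PR. The manifest line format
(artifactId/version//file.jar) is an assumption modelled on Spark's
dev/deps files; both inputs below are constructed for the example.
"""
import json

# Constructed CycloneDX 1.4 document in the shape cyclonedx-maven-plugin writes.
# "snappy-java" is deliberately listed without any dependency edge so the
# graph check below has something to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {
            "type": "library", "group": "org.apache.spark",
            "name": "spark-tags_2.12", "version": "3.4.0-SNAPSHOT",
            "bom-ref": "pkg:maven/org.apache.spark/spark-tags_2.12@3.4.0-SNAPSHOT?type=jar",
        }
    },
    "components": [
        {"type": "library", "group": "org.scala-lang", "name": "scala-library",
         "version": "2.12.17",
         "bom-ref": "pkg:maven/org.scala-lang/scala-library@2.12.17?type=jar"},
        {"type": "library", "group": "org.apache.zookeeper", "name": "zookeeper",
         "version": "3.6.3",
         "bom-ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.6.3?type=jar"},
        {"type": "library", "group": "io.netty", "name": "netty-all",
         "version": "4.1.87.Final",
         "bom-ref": "pkg:maven/io.netty/netty-all@4.1.87.Final?type=jar"},
        {"type": "library", "group": "org.xerial.snappy", "name": "snappy-java",
         "version": "1.1.8.4",
         "bom-ref": "pkg:maven/org.xerial.snappy/snappy-java@1.1.8.4?type=jar"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.apache.spark/spark-tags_2.12@3.4.0-SNAPSHOT?type=jar",
         "dependsOn": ["pkg:maven/org.scala-lang/scala-library@2.12.17?type=jar",
                       "pkg:maven/org.apache.zookeeper/zookeeper@3.6.3?type=jar"]},
        {"ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.6.3?type=jar",
         "dependsOn": ["pkg:maven/io.netty/netty-all@4.1.87.Final?type=jar"]},
    ],
})

# Constructed manifest lines (assumed artifactId/version//filename layout).
# zookeeper-jute is present here but absent from the SBOM above.
SAMPLE_DEPS = """\
netty-all/4.1.87.Final//netty-all-4.1.87.Final.jar
scala-library/2.12.17//scala-library-2.12.17.jar
zookeeper/3.6.3//zookeeper-3.6.3.jar
zookeeper-jute/3.6.3//zookeeper-jute-3.6.3.jar
"""


def sbom_components(sbom_text):
    """Return {(name, version)} for every component listed in the SBOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {(c["name"], c["version"]) for c in doc.get("components", [])}


def deps_manifest(text):
    """Parse artifactId/version//file.jar lines into {(name, version)}."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps the filename (which may itself contain '/') intact
        name, version, _filename = line.split("/", 2)
        entries.add((name, version))
    return entries


def compare(sbom_text, deps_text):
    """Diff the SBOM component set against the manifest in both directions."""
    in_sbom = sbom_components(sbom_text)
    in_deps = deps_manifest(deps_text)
    return {
        "missing_from_sbom": sorted(in_deps - in_sbom),
        "extra_in_sbom": sorted(in_sbom - in_deps),
    }


def unreferenced_components(sbom_text):
    """Names of components that appear in no `dependencies` edge.

    A listed component that nothing depends on cannot be traced back to the
    direct dependency that pulled it in, so it deserves a manual look.
    """
    doc = json.loads(sbom_text)
    referenced = set()
    for edge in doc.get("dependencies", []):
        referenced.add(edge["ref"])
        referenced.update(edge.get("dependsOn", []))
    return sorted(c["name"] for c in doc.get("components", [])
                  if c.get("bom-ref") not in referenced)


if __name__ == "__main__":
    print(compare(SAMPLE_SBOM, SAMPLE_DEPS))
    print("unreferenced:", unreferenced_components(SAMPLE_SBOM))
```

Against a real release you would feed `compare` the downloaded `*-cyclonedx.json` and the matching dev/deps file; the `missing_from_sbom` list is the one that matters for the question raised in review, since it shows manifest entries the SBOM failed to record.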