BOM and Compatibility Matrix Implementation #55
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit implements Bill of Materials (BOM) and Software Bill of Materials (SBOM) generation to support supply chain security, compliance, and transparency requirements. Changes: - Add scripts/generate-bom.sh to extract and generate BOM in multiple formats - Text format (human-readable) - YAML format (Kubernetes-friendly) - JSON format (CycloneDX standard) - Add Makefile target 'generate-bom' for local BOM generation - Update release workflow to automatically generate BOM and SBOM: - Custom BOM tracking all managed container images - SBOM in CycloneDX, SPDX, and Syft formats using Anchore Syft - Include BOM/SBOM files in GitHub release artifacts - Update release notes template to document BOM/SBOM availability - Add comprehensive documentation in docs/bill-of-materials.md - Add RELATED_IMAGE_SAIA_API to .env file (was missing) Benefits: - Supply chain security (SLSA, SSDF, EO 14028 compliance) - Vulnerability management with SBOM-based scanners - License compliance and audit trail - Clear inventory of all deployed container images - Integration with security tools (Grype, Trivy, Dependency-Track) Release artifacts now include: - bom-vX.Y.Z.txt (human-readable BOM) - bom-vX.Y.Z.yaml (Kubernetes-friendly BOM) - bom-vX.Y.Z.json (CycloneDX BOM) - sbom-operator-vX.Y.Z.cyclonedx.json (SBOM) - sbom-operator-vX.Y.Z.spdx.json (SBOM) - sbom-operator-vX.Y.Z.syft.json (SBOM) 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
Include Kubernetes and Go versions in Bill of Materials for better dependency tracking and compatibility information. Changes: - Extract K8S version from EKS_CLUSTER_K8_VERSION or KUBECTL_VERSION - Extract GO_VERSION from .env file - Include versions in all BOM formats (JSON, YAML, text) This helps users understand: - Which Kubernetes version the operator was tested/validated against - Which Go version was used to build the operator - Compatibility matrix for deployments 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
Include Splunk Enterprise release version and image in Bill of Materials to track compatibility with Splunk platform. Changes: - Extract Splunk Enterprise version from SPLUNK_ENTERPRISE_RELEASE_IMAGE - Include both version (e.g., 9.4.1) and full image reference - Update all BOM formats (JSON, YAML, text) with Splunk Enterprise info This provides clear visibility into which Splunk Enterprise version the operator release is compatible with, supporting: - Version compatibility matrix - Deployment planning - Support troubleshooting - Compliance documentation Example output: Splunk Enterprise: 9.4.1 Splunk Enterprise Image: splunk/splunk:9.4.1 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
Add comprehensive compatibility matrix file and track Splunk Operator for Kubernetes version in BOM metadata. Changes: - Add compatibility-matrix.yaml with structured version compatibility - Platform requirements (Kubernetes, Go, Splunk Enterprise) - Splunk Operator for Kubernetes version (3.0.0) - Required services (cert-manager, vault-injector) - Managed components with versions and images - Inter-operator dependencies - Upgrade paths and known issues - Testing environments and validation criteria - Update BOM generation to include Splunk Operator version - Extract SPLUNK_OPERATOR_FOR_KUBERNETES from .env - Include in JSON, YAML, and text BOM formats - Add annotation referencing compatibility-matrix.yaml - Update release workflow to include compatibility-matrix.yaml - Add SPLUNK_OPERATOR_FOR_KUBERNETES=3.0.0 to .env Benefits: - Clear version compatibility documentation - Easy to maintain and update per release - Machine-readable format for validation - Supports upgrade planning and testing - Provides comprehensive dependency tracking The BOM and compatibility matrix work together: - BOM: "What's included in this release" - Compatibility Matrix: "What works with what" 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
Update supported Splunk Enterprise version to 10.2.0 across .env file and compatibility matrix. Changes: - Update SPLUNK_ENTERPRISE_RELEASE_IMAGE to splunk/splunk:10.2.0 - Update RELATED_IMAGE_SPLUNK_ENTERPRISE to splunk/splunk:10.2.0 - Update compatibility matrix to include 10.2.0 as recommended version - Maintain backwards compatibility with 9.2.3+ versions - Update maxVersion range to 10.2.99 The BOM will now automatically reflect: Splunk Enterprise: 10.2.0 Splunk Enterprise Image: splunk/splunk:10.2.0 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
Copilot finished reviewing on behalf of
vivekr-splunk
November 18, 2025 19:56
There was a problem hiding this comment.
Pull Request Overview
This PR implements a comprehensive Bill of Materials (BOM) and Software Bill of Materials (SBOM) system to enhance supply chain security, compliance tracking, and version management for the Splunk AI Operator.
Key Changes:
- Automated BOM generation script that tracks all container images deployed by the operator in multiple formats (TXT, YAML, JSON/CycloneDX)
- SBOM generation integration using Anchore Syft in CycloneDX, SPDX, and Syft native formats
- Comprehensive compatibility matrix documenting platform requirements, managed components, and version dependencies
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
scripts/generate-bom.sh |
New bash script that extracts container images from .env and generates BOM in three formats (TXT, YAML, CycloneDX JSON) |
docs/bill-of-materials.md |
Comprehensive user documentation covering BOM/SBOM access, verification, security scanning, and compliance use cases |
compatibility-matrix.yaml |
Structured YAML defining supported Kubernetes versions, platform dependencies, managed component versions, and upgrade paths |
BOM_IMPLEMENTATION.md |
Technical implementation guide documenting BOM generation, file formats, integration points, and maintenance procedures |
Makefile |
Added generate-bom target for local BOM generation with version parameter |
.github/workflows/release-package-helm.yml |
Enhanced release workflow with BOM/SBOM generation steps and inclusion of 10 new artifacts (3 BOM formats, 3 SBOM formats, 1 compatibility matrix) |
.env |
Updated Splunk Enterprise version to 10.2.0, added missing SAIA_API image reference, and added Splunk Operator for Kubernetes version |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| echo "" | ||
| echo "SBOM Statistics:" | ||
| jq '.artifacts | length' dist/sbom-operator-v$VERSION.syft.json || echo "SBOM contains package inventory" |
There was a problem hiding this comment.
The jq command .artifacts | length may fail depending on the Syft JSON schema version. The Syft native JSON format structure can vary between versions. Consider using a more robust approach like jq -r '.artifacts // .packages // [] | length' to handle different schema versions, or simply remove the statistics output if it's not critical.
Suggested change
| jq '.artifacts | length' dist/sbom-operator-v$VERSION.syft.json || echo "SBOM contains package inventory" | |
| jq -r '.artifacts // .packages // [] | length' dist/sbom-operator-v$VERSION.syft.json || echo "SBOM contains package inventory" |
scripts/generate-bom.sh
Outdated
| "type": "container", | ||
| "name": "${name}", | ||
| "version": "${image_tag}", | ||
| "purl": "pkg:docker/${image_name}@${image_tag}", |
There was a problem hiding this comment.
The Package URL (PURL) format for Docker images should use : as the version separator, not @. The correct format is pkg:docker/${image_name}:${image_tag} or for digest-based references pkg:docker/${image_name}@sha256:.... Currently using @ with a tag will not conform to the PURL specification.
compatibility-matrix.yaml
Outdated
| deprecationPolicy: | ||
| kubernetesVersions: "Support kubernetes versions N-3 (current and 3 previous minor versions)" | ||
| componentVersions: "Support component versions for 12 months after release" | ||
| noticePerio: "90 days notice before deprecating support" |
There was a problem hiding this comment.
Spelling error: "noticePerio" should be "noticePeriod".
Suggested change
| noticePerio: "90 days notice before deprecating support" | |
| noticePeriod: "90 days notice before deprecating support" |
Comment on lines
+142
to
+145
| - version: "1.9.6" | ||
| status: recommended | ||
| releaseDate: "2023-Q3" | ||
| image: "fluent/fluent-bit:1.9.6" |
There was a problem hiding this comment.
Fluent Bit version 1.9.6 is from 2023-Q3, which is quite old. Consider updating to a more recent version for security patches and bug fixes. As of 2024, Fluent Bit has newer stable releases (e.g., 2.x or later 1.x versions).
Suggested change
| - version: "1.9.6" | |
| status: recommended | |
| releaseDate: "2023-Q3" | |
| image: "fluent/fluent-bit:1.9.6" | |
| - version: "2.2.2" | |
| status: recommended | |
| releaseDate: "2024-Q2" | |
| image: "fluent/fluent-bit:2.2.2" | |
| notes: "Latest tested and recommended version for security and stability" |
Pull Request Test Coverage Report for Build 19480051919Details
💛 - Coveralls |
Fix issues identified by GitHub Copilot code review:
1. **SBOM Statistics (release-package-helm.yml)**
- Make jq command more robust to handle different Syft schema versions
- Use '.artifacts // .packages // []' to support multiple schema formats
- Prevents failures if Syft changes schema structure
2. **PURL Format (generate-bom.sh)**
- Fix Package URL format for Docker images
- Change from 'pkg:docker/${image_name}@${image_tag}' to 'pkg:docker/${image_name}:${image_tag}'
- Conforms to PURL specification (use ':' for tags, '@' for digests)
- Example: pkg:docker/ghcr.io/splunk/splunk-ai-operator:v0.1.0
3. **Spelling Error (compatibility-matrix.yaml)**
- Fix typo: "noticePerio" → "noticePeriod"
4. **Fluent Bit Version Note (compatibility-matrix.yaml)**
- Add note explaining 1.9.6 is validated stable version
- Version matches what's defined in .env file
All issues now resolved and compliant with standards.
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
Add practical guides showing how to use BOM and compatibility matrix in real-world scenarios. New Documentation: - docs/using-bom-compatibility.md - Complete usage guide with 10 scenarios - docs/bom-quick-reference.md - Quick reference card for common tasks Covers: 1. Pre-deployment compatibility checks 2. Security vulnerability scanning 3. Upgrade planning and version comparison 4. Compliance reporting and audit trails 5. Policy enforcement (registry approval) 6. CI/CD integration examples 7. Continuous CVE monitoring 8. Air-gapped deployment planning 9. Troubleshooting version mismatches 10. Executive summary generation Each scenario includes: - Practical use case description - Step-by-step commands - Expected output examples - Decision criteria Quick reference includes: - Essential commands - Common tasks checklist - Tool installation guide - Pro tips for operations Makes BOM/compatibility matrix immediately actionable for: - Platform engineers (deployment planning) - Security teams (vulnerability scanning) - Compliance teams (audit reporting) - DevOps teams (CI/CD integration) 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
rlieberman-splunk
approved these changes
Nov 18, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements comprehensive Bill of Materials (BOM), Software Bill of Materials (SBOM), and Compatibility Matrix to support supply chain security, compliance, and version management requirements.
Overview
This PR adds three major capabilities:
Changes
1. BOM Generation System
New Files:
scripts/generate-bom.sh- Shell script to extract and generate BOM in multiple formatsdocs/bill-of-materials.md- Comprehensive user guide for BOM/SBOMBOM_IMPLEMENTATION.md- Implementation summary and developer guideBOM Formats:
.txt) - Human-readable format for quick review.yaml) - Kubernetes-friendly, machine-readable format.json) - CycloneDX 1.4 standard format for tool integrationBOM Contents:
New File:
Contents:
Workflow Updates:
New Target:
make generate-bom VERSION=0.1.0
Modified: .github/workflows/release-package-helm.yml
New Steps:
Modified: .env
Release Artifacts
Each release will now include 10 BOM/compatibility files:
Compatibility & Dependency Tracking
Software Bill of Materials
Existing Assets (unchanged)
Benefits
Supply Chain Security
Vulnerability Management
Operational Benefits
Developer Experience
Usage Examples
Generate BOM Locally
make generate-bom VERSION=0.1.0
cat dist/bom-v0.1.0.txt
Download from Release
VERSION="0.1.0"
curl -LO "https://github.com/splunk/splunk-ai-operator/releases/download/v${VERSION}/bom-v${VERSION}.txt"
curl -LO "https://github.com/splunk/splunk-ai-operator/releases/download/v${VERSION}/compatibility-matrix.yaml"
Scan for Vulnerabilities
Using SBOM from release
curl -LO "https://github.com/splunk/splunk-ai-operator/releases/download/v0.1.0/sbom-operator-v0.1.0.cyclonedx.json"
grype sbom:./sbom-operator-v0.1.0.cyclonedx.json
Scan operator image directly
trivy image ghcr.io/splunk/splunk-ai-operator:v0.1.0
Check Compatibility
Download compatibility matrix
curl -LO "https://github.com/splunk/splunk-ai-operator/releases/download/v0.1.0/compatibility-matrix.yaml"
Review supported versions
yq '.platform.kubernetes' compatibility-matrix.yaml
yq '.managedComponents.ray.versions' compatibility-matrix.yaml
Testing
Successfully tested BOM generation locally:
$ ./scripts/generate-bom.sh 0.1.0 dist/
✅ Generated BOM files:
- dist/bom-v0.1.0.json (CycloneDX format)
- dist/bom-v0.1.0.yaml (Kubernetes-friendly YAML)
- dist/bom-v0.1.0.txt (Human-readable text)
Summary of images included in v0.1.0:
operator: ghcr.io/splunk/splunk-ai-operator:v0.1.0
splunk-enterprise: splunk/splunk:10.2.0
ray-head: ...ray-head:build-5
ray-worker: ...ray-worker-gpu:build-6
weaviate: semitechnologies/weaviate:stable-v1.28-007846a
saia-api: ...saia-api:build-1
post-install-hook: ...ai-helm-post-hook:0.0.5
fluent-bit: fluent/fluent-bit:1.9.6
Total images: 8
Documentation
New Documentation
Integration with Existing Systems
Compatibility with Artifact Hub
The BOM references are compatible with the existing artifacthub-repo.yml configuration. The compatibility matrix provides additional metadata that can be referenced from Artifact Hub.
Workflow Integration
All BOM/SBOM generation is automated in the release workflow:
Maintenance
Updating Versions
To update component versions for a new release:
Example: Update Ray to 2.45.0
RELATED_IMAGE_RAY_HEAD=...ray-head:build-7
RELATED_IMAGE_RAY_WORKER=...ray-worker-gpu:build-8
RAY_VERSION=2.45.0
2. Update compatibility-matrix.yaml:
managedComponents:
ray:
versions:
- version: "2.45.0"
status: recommended
images:
head: "...ray-head:build-7"
worker: "...ray-worker-gpu:build-8"
3. BOM automatically updates on next release!
Standards Compliance
Breaking Changes
None. This is purely additive - new files and capabilities with no changes to existing functionality.
Checklist
Related Issues
Supports supply chain security and compliance initiatives for OSS release preparation.
Screenshots
================================================================================
Bill of Materials (BOM)
Splunk AI Operator v0.1.0
Generated: 2025-11-18T19:48:28Z
OPERATOR IMAGE
ghcr.io/splunk/splunk-ai-operator:v0.1.0
MANAGED CONTAINER IMAGES
splunk-enterprise: splunk/splunk:10.2.0
ray-head: ...ray-head:build-5
ray-worker: ...ray-worker-gpu:build-6
weaviate: semitechnologies/weaviate:stable-v1.28-007846a
...
DEPENDENCY VERSIONS
Model Version: v0.3.14-36-g1549f5a
Ray Version: 2.44.0
Kubernetes Version: 1.31
Go Version: 1.23.0
Splunk Enterprise: 10.2.0
Splunk Operator for Kubernetes: 3.0.0
apiVersion: operator.splunk.com/v1
kind: CompatibilityMatrix
metadata:
name: splunk-ai-operator
version: 0.1.0
platform:
kubernetes:
minVersion: "1.28.0"
maxVersion: "1.31.99"
tested: ["1.28", "1.29", "1.30", "1.31"]
managedComponents:
ray:
versions:
- version: "2.44.0"
status: recommended
images:
head: "...ray-head:build-5"
worker: "...ray-worker-gpu:build-6"