Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SBOM actuator endpoint doesn't work in a native image #40939

Closed
mhalbritter opened this issue May 29, 2024 · 3 comments
Closed

SBOM actuator endpoint doesn't work in a native image #40939

mhalbritter opened this issue May 29, 2024 · 3 comments
Assignees
@mhalbritter
Labels
theme: aot An issue related to Ahead-of-time processing type: bug A general bug
Milestone
3.3.1

Comments

@mhalbritter
Copy link
Contributor

No description provided.

@mhalbritter mhalbritter added type: bug A general bug theme: aot An issue related to Ahead-of-time processing labels May 29, 2024
@mhalbritter mhalbritter added this to the 3.3.x milestone May 29, 2024
@mhalbritter mhalbritter self-assigned this May 29, 2024
@mhalbritter
Copy link
Contributor Author

mhalbritter commented May 29, 2024
edited
Loading

We need to register the missing resource hints, e.g. like this:

class SbomHints implements RuntimeHintsRegistrar {
    private static final List<String> DEFAULT_APPLICATION_SBOM_LOCATIONS = List.of("classpath:META-INF/sbom/bom.json", "classpath:META-INF/sbom/application.cdx.json");

    @Override
    public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
        for (String location : DEFAULT_APPLICATION_SBOM_LOCATIONS) {
            hints.resources().registerPattern(location.replace("classpath:", ""));
        }
    }
}

However, this isn't enough. When using Gradle, the bootJar task is configured to include the SBOM from $buildDir/reports into META-INF/sbom/application.cdx.json. But we invoke native-image with the plain jar file, not the uber jar. This can be fixed with this Gradle snippet, however this might not be the best way:

jar {
	dependsOn(':cyclonedxBom')
	from(project.layout.buildDirectory.dir('reports')) {
		include('application.cdx.json') into 'META-INF/sbom'
	}
}

For Maven, registering the resource hints is enough.

@mhalbritter
Copy link
Contributor Author

Might be related to #40890.

@mhalbritter
Copy link
Contributor Author

Got something in https://github.com/mhalbritter/spring-boot/tree/mh/40890-react-to-cyclonedx-gradle-plugin-application.

@mhalbritter mhalbritter modified the milestones: 3.3.x, 3.3.1 Jun 11, 2024
@Netyyyy Netyyyy mentioned this issue Jun 22, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mhalbritter mhalbritter

Labels
theme: aot An issue related to Ahead-of-time processing type: bug A general bug
Projects
None yet
Milestone
3.3.1
Development

No branches or pull requests
1 participant
@mhalbritter