Create SBOMs for ASF application binary distributions #35
Comments
As my initial scan shows, the Maven Assembly Plugin is the most common way to create binary application distributions. The CycloneDX Maven Plugin and SPDX Maven Plugin should probably have some special support for the Assembly plugin to generate an appropriate SBOM. In CycloneDX the application should probably be represented as a CycloneDX assembly of libraries. What do you think? |
(linking CycloneDX/cyclonedx-maven-plugin#472 and spdx/spdx-maven-plugin#159 here as those issues are not really about |
@ppkarwasz
I have no clue, this is the most important question I never had any clear answer on and could not easily create myself: need to see an example, be it in XML or json @raboof shade adds additional problems to solve: this will be the final issue, but not one we can progress easily. We need to divide to conquer: war, then assembly, then shade -- perhaps we'll find other intermediate steps, I at least know these ones |
@ppkarwasz BTW, in the list of TLPs that do SBOMs, there are a few that do such application binary distributions I did a first test on Maven itself and JSPWiki in #23 with a "check SBOM against binary content" approach, but there are other ones: these ones are interesting because we have an initial SBOM that we can compare with proposed target content |
As an example, currently the Maven binary distribution is represented as (the example has been edited following Arnout's comment):

    <metadata>
      <component type="library" bom-ref="pkg:maven/org.apache.maven/apache-maven@3.9.9?type=pom">
        <publisher>The Apache Software Foundation</publisher>
        <group>org.apache.maven</group>
        <name>apache-maven</name>
        <version>3.9.9</version>
        <description>
          The Apache Maven distribution, source and binary, in zip and tar.gz formats.
        </description>
        <purl>pkg:maven/org.apache.maven/apache-maven@3.9.9?type=pom</purl>
      </component>
    </metadata>
    <components>
      <component type="library" bom-ref="pkg:maven/org.apache.maven/maven-embedder@3.9.9?type=jar">
        <publisher>The Apache Software Foundation</publisher>
        <group>org.apache.maven</group>
        <name>maven-embedder</name>
        <version>3.9.9</version>
        <description>
          Maven embeddable component, with CLI and logging support.
        </description>
        <purl>pkg:maven/org.apache.maven/maven-embedder@3.9.9?type=jar</purl>
      </component>
      ...
    </components>
    <dependencies>
      <dependency ref="pkg:maven/org.apache.maven/apache-maven@3.9.9?type=pom">
        <dependency ref="pkg:maven/org.apache.maven/maven-embedder@3.9.9?type=jar"/>
        ...
      </dependency>
    </dependencies>

The relation between

    <metadata>
      <component type="application" bom-ref="pkg:maven/org.apache.maven/apache-maven@3.9.9?classifier=bin">
        <publisher>The Apache Software Foundation</publisher>
        <group>org.apache.maven</group>
        <name>apache-maven</name>
        <version>3.9.9</version>
        <description>
          The Apache Maven binary distribution, in zip and tar.gz formats.
        </description>
        <purl>pkg:maven/org.apache.maven/apache-maven@3.9.9?classifier=bin</purl>
        <components>
          <component type="library" bom-ref="pkg:maven/org.apache.maven/maven-embedder@3.9.9?type=jar">
            <publisher>The Apache Software Foundation</publisher>
            <group>org.apache.maven</group>
            <name>maven-embedder</name>
            <version>3.9.9</version>
            <description>
              Maven embeddable component, with CLI and logging support.
            </description>
            <purl>pkg:maven/org.apache.maven/maven-embedder@3.9.9?type=jar</purl>
          </component>
          ...
        </components>
      </component>
    </metadata>

Comparing to the current SBOM, the |
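The "check SBOM against binary content" approach mentioned earlier in the thread, as an added example that is not code from this issue nor from the CycloneDX or SPDX Maven plugins. It reads library components from either SBOM shape shown above (top-level `<components>` linked through `<dependencies>`, or libraries nested under the `<metadata>` application component), derives the expected `name-version[-classifier].jar` file name from each Maven purl, and diffs that against the jar entries of a distribution archive. The SBOM document and the archive listing are constructed for the example (the `plexus-utils` and `commons-cli` entries are deliberate mismatches); they are not the real apache-maven-3.9.9 artifacts.

```python
"""Compare the jars declared in a CycloneDX SBOM with the jars shipped in a
binary distribution archive (example code added for illustration).

A jar shipped without an SBOM entry is invisible to vulnerability scanning;
an SBOM entry without a shipped jar is a false claim about the distribution.
"""
import re
from typing import Optional, Set, Dict, Iterable
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

# CycloneDX 1.5 XML namespace; the element names are the same across 1.x.
NS = {"b": "http://cyclonedx.org/schema/bom/1.5"}

# Constructed sample SBOM mixing both shapes discussed in the thread:
# one library nested under the metadata application component, two
# libraries at top level.  plexus-utils is declared but (below) not shipped.
SAMPLE_SBOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata>
    <component type="application" bom-ref="pkg:maven/org.apache.maven/apache-maven@3.9.9?classifier=bin">
      <group>org.apache.maven</group>
      <name>apache-maven</name>
      <version>3.9.9</version>
      <purl>pkg:maven/org.apache.maven/apache-maven@3.9.9?classifier=bin</purl>
      <components>
        <component type="library" bom-ref="pkg:maven/org.apache.maven/maven-embedder@3.9.9?type=jar">
          <group>org.apache.maven</group>
          <name>maven-embedder</name>
          <version>3.9.9</version>
          <purl>pkg:maven/org.apache.maven/maven-embedder@3.9.9?type=jar</purl>
        </component>
      </components>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:maven/org.slf4j/slf4j-api@1.7.36?type=jar">
      <group>org.slf4j</group>
      <name>slf4j-api</name>
      <version>1.7.36</version>
      <purl>pkg:maven/org.slf4j/slf4j-api@1.7.36?type=jar</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/org.codehaus.plexus/plexus-utils@3.5.1?type=jar">
      <group>org.codehaus.plexus</group>
      <name>plexus-utils</name>
      <version>3.5.1</version>
      <purl>pkg:maven/org.codehaus.plexus/plexus-utils@3.5.1?type=jar</purl>
    </component>
  </components>
</bom>
"""

# Constructed listing of a hypothetical apache-maven-3.9.9-bin.zip
# (what zipfile.ZipFile(...).namelist() would return).  commons-cli is
# shipped but has no SBOM entry.
SAMPLE_ARCHIVE_ENTRIES = [
    "apache-maven-3.9.9/bin/mvn",
    "apache-maven-3.9.9/lib/maven-embedder-3.9.9.jar",
    "apache-maven-3.9.9/lib/slf4j-api-1.7.36.jar",
    "apache-maven-3.9.9/lib/commons-cli-1.8.0.jar",
]

# pkg:maven/<group>/<name>@<version>?<qualifiers>
PURL_RE = re.compile(
    r"^pkg:maven/(?P<group>[^/@?#]+)/(?P<name>[^/@?#]+)@(?P<version>[^?#]+)(?:\?(?P<q>[^#]*))?$"
)


def purl_to_jar_name(purl: str) -> Optional[str]:
    """Expected file name for a Maven purl, or None if it is not a jar.

    Per the purl spec the Maven 'type' qualifier defaults to 'jar'; a
    'classifier' qualifier becomes the usual -classifier suffix.
    """
    m = PURL_RE.match(purl.strip())
    if not m:
        return None
    qualifiers = parse_qs(m.group("q") or "")
    if qualifiers.get("type", ["jar"])[0] != "jar":
        return None
    classifier = qualifiers.get("classifier", [None])[0]
    suffix = f"-{classifier}" if classifier else ""
    return f"{m.group('name')}-{m.group('version')}{suffix}.jar"


def sbom_jar_names(xml_text: str) -> Set[str]:
    """Jar names for every library component, wherever it sits in the BOM."""
    root = ET.fromstring(xml_text)
    names = set()
    for comp in root.iterfind(".//b:component", NS):
        if comp.get("type") != "library":
            continue  # the application/root component is not a shipped jar
        jar = purl_to_jar_name(comp.findtext("b:purl", default="", namespaces=NS))
        if jar:
            names.add(jar)
    return names


def archive_jar_names(entries: Iterable[str]) -> Set[str]:
    """Base names of all .jar entries in an archive listing."""
    return {e.rsplit("/", 1)[-1] for e in entries if e.endswith(".jar")}


def compare(sbom_xml: str, entries: Iterable[str]) -> Dict[str, Set[str]]:
    """Diff declared vs shipped jars; both non-matched sets should be empty."""
    declared = sbom_jar_names(sbom_xml)
    shipped = archive_jar_names(entries)
    return {
        "matched": declared & shipped,
        "missing_from_archive": declared - shipped,  # SBOM claims a jar that is not shipped
        "undeclared_in_sbom": shipped - declared,    # shipped jar with no SBOM entry
    }


if __name__ == "__main__":
    for key, jars in compare(SAMPLE_SBOM, SAMPLE_ARCHIVE_ENTRIES).items():
        print(f"{key}: {sorted(jars)}")
```

For a real check, replace `SAMPLE_ARCHIVE_ENTRIES` with `zipfile.ZipFile(path).namelist()` (or the tar equivalent) and `SAMPLE_SBOM` with the `-cyclonedx.xml` file published next to the distribution; comparing file hashes declared in `<hashes>` against the archive entries would be the next step beyond name matching.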
Where did you get that? In https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-cyclonedx.xml,
Right - and if |
I took the liberty to "simplify" the example. I edited the example to follow more closely the real structure. |
I'm so surprised to see all the components in the distribution moving from I can't imagine a Docker image doing that for everything that is embedded in the image (I'm trying to compare to other ecosystems, where there is an equivalent embedding) |
I didn't expect that either
That is my understanding, yes
indeed all the tools I'm aware of just put them in the main |
I imagine there is more diversity than what was expected we'll need to have a more interactive discussion with SBOM experts, because it starts to be too complex for our just an issue tracker |
The purpose of this issue is to provide SBOMs for all ASF binary distributions, starting with those that:
These are IMHO the most critical distributions, since users cannot easily upgrade vulnerable dependencies without a new release.
The following table contains a list of binary application distributions of various Apache TLPs.
Currently only 10% of the TLPs are included: