Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cyclonedx-lib build and --create-sbom option #2805

Merged
merged 2 commits into from
Dec 17, 2021
Merged

Add cyclonedx-lib build and --create-sbom option #2805

merged 2 commits into from
Dec 17, 2021

Conversation

andrew-m-leonard
Copy link
Contributor

@andrew-m-leonard andrew-m-leonard commented Dec 16, 2021
edited
Loading

Download the necessary CycloneDX libraries and dependencies, and build a TemurinGenSBOM.java app framework.
Added a new BUILD_ARGS --create-sbom, default is "false", which when set builds the library and invokes TemurinGenSBOM at the end of the build.

CycloneDX and dependent libraries and licenses:
cyclonedx-core-java : v5.0.4 : Apache License, Version 2.0
jackson-core : v2.12.4 : Apache License, Version 2.0
jackson-dataformat-xml : v2.12.4 : Apache License, Version 2.0
jackson-databind : v2.12.4 : Apache License, Version 2.0
jackson-annotations : v2.12.4 : Apache License, Version 2.0
json-schema-validator : v1.0.58 : Apache License, Version 2.0
commons-codec : v1.15 : Apache License, Version 2.0
commons-io : v2.11.0 : Apache License, Version 2.0
github-package-url : v1.4.0 : MIT License

TemurinGenSOM is currently just a dummy implementation, that prints the args and creates a dummy test SBOM.

Signed-off-by: Andrew Leonard [email protected]

@andrew-m-leonard andrew-m-leonard self-assigned this Dec 16, 2021
@andrew-m-leonard andrew-m-leonard force-pushed the cyclonedx branch 5 times, most recently from e05e13a to f38b344 Compare December 16, 2021 20:32
@andrew-m-leonard
Copy link
Contributor Author

run with --create-sbom: https://ci.adoptopenjdk.net/view/work-in-progress/job/andrew-cyclonedx/27/console

20:45:18  TemurinGenSBOM: --create temurin_sbom.json --name "Temurin SBOM" --version "1.2.3" --type "application" --author "Adoptium"
20:45:19  SBOM: {
20:45:19    "bomFormat" : "CycloneDX",
20:45:19    "specVersion" : "1.3",
20:45:19    "version" : 1,
20:45:19    "components" : [
20:45:19      {
20:45:19        "author" : "Adoptium",
20:45:19        "name" : "TestComponent",
20:45:19        "version" : "1.0.0",
20:45:19        "type" : "application"
20:45:19      }
20:45:19    ]
20:45:19  }

@andrew-m-leonard
Copy link
Contributor Author

run tests

@github-actions github-actions bot added the testing Issues that enhance or fix our test suites label Dec 16, 2021
@github-actions github-actions bot added testing Issues that enhance or fix our test suites and removed testing Issues that enhance or fix our test suites labels Dec 16, 2021
@andrew-m-leonard andrew-m-leonard added reproducible-build and removed testing Issues that enhance or fix our test suites labels Dec 16, 2021
smlambert
smlambert approved these changes Dec 16, 2021
View reviewed changes
Copy link
Contributor

@smlambert smlambert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (posed a question, but its not meant as a blocking question?)

@andrew-m-leonard
Copy link
Contributor Author

@smlambert thanks. Did you submit the review comment? I can't see the question?

@github-actions github-actions bot added the testing Issues that enhance or fix our test suites label Dec 17, 2021
sxa
sxa reviewed Dec 17, 2021
View reviewed changes
sbin/build.sh Outdated Show resolved Hide resolved
sbin/build.sh Show resolved Hide resolved
sbin/build.sh Outdated Show resolved Hide resolved
@github-actions github-actions bot added testing Issues that enhance or fix our test suites and removed testing Issues that enhance or fix our test suites labels Dec 17, 2021
sxa
sxa approved these changes Dec 17, 2021
View reviewed changes
Copy link
Member

@sxa sxa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks - as you said we can revisit if necessary in the future, but I think it is cleaner this way

@andrew-m-leonard andrew-m-leonard merged commit 6a577e0 into adoptium:master Dec 17, 2021
@andrew-m-leonard andrew-m-leonard mentioned this pull request Dec 17, 2021
Closed
@smlambert
Copy link
Contributor

Hmm, thought I submitted it, but it was a question on how generic can the class be...
Whether it could be used by those who use our builds scripts as currently nothing in the class would need to be specific to Temurin (are passed in as cmds arg for specific Temurin SBOM) in which case is the Temurin specific name needed?

@andrew-m-leonard
Copy link
Contributor Author

Hmm, thought I submitted it, but it was a question on how generic can the class be... Whether it could be used by those who use our builds scripts as currently nothing in the class would need to be specific to Temurin (are passed in as cmds arg for specific Temurin SBOM) in which case is the Temurin specific name needed?

@smlambert ah yes, I did wonder about the "name" myself for that reason... kept Temurin in the name as it's in a repo called temurin-build ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sxa sxa sxa approved these changes

@smlambert smlambert smlambert approved these changes

Assignees

@andrew-m-leonard andrew-m-leonard

Labels
reproducible-build testing Issues that enhance or fix our test suites
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrew-m-leonard @smlambert @sxa