SOLR-16796: Add Maven SBOMs via cyclonedx #1203
Conversation
@raboof I pushed a change to your PR branch that moves the logic to
@gus-asf you may find this idea interesting ;-)
We should create a JIRA for this btw.
Created https://issues.apache.org/jira/browse/SOLR-16796
There's probably more to improve from here, such as:
... but this might already be a nice start.
includeBomSerialNumber = true
}

// Unless explicitly enabled, do not attach owasp to check. It has a large download
What does CycloneDX have to do with OWASP? What checking/verification does cyclonedxBom do?
It helps you to build a bom.xml/json file so you can evaluate that file later on Sonatype Lifecycle and see your app vulnerabilities.
This PR had no visible activity in the past 60 days, labeling it as stale. Any new activity will remove the stale label. To attract more reviewers, please tag someone or notify the [email protected] mailing list. Thank you for your contribution!
I'm positive about including this as a first step and then proceeding with publishing the SBOM as a release artifact as proposed.
Ok, so I've changed this to create an SBOM for each of our Maven artifacts, and they are included in what will be uploaded to Maven Central. So far there is no Solr-wide SBOM (for either the full tgz or the slim tgz), but that is kind of a nightmare to do with the cyclonedx gradle plugin. It would be much easier if we could use syft to generate an SBOM from the resulting tgz(s). But maybe this is a problem to solve later and we take the first win?
Thanks @HoustonPutman. I think this would be a good first step considering we've been stuck with this for a while.
Co-authored-by: Kevin Risden <[email protected]>
Co-authored-by: Houston Putman <[email protected]>
(cherry picked from commit a42c605)
This reverts commit a42c605.
This reverts commit 392b628.
Co-authored-by: Kevin Risden <[email protected]>
Co-authored-by: Houston Putman <[email protected]>
This draft PR shows one way to generate an SBOM for Solr, mostly for discussion at https://lists.apache.org/thread/j35clzm48s7xxc9671qogzr54bsdj1lz . If we want to take this further I'll create a JIRA issue and fill out the rest of the PR template ;).
(I haven't looked in depth at the quality of the output yet, as at this point I just wanted a starting point for experimenting with VEX)
https://issues.apache.org/jira/browse/SOLR-16796
Description
It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for its artifacts. An SBOM gives an overview of the components included in the artifact, which can be useful for example for scanner software that looks for dependencies with potential security vulnerabilities.
Such consumers of the SBOM should probably combine it with the VEX published for Solr (https://solr.apache.org/security.html#vex) to avoid getting reports for known false positives.
Solution
Introduce the org.cyclonedx.bom plugin, which helps with generating SBOMs for the build products.
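As an added example (not part of this PR or of the Solr build), the consumer-side step the Description asks for: a scanner's findings for an SBOM are filtered through the project's CycloneDX VEX, so that vulnerabilities the project has marked not_affected do not show up as false positives. The SBOM, VEX, purls and CVE ids below are constructed placeholders, not real Solr data.

```python
import json

# Constructed sample SBOM (CycloneDX JSON, minimal fields); the coordinates are
# placeholders for illustration, not real Solr artifacts.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:maven/org.example/lib-a@1.0", "purl": "pkg:maven/org.example/lib-a@1.0"},
        {"bom-ref": "pkg:maven/org.example/lib-b@2.3", "purl": "pkg:maven/org.example/lib-b@2.3"},
    ],
})

# Constructed sample VEX (also CycloneDX JSON): the project states that
# CVE-EXAMPLE-0001 in lib-a does not affect it, while CVE-EXAMPLE-0002 is still open.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "affects": [{"ref": "pkg:maven/org.example/lib-a@1.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "CVE-EXAMPLE-0002", "affects": [{"ref": "pkg:maven/org.example/lib-b@2.3"}],
         "analysis": {"state": "in_triage"}},
    ],
})

# Constructed scanner output: (vulnerability id, purl) pairs as a scanner would
# report after matching the SBOM components against an advisory feed.
FINDINGS = [
    ("CVE-EXAMPLE-0001", "pkg:maven/org.example/lib-a@1.0"),
    ("CVE-EXAMPLE-0002", "pkg:maven/org.example/lib-b@2.3"),
    ("CVE-EXAMPLE-0003", "pkg:maven/org.example/lib-a@1.0"),  # no VEX statement for this one
]

# CycloneDX analysis states that mean the consumer need not act on the finding.
SUPPRESS_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}


def suppressed_pairs(vex_json):
    """Return the (vulnerability id, component ref) pairs the VEX dismisses."""
    out = set()
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") in SUPPRESS_STATES:
            for affected in vuln.get("affects", []):
                out.add((vuln["id"], affected["ref"]))
    return out


def filter_findings(sbom_json, vex_json, findings):
    """Keep only findings for components in the SBOM that the VEX does not dismiss."""
    known = {c["purl"] for c in json.loads(sbom_json).get("components", [])}
    suppressed = suppressed_pairs(vex_json)
    return [f for f in findings if f[1] in known and f not in suppressed]
```

Findings whose component is not in the SBOM are dropped as well, since they cannot have come from this artifact; everything else that the VEX does not explicitly dismiss is kept for triage.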