Create SBOMs #139

Merged
merged 3 commits into main from rdp-767-create-sbom
Nov 25, 2024

Conversation


@rpoet-jh rpoet-jh commented Nov 21, 2024

This PR adds configuration so SBOMs are created for each module in pass-support. The SBOMs are created as part of the maven build lifecycle. The SBOM is saved in target/classes/META-INF/sbom/application.cdx.json in the module that declares the cyclonedx plugin.

The following modules will create an SBOM file:

  • pass-data-client
  • pass-deposit-services/deposit-core
  • pass-grant-loader
  • pass-journal-loader/pass-journal-loader-nih
  • pass-nihms-loader/nihms-data-harvest
  • pass-nihms-loader/nihms-data-transform-load
  • pass-notification-services

Essentially, for each deployable component, there will be an SBOM.

Note that the SBOM file will also publish to maven central/snapshots with associated artifacts.

I used the sbom-utility to validate each SBOM.

Another note about <includeTools>false</includeTools> in the repackage plugin. I noticed a spring-boot-jarmode-tools jar file being included in the uber jar, and I didn't know what it was. After research, I don't think we need it, so I excluded it with the change. https://docs.spring.io/spring-boot/maven-plugin/packaging.html#packaging.examples.layered-archive-tools

This PR is dependent on the main PR: eclipse-pass/main#1086. To test this PR, first checkout that PR and mvn clean install, then you can run mvn clean install on this PR.
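The PR above generates one CycloneDX JSON document per deployable module and validates each with sbom-utility. The script below is an added example (not code from the eclipse-pass project or from this PR) of the structural checks a reviewer can run over such a file before it is published: it parses a CycloneDX JSON SBOM and reports a missing root component, components without a `purl` or hashes (which cannot be matched against advisory feeds or verified against the artifact), dependency edges that point at undeclared `bom-ref`s, and one library appearing at several versions. The embedded sample SBOM is constructed for illustration with made-up component names; it is not a real pass-support SBOM. Run it against a real build with `python check_sbom.py target/classes/META-INF/sbom/application.cdx.json`.

```python
"""Structural checks on a CycloneDX JSON SBOM.

Added example for this page; not code from the eclipse-pass project or the PR.
The sample document below is constructed (component names and versions are
made up) and does not reproduce any real pass-support SBOM.
"""
import json
import sys

# Constructed sample: a deliberately imperfect CycloneDX 1.5 document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:0f5f2a52-7b7e-4d2c-9f1d-1a2b3c4d5e6f",
    "version": 1,
    "metadata": {
        "component": {
            "type": "application",
            "bom-ref": "pkg:maven/org.example/example-app@1.0.0?type=jar",
            "name": "example-app", "version": "1.0.0",
            "purl": "pkg:maven/org.example/example-app@1.0.0?type=jar",
        }
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/lib-a@2.1.0?type=jar",
         "group": "org.example", "name": "lib-a", "version": "2.1.0",
         "purl": "pkg:maven/org.example/lib-a@2.1.0?type=jar",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        # No purl and no hashes: cannot be matched to an advisory or verified.
        {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "0.9"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/example-app@1.0.0?type=jar",
         "dependsOn": ["pkg:maven/org.example/lib-a@2.1.0?type=jar", "lib-b"]},
        # Dangling edge: "ghost-lib" is not declared in components.
        {"ref": "pkg:maven/org.example/lib-a@2.1.0?type=jar", "dependsOn": ["ghost-lib"]},
    ],
})


def check_sbom(text: str) -> list[str]:
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    bom = json.loads(text)

    # Document-level fields the CycloneDX JSON schema expects.
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if not str(bom.get("specVersion", "")).startswith("1."):
        findings.append("specVersion missing or unrecognised")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        findings.append("serialNumber missing or not a urn:uuid")

    # metadata.component names the artifact this SBOM describes.
    root = bom.get("metadata", {}).get("component")
    if not root:
        findings.append("metadata.component (the artifact the SBOM describes) is missing")

    known_refs = set()
    if root and root.get("bom-ref"):
        known_refs.add(root["bom-ref"])

    # Per-component checks: identity, purl for advisory matching, hashes for verification.
    versions = {}
    for comp in bom.get("components", []):
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                findings.append(f"component {label}: missing {field}")
        if not comp.get("hashes"):
            findings.append(f"component {label}: no hashes, cannot verify the artifact")
        if comp.get("bom-ref"):
            known_refs.add(comp["bom-ref"])
        versions.setdefault((comp.get("group"), comp.get("name")), set()).add(comp.get("version"))

    # Every dependency edge must point at a declared bom-ref.
    for dep in bom.get("dependencies", []):
        for target in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if target not in known_refs:
                findings.append(f"dependency graph references undeclared bom-ref {target!r}")

    # The same library at several versions usually means a resolution problem worth a look.
    for (group, name), seen in versions.items():
        if len(seen) > 1:
            findings.append(f"{group}:{name} appears at several versions: {sorted(map(str, seen))}")

    return findings


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for finding in check_sbom(source):
        print(finding)
```

These checks complement, rather than replace, schema validation with sbom-utility: the sample above is schema-valid, yet the script still flags three things a consumer of the published SBOM would care about.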

@rpoet-jh rpoet-jh requested a review from markpatton November 21, 2024 18:44
@rpoet-jh rpoet-jh self-assigned this Nov 21, 2024
@markpatton markpatton left a comment

I tested locally and looked through the SBOMs.

@rpoet-jh rpoet-jh merged commit fad38bf into main Nov 25, 2024
2 checks passed
@rpoet-jh rpoet-jh deleted the rdp-767-create-sbom branch January 16, 2025 14:53