This is an automated email from the ASF dual-hosted git repository.
dongjoon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push:
new f123179c0fe [SPARK-41893][BUILD] Publish SBOM artifacts
f123179c0fe is described below
commit f123179c0fe5517ebe3ed3f9668c3970fb491064
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Thu Jan 5 16:22:48 2023 -0800
[SPARK-41893][BUILD] Publish SBOM artifacts
### What changes were proposed in this pull request?
This PR aims to publish `SBOM` artifacts.
### Why are the changes needed?
Here is an article to give some context.
- https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/
Software Bills of Materials (SBOMs) are additional artifacts containing the
aggregate of all direct and transitive dependencies of a project. The US
Government (based on NIST recommendations) currently accepts only the three
most popular SBOM standards as valid, namely:
[CycloneDX](https://cyclonedx.org/), [Software Identification (SWID)
tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software
Package Data Exchange® (SPDX)](https://spdx.dev/).
This PR uses the [CycloneDX maven
plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin), a lightweight
software bill of materials (SBOM) standard designed for use in application
security contexts and supply chain component analysis.
For example, `spark-tags_2.12-3.4.0-SNAPSHOT-cyclonedx.xml` and
`spark-tags_2.12-3.4.0-SNAPSHOT-cyclonedx.json` files are attached to
`spark-tags_2.12-3.4.0-SNAPSHOT.jar`.
```
$ ls -al ~/.m2/repository/org/apache/spark/spark-tags_2.12/3.4.0-SNAPSHOT
total 2488
drwxr-xr-x 12 dongjoon staff 384 Jan 4 23:36 .
drwxr-xr-x 4 dongjoon staff 128 Jan 4 23:36 ..
-rw-r--r-- 1 dongjoon staff 492 Jan 4 23:36 _remote.repositories
-rw-r--r-- 1 dongjoon staff 1955 Jan 4 23:36 maven-metadata-local.xml
-rw-r--r-- 1 dongjoon staff 16310 Jan 4 23:36 spark-tags_2.12-3.4.0-SNAPSHOT-cyclonedx.json
-rw-r--r-- 1 dongjoon staff 14045 Jan 4 23:36 spark-tags_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
-rw-r--r-- 1 dongjoon staff 1162027 Jan 4 23:36 spark-tags_2.12-3.4.0-SNAPSHOT-javadoc.jar
-rw-r--r-- 1 dongjoon staff 16272 Jan 4 23:36 spark-tags_2.12-3.4.0-SNAPSHOT-sources.jar
-rw-r--r-- 1 dongjoon staff 12453 Jan 4 23:36 spark-tags_2.12-3.4.0-SNAPSHOT-test-sources.jar
-rw-r--r-- 1 dongjoon staff 10387 Jan 4 23:36 spark-tags_2.12-3.4.0-SNAPSHOT-tests.jar
-rw-r--r-- 1 dongjoon staff 15181 Jan 4 23:36 spark-tags_2.12-3.4.0-SNAPSHOT.jar
-rw-r--r-- 1 dongjoon staff 5822 Jan 4 23:36 spark-tags_2.12-3.4.0-SNAPSHOT.pom
```
### Does this PR introduce _any_ user-facing change?
Yes, but dev-only changes.
### How was this patch tested?
Manually tested.
```
$ mvn install -DskipTests
...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Spark Project Parent POM 3.4.0-SNAPSHOT:
[INFO]
[INFO] Spark Project Parent POM ........................... SUCCESS [ 10.501 s]
[INFO] Spark Project Tags ................................. SUCCESS [ 12.900 s]
[INFO] Spark Project Sketch ............................... SUCCESS [ 24.315 s]
[INFO] Spark Project Local DB ............................. SUCCESS [ 25.406 s]
[INFO] Spark Project Networking ........................... SUCCESS [ 36.217 s]
[INFO] Spark Project Shuffle Streaming Service ............ SUCCESS [ 31.532 s]
[INFO] Spark Project Unsafe ............................... SUCCESS [ 33.338 s]
[INFO] Spark Project Launcher ............................. SUCCESS [ 19.204 s]
[INFO] Spark Project Core ................................. SUCCESS [05:24 min]
[INFO] Spark Project ML Local Library ..................... SUCCESS [01:20 min]
[INFO] Spark Project GraphX ............................... SUCCESS [01:41 min]
[INFO] Spark Project Streaming ............................ SUCCESS [02:36 min]
[INFO] Spark Project Catalyst ............................. SUCCESS [06:44 min]
[INFO] Spark Project SQL .................................. SUCCESS [07:10 min]
[INFO] Spark Project ML Library ........................... SUCCESS [05:48 min]
[INFO] Spark Project Tools ................................ SUCCESS [ 17.132 s]
[INFO] Spark Project Hive ................................. SUCCESS [02:49 min]
[INFO] Spark Project REPL ................................. SUCCESS [ 50.149 s]
[INFO] Spark Project Assembly ............................. SUCCESS [  6.706 s]
[INFO] Kafka 0.10+ Token Provider for Streaming ........... SUCCESS [ 44.131 s]
[INFO] Spark Integration for Kafka 0.10 ................... SUCCESS [01:08 min]
[INFO] Kafka 0.10+ Source for Structured Streaming ........ SUCCESS [01:45 min]
[INFO] Spark Project Examples ............................. SUCCESS [02:19 min]
[INFO] Spark Integration for Kafka 0.10 Assembly .......... SUCCESS [ 11.574 s]
[INFO] Spark Avro ......................................... SUCCESS [01:33 min]
[INFO] Spark Project Connect Common ....................... SUCCESS [ 48.653 s]
[INFO] Spark Project Connect Server ....................... SUCCESS [01:28 min]
[INFO] Spark Project Connect Client ....................... SUCCESS [ 19.989 s]
[INFO] Spark Protobuf ..................................... SUCCESS [01:24 min]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 49:49 min
[INFO] Finished at: 2023-01-05T02:06:51-08:00
[INFO] ------------------------------------------------------------------------
$ tree ~/.m2/repository/org/apache/spark | grep cyclonedx.xml
│ │ ├── spark-avro_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-catalyst_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-connect-client-jvm_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-connect-common_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-connect_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-core_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-graphx_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-hive_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-kvstore_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-launcher_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-mllib-local_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-mllib_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-network-common_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-network-shuffle_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-parent_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-protobuf_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-repl_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-sketch_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-sql-kafka-0-10_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-sql_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-streaming-kafka-0-10-assembly_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-streaming-kafka-0-10_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-streaming_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-tags_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ │ ├── spark-token-provider-kafka-0-10_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
│ ├── spark-unsafe_2.12-3.4.0-SNAPSHOT-cyclonedx.xml
```
Closes #39401 from dongjoon-hyun/SPARK-41893.
Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
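Consuming the published SBOM on the other side of the supply chain, as an added example that is not part of this Spark commit: it parses a constructed CycloneDX 1.4 JSON document shaped like the `-cyclonedx.json` the plugin attaches, walks the `dependencies` graph from the root artifact to list its direct and transitive components, and flags components that carry no hash. The `com.example` purls and the digests in the sample are made up.

```python
"""Walk a CycloneDX JSON SBOM, as published next to a Spark jar, listing
the root artifact's direct and transitive dependencies and flagging
components with no hash (which cannot be matched against downloaded jars)."""
import json
from collections import deque

ROOT = "pkg:maven/org.apache.spark/spark-tags_2.12@3.4.0-SNAPSHOT?type=jar"
SCALA = "pkg:maven/org.scala-lang/scala-library@2.12.17?type=jar"
LIB_A = "pkg:maven/com.example/lib-a@1.0?type=jar"   # hypothetical, unhashed
LIB_B = "pkg:maven/com.example/lib-b@2.0?type=jar"   # hypothetical

def _component(ref, hashed):
    """Minimal CycloneDX component entry keyed by its purl."""
    comp = {"bom-ref": ref, "purl": ref, "type": "library",
            "name": ref.split("/")[-1].split("@")[0]}
    if hashed:  # constructed digest, not a real artifact checksum
        comp["hashes"] = [{"alg": "SHA-256", "content": "00" * 32}]
    return comp

# Constructed sample shaped like cyclonedx-maven-plugin 2.7.x JSON output.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": _component(ROOT, True)},
    "components": [_component(SCALA, True), _component(LIB_A, False),
                   _component(LIB_B, True)],
    "dependencies": [{"ref": ROOT, "dependsOn": [SCALA, LIB_A]},
                     {"ref": LIB_A, "dependsOn": [LIB_B]},
                     {"ref": LIB_B, "dependsOn": []}],
})

def load_bom(text):
    """Parse and sanity-check the document header before trusting it."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX document")
    return bom

def transitive_deps(bom, ref=None):
    """Breadth-first walk of the 'dependencies' graph from ref (default: root)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    start = ref or bom["metadata"]["component"]["bom-ref"]
    seen, queue = [], deque(edges.get(start, []))
    while queue:
        cur = queue.popleft()
        if cur not in seen:
            seen.append(cur)
            queue.extend(edges.get(cur, []))
    return seen  # discovery order: direct dependencies first, then transitive

def unhashed_components(bom):
    """Return purls of components that list no hash at all."""
    return [c["purl"] for c in bom.get("components", []) if not c.get("hashes")]
```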
---
pom.xml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/pom.xml b/pom.xml
index e2ae0631f80..53a757ef2e4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3427,6 +3427,19 @@
<version>4.2.0</version>
<extensions>true</extensions>
</plugin>
+ <plugin>
+ <groupId>org.cyclonedx</groupId>
+ <artifactId>cyclonedx-maven-plugin</artifactId>
+ <version>2.7.3</version>
+ <executions>
+ <execution>
+ <phase>package</phase>
+ <goals>
+ <goal>makeBom</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</build>
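Review bot: the new `<plugin>` block binds `makeBom` to the `package` phase with no `<configuration>`, so which output formats are written, which dependency scopes are included and how the attached files are named all come from the plugin's defaults; since the commit message relies on both `-cyclonedx.xml` and `-cyclonedx.json` being produced, consider making that explicit with `<configuration><outputFormat>all</outputFormat></configuration>` so a later bump of `2.7.3` cannot silently change what gets published. Worth a follow-up as well: the release signing and checksum step should cover these attached SBOM files, since consumers can only trust a dependency inventory whose integrity they can verify.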