There is an action running every night. We could for example run it once a week.

The only way to enable the generation is through a profile. Sometimes I do it myself, but in general it should be only the action. This kind of information should be tracked regularly; only at release time probably makes less sense. I fixed a bunch of deps based on some feedback I have from the SBOM. We can use a somewhat bigger time frame, like once a week, and avoid committing when checking locally. I don't think it would be a problem for bisecting. Only the camel-sbom folder is affected by the updates... I can put once a week if it's better.

On Wed, 25 Jan 2023, 11:38 Otavio Rodolfo Piske <angusyo...@gmail.com> wrote:

> Thanks Andrea, this looks really good.
>
> My only comment / concern is regarding how we are generating it.
>
> Would it be possible/feasible to generate this only as part of the release
> process? Or, optionally, by manually invoking a plugin? One concern that I
> have is that we are currently generating it whenever we update the
> dependencies and then committing it.
>
> This generates a lot of bogus commits of which - IMHO - we already have too
> many. This is becoming a problem to automate bisecting and back trace
> problems (but that's a separate discussion).
>
> What do you think?
>
> Kind regards
>
> On Thu, Jan 19, 2023 at 12:46 PM Andrea Cosentino <anco...@gmail.com>
> wrote:
>
> > Hello,
> >
> > Essentially it is enough to run a maven install.
> >
> > mvn install -DskipTests -Psbom
> >
> > The aggregate SBOM will be in the target folder at root level.
> >
> > We could tune it and find a way to automate this, for example through a
> > gh action.
> >
> > On Thu, 19 Jan 2023 at 12:43 Claus Ibsen <claus.ib...@gmail.com> wrote:
> >
> > > Hi Andrea
> > >
> > > How do you generate the sbom file? What command do you run from the root
> > > folder of Camel source code?
> > > And should we have this documented somewhere.
> > >
> > > On Thu, Jan 19, 2023 at 11:42 AM Andrea Cosentino <anco...@gmail.com>
> > > wrote:
> > >
> > > > Hello,
> > > >
> > > > Moving to Camel 4.x I think it's time to have a look at SBOM generation
> > > > and so on.
> > > >
> > > > I added a profile named sbom to the root POM.
> > > >
> > > > It will generate two files in the target folder: camel-sbom.json and
> > > > camel-sbom.xml.
> > > >
> > > > For the moment I chose to copy them into the camel-sbom folder manually,
> > > > so we can do the generation time-based (like once a week or something
> > > > like that).
> > > >
> > > > These SBOM files could be used to check if we are healthy or not in
> > > > terms of dependencies used.
> > > >
> > > > I think we should try to use this kind of information as standard;
> > > > there are multiple tools we could use to leverage the SBOM generation.
> > > >
> > > > For any questions let's discuss here :-)
> > > >
> > > > Thanks.
> > > >
> > >
> > > --
> > > Claus Ibsen
> > > -----------------
> > > @davsclaus
> > > Camel in Action 2: https://www.manning.com/ibsen2
> > >
> >
>
> --
> Otavio R. Piske
> http://orpiske.net
>
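Added example, not code from the Camel project or from anyone in this thread: a small Python check that compares the committed SBOM with a freshly generated one by dependency coordinates, so a scheduled job can skip the commit when no dependency actually changed, which is what keeps a weekly action from producing the bogus commits discussed above. It assumes the JSON written by the `sbom` profile follows the CycloneDX layout (a top-level `components` list whose entries carry `group`, `name` and `version`, plus a `serialNumber` and `metadata.timestamp` that differ on every run); the thread does not name the format, and the two sample snapshots below are constructed, not real Camel output.

```python
"""Diff two SBOM snapshots by dependency coordinates, ignoring per-run noise.

Added example, not code from the Camel project. Assumes CycloneDX-style JSON
(top-level "components" with group/name/version; serialNumber and
metadata.timestamp change on every generation and must not trigger a commit).
"""
import json
from typing import Dict, List, Tuple

Components = Dict[str, List[str]]

# Constructed sample snapshots: coordinates and versions are illustrative only.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:11111111-1111-1111-1111-111111111111",
    "metadata": {"timestamp": "2023-01-19T10:42:00Z"},
    "components": [
        {"group": "org.apache.camel", "name": "camel-core", "version": "3.20.0"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.14.0"},
        {"group": "org.yaml", "name": "snakeyaml", "version": "1.33"},
    ],
})

# Same dependency set regenerated a week later: only serialNumber/timestamp differ.
OLD_SBOM_REGENERATED = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:22222222-2222-2222-2222-222222222222",
    "metadata": {"timestamp": "2023-01-26T10:42:00Z"},
    "components": [
        {"group": "org.apache.camel", "name": "camel-core", "version": "3.20.0"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.14.0"},
        {"group": "org.yaml", "name": "snakeyaml", "version": "1.33"},
    ],
})

# A snapshot with real dependency changes: two bumps, one removal, one addition.
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:33333333-3333-3333-3333-333333333333",
    "metadata": {"timestamp": "2023-02-02T10:42:00Z"},
    "components": [
        {"group": "org.apache.camel", "name": "camel-core", "version": "3.20.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.14.2"},
        {"group": "org.xerial.snappy", "name": "snappy-java", "version": "1.1.8.4"},
    ],
})


def components(sbom_text: str) -> Components:
    """Map group:name -> sorted list of versions present in the BOM.

    An aggregate BOM can legitimately list one artifact at several versions
    (different modules resolving differently), so versions are kept as a list
    instead of being collapsed to a single value.
    """
    bom = json.loads(sbom_text)
    out: Dict[str, set] = {}
    for c in bom.get("components", []):
        key = f"{c.get('group', '')}:{c['name']}"
        out.setdefault(key, set()).add(c.get("version", ""))
    return {k: sorted(v) for k, v in out.items()}


def diff_sboms(old_text: str, new_text: str) -> Dict[str, dict]:
    """Return added/removed/changed coordinates between two snapshots.

    Everything outside "components" (serial number, timestamp, tool metadata)
    is deliberately ignored so that a regeneration with identical dependencies
    reports no change.
    """
    old, new = components(old_text), components(new_text)
    added = {k: new[k] for k in sorted(new.keys() - old.keys())}
    removed = {k: old[k] for k in sorted(old.keys() - new.keys())}
    changed: Dict[str, Tuple[List[str], List[str]]] = {
        k: (old[k], new[k]) for k in sorted(old.keys() & new.keys()) if old[k] != new[k]
    }
    return {"added": added, "removed": removed, "changed": changed}


def has_dependency_changes(old_text: str, new_text: str) -> bool:
    """True only if the dependency set differs; the commit gate for a scheduled job."""
    return any(diff_sboms(old_text, new_text).values())


def summarize(diff: Dict[str, dict]) -> str:
    """Render the diff as short lines suitable for a commit message body."""
    lines = []
    for k, v in diff["added"].items():
        lines.append(f"+ {k} {', '.join(v)}")
    for k, v in diff["removed"].items():
        lines.append(f"- {k} {', '.join(v)}")
    for k, (o, n) in diff["changed"].items():
        lines.append(f"~ {k} {', '.join(o)} -> {', '.join(n)}")
    return "\n".join(lines) if lines else "no dependency changes"


if __name__ == "__main__":
    print(summarize(diff_sboms(OLD_SBOM, NEW_SBOM)))
    print(has_dependency_changes(OLD_SBOM, OLD_SBOM_REGENERATED))
```

In a weekly action the two inputs would be the committed `camel-sbom/camel-sbom.json` and the freshly built `target/camel-sbom.json`; `has_dependency_changes` decides whether to copy and commit at all, and `summarize` gives the commit a body that says which artifacts moved, which is the information someone bisecting a regression actually wants from such a commit. Comparing the raw files with `git diff` does not work for this purpose, because the serial number and timestamp differ on every generation even when nothing else does.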