[https://issues.apache.org/jira/browse/AVRO-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17689613#comment-17689613]
Martin Tzvetanov Grigorov edited comment on AVRO-3700 at 2/16/23 8:34 AM:
--------------------------------------------------------------------------
The CycloneDX started causing problems with the "Maven reproducible build"
checks: [https://github.com/apache/avro/actions/runs/4192022965/jobs/7267089974]
I haven't investigated what exactly introduced the problem but all new Java-related
[PRs|https://github.com/apache/avro/pulls] now fail with the above problem.
> Publish Java SBOM artifacts with CycloneDX
> ------------------------------------------
>
> Key: AVRO-3700
> URL: https://issues.apache.org/jira/browse/AVRO-3700
> Project: Apache Avro
> Issue Type: Sub-task
> Components: build
> Affects Versions: 1.12.0
> Reporter: Dongjoon Hyun
> Assignee: Dongjoon Hyun
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.12.0
>
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> h3. Why are the changes needed?
> Here is an article to give some context.
> - [https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/]
> Software Bills of Materials (SBOMs) are additional artifacts containing the
> aggregate of all direct and transitive dependencies of a project. The US
> Government (based on NIST recommendations) currently accepts only the three
> most popular SBOM standards as valid, namely:
> [CycloneDX](https://cyclonedx.org/), [Software Identification (SWID)
> tag](https://csrc.nist.gov/projects/Software-Identification-SWID),
> [Software Package Data Exchange® (SPDX)](https://spdx.dev/).
> This PR uses the [CycloneDX Maven
> plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin), a lightweight
> software bill of materials (SBOM) standard designed for use in application
> security contexts and supply chain component analysis.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)