[jira] [Created] (GEODE-10481) Implement Software Bill of Materials (SBOM) Generation

Mon, 22 Sep 2025 12:08:27 -0700 

Jinwoo Hwang created GEODE-10481:
------------------------------------

             Summary: Implement Software Bill of Materials (SBOM) Generation
                 Key: GEODE-10481
                 URL: https://issues.apache.org/jira/browse/GEODE-10481
             Project: Geode
          Issue Type: New Feature
            Reporter: Jinwoo Hwang


h2. *Summary*

Implement automated Software Bill of Materials (SBOM) generation for Apache 
Geode to enhance supply chain security, improve dependency transparency, and 
meet modern compliance requirements for enterprise deployments.
h3. *Background*

Apache Geode currently lacks comprehensive dependency tracking and supply chain 
visibility, which creates challenges for:
 * Security vulnerability assessment across 8,629 Java files and 30+ modules
 * Enterprise compliance requirements (NIST, CISA guidelines)
 * Dependency license compliance verification
 * Supply chain risk management

h3. *Current State Analysis*
 * {*}Dependency Management{*}: Centralized in 
[DependencyConstraints.groovy|vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html]
 with 70+ external libraries
 * {*}Build System{*}: Gradle 7.3.3 with modular architecture (geode-core, 
geode-gfsh, geode-lucene, etc.)
 * {*}Security Scanning{*}: Basic CodeQL in GitHub Actions, no dependency 
vulnerability scanning
 * {*}Compliance Tools{*}: Limited to basic license headers and Apache RAT

h3. *Business Justification*
 # {*}Security Compliance{*}: Meet NIST SSDF and CISA requirements for federal 
deployments
 # {*}Enterprise Adoption{*}: Fortune 500 companies increasingly require SBOM 
for procurement
 # {*}Supply Chain Security{*}: Enable rapid response to zero-day 
vulnerabilities (Log4Shell-like events)
 # {*}License Compliance{*}: Automated verification of 3rd party library 
licenses
 # {*}DevSecOps Integration{*}: Foundation for advanced security scanning and 
monitoring

----
h2. *🎯 Acceptance Criteria*
h3. *Primary Requirements*
 *  Generate SPDX 2.3 format SBOM for all release artifacts
 *  Include both direct and transitive dependencies with version information
 *  Capture license information for all components
 *  Generate SBOMs for multi-module builds (30+ Geode modules)
 *  Integrate with existing Gradle build pipeline
 *  Support both JSON and XML output formats

h3. *Technical Requirements*
 *  No increase in build time >5%
 *  Compatible with current Gradle 7.3.3 (prepare for Gradle 8+ migration)
 *  Generate separate SBOMs for different distribution artifacts:
 ** 
[apache-geode-\{version}.tgz|vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html]
 (full distribution)
 ** 
[geode-core-\{version}.jar|vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html]
 ** 
[geode-gfsh-\{version}.jar|vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html]
 ** Docker images
 *  Include vulnerability database integration capabilities

h3. *Quality Gates*
 *  SBOM validation against SPDX specification
 *  All dependencies properly identified with CPE identifiers where applicable
 *  License compatibility verification
 *  Automated regression testing

----
h2. *🔧 Technical Implementation Plan*
h3. *Phase 1: Core SBOM Generation (Sprint 1-2)*
 
 
// Add to root build.gradle
plugins {
    id 'org.spdx.sbom' version '0.8.0'
}

sbom {
    targets {
        release {
            scopes = ['runtimeClasspath', 'compileClasspath']
            configurations = ['runtimeClasspath']
            outputDir = file("${buildDir}/sbom")
            outputName = "apache-geode-${version}"
        }
    }
}
 
 
h3. *Phase 2: Multi-Module Integration (Sprint 3)*
 * Configure SBOM generation for each Geode module
 * Aggregate module SBOMs into distribution-level SBOM
 * Handle inter-module dependencies correctly

h3. *Phase 3: CI/CD Integration (Sprint 4)*
 
 
# Add to .github/workflows/
- name: Generate SBOM
  run: ./gradlew generateSbom
  
- name: Validate SBOM
  uses: anchore/sbom-action@v0
  with:
    path: ./build/sbom/
    
- name: Upload SBOM Artifacts
  uses: actions/upload-artifact@v3
  with:
    name: sbom-files
    path: build/sbom/
 
 
h3. *Phase 4: Enhanced Security Integration (Sprint 5)*
 * Vulnerability scanning integration with generated SBOMs
 * License compliance verification
 * Supply chain risk assessment

----
h2. *📋 Subtasks*
h3. *🔧 Development Tasks*
 # {*}GEODE-XXXX-1{*}: Research and evaluate SBOM generation tools (Gradle 
plugins, Maven alternatives)
 # {*}GEODE-XXXX-2{*}: Implement basic SBOM generation for geode-core module
 # {*}GEODE-XXXX-3{*}: Extend SBOM generation to all 30+ Geode modules
 # {*}GEODE-XXXX-4{*}: Create aggregated distribution-level SBOM
 # {*}GEODE-XXXX-5{*}: Add Docker image SBOM generation
 # {*}GEODE-XXXX-6{*}: Integrate SBOM validation in build pipeline

h3. *🧪 Testing Tasks*
 # {*}GEODE-XXXX-7{*}: Create SBOM validation test suite
 # {*}GEODE-XXXX-8{*}: Verify SBOM accuracy against known dependency tree
 # {*}GEODE-XXXX-9{*}: Performance impact assessment on build times
 # {*}GEODE-XXXX-10{*}: Cross-platform build verification (Linux, macOS, 
Windows)

h3. *📚 Documentation Tasks*
 # {*}GEODE-XXXX-11{*}: Update build documentation with SBOM generation 
instructions
 # {*}GEODE-XXXX-12{*}: Create SBOM consumption guide for downstream users
 # {*}GEODE-XXXX-13{*}: Document license compliance verification process

----
h2. *📊 Success Metrics*
h3. *Functional Metrics*
 * ✅ 100% dependency coverage in generated SBOMs
 * ✅ SPDX 2.3 specification compliance validation passes
 * ✅ Zero false positives in license identification
 * ✅ Build time increase <5%

h3. *Security Metrics*
 * ✅ Enable vulnerability scanning for 100% of dependencies
 * ✅ Automated license compliance verification
 * ✅ Supply chain provenance tracking for critical components

h3. *Adoption Metrics*
 * ✅ SBOM artifacts included in all release distributions
 * ✅ Documentation completeness for enterprise consumers
 * ✅ Integration with existing Apache release process

----
h2. *⚠️ Risks & Mitigation*
||Risk||Impact||Probability||Mitigation||
|Build Performance Impact|Medium|Low|Incremental implementation, performance 
benchmarking|
|SPDX Compliance Issues|High|Medium|Use mature, well-tested SBOM generation 
tools|
|License Detection Accuracy|High|Medium|Manual verification of critical 
dependencies|
|CI/CD Pipeline Complexity|Medium|Medium|Phased rollout, comprehensive testing|
----
h2. *🔗 Dependencies*
h3. *Blocked By*
 * Current Java 17 migration completion (GEODE-10465)
 * Gradle build system stability

h3. *Blocks*
 * Advanced security scanning implementation
 * Enterprise compliance certification
 * Supply chain risk management initiatives

----
h2. *📅 Timeline*

{*}Total Estimated Effort{*}: 5-6 sprints (10-12 weeks)
 * {*}Sprint 1-2{*}: Core SBOM generation (4 weeks)
 * {*}Sprint 3{*}: Multi-module integration (2 weeks)
 * {*}Sprint 4{*}: CI/CD integration (2 weeks)
 * {*}Sprint 5{*}: Enhanced security features (2 weeks)
 * {*}Sprint 6{*}: Documentation and testing (2 weeks)

{*}Target Release{*}: Apache Geode 2.0.0
----
h2. *🎬 Definition of Done*
 *  SBOM generation integrated into all build artifacts
 *  SPDX 2.3 compliance verified via automated validation
 *  CI/CD pipeline includes SBOM generation and validation
 *  Documentation updated with SBOM usage instructions
 *  Performance benchmarks show <5% build time impact
 *  Security team approval for vulnerability scanning integration
 *  Apache release process updated to include SBOM artifacts
 *  Community notification and adoption guidance provided

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to