[
https://issues.apache.org/jira/browse/GEODE-10481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jinwoo Hwang updated GEODE-10481:
---------------------------------
Description:
h2. *Summary*
Implement automated Software Bill of Materials (SBOM) generation for Apache
Geode to enhance supply chain security, improve dependency transparency, and
meet modern compliance requirements for enterprise deployments.
h3. *Background*
Apache Geode currently lacks comprehensive dependency tracking and supply chain
visibility, which creates challenges for:
* Security vulnerability assessment across 8,629 Java files and 30+ modules
* Enterprise compliance requirements (NIST, CISA guidelines)
* Dependency license compliance verification
* Supply chain risk management
h3. *Current State Analysis*
* {*}Dependency Management{*}: Centralized in DependencyConstraints.groovy
with 70+ external libraries
* {*}Build System{*}: Gradle 7.3.3 with modular architecture (geode-core,
geode-gfsh, geode-lucene, etc.)
* {*}Security Scanning{*}: Basic CodeQL in GitHub Actions, no dependency
vulnerability scanning
* {*}Compliance Tools{*}: Limited to basic license headers and Apache RAT
h3. *Business Justification*
# {*}Security Compliance{*}: Meet NIST SSDF and CISA requirements for federal
deployments
# {*}Enterprise Adoption{*}: Fortune 500 companies increasingly require SBOM
for procurement
# {*}Supply Chain Security{*}: Enable rapid response to zero-day
vulnerabilities (Log4Shell-like events)
# {*}License Compliance{*}: Automated verification of 3rd party library
licenses
# {*}DevSecOps Integration{*}: Foundation for advanced security scanning and
monitoring
----
h2. *🎯 Acceptance Criteria*
h3. *Primary Requirements*
* Generate SPDX 2.3 format SBOM for all release artifacts
* Include both direct and transitive dependencies with version information
* Capture license information for all components
* Generate SBOMs for multi-module builds (30+ Geode modules)
* Integrate with existing Gradle build pipeline
* Support both JSON and XML output formats
h3. *Technical Requirements*
* No increase in build time >5%
* Compatible with current Gradle 7.3.3 (prepare for Gradle 8+ migration)
* Generate separate SBOMs for different distribution artifacts:
** apache-geode-\\{version}.tgz (full distribution)
** geode-core-\\{version}.jar
** geode-gfsh-\\{version}.jar
** Docker images
* Include vulnerability database integration capabilities
h3. *Quality Gates*
* SBOM validation against SPDX specification
* All dependencies properly identified with CPE identifiers where applicable
* License compatibility verification
* Automated regression testing
----
h2. *🔧 Technical Implementation Plan*
h3. *Phase 1: Core SBOM Generation (Sprint 1-2)*
// Add to root build.gradle
plugins
{ id 'org.spdx.sbom' version '0.8.0' }
sbom {
targets {
release {
scopes = ['runtimeClasspath', 'compileClasspath']
configurations = ['runtimeClasspath']
outputDir = file("${buildDir}/sbom")
outputName = "apache-geode-${version}"
}
}
}
h3. *Phase 2: Multi-Module Integration (Sprint 3)*
* Configure SBOM generation for each Geode module
* Aggregate module SBOMs into distribution-level SBOM
* Handle inter-module dependencies correctly
h3. *Phase 3: CI/CD Integration (Sprint 4)*
# Add to .github/workflows/
- name: Generate SBOM
run: ./gradlew generateSbom
- name: Validate SBOM
uses: anchore/sbom-action@v0
with:
path: ./build/sbom/
- name: Upload SBOM Artifacts
uses: actions/upload-artifact@v3
with:
name: sbom-files
path: build/sbom/
h3. *Phase 4: Enhanced Security Integration (Sprint 5)*
* Vulnerability scanning integration with generated SBOMs
* License compliance verification
* Supply chain risk assessment
----
h2. *📋 Subtasks*
h3. *🔧 Development Tasks*
# {*}GEODE-XXXX-1{*}: Research and evaluate SBOM generation tools (Gradle
plugins, Maven alternatives)
# {*}GEODE-XXXX-2{*}: Implement basic SBOM generation for geode-core module
# {*}GEODE-XXXX-3{*}: Extend SBOM generation to all 30+ Geode modules
# {*}GEODE-XXXX-4{*}: Create aggregated distribution-level SBOM
# {*}GEODE-XXXX-5{*}: Add Docker image SBOM generation
# {*}GEODE-XXXX-6{*}: Integrate SBOM validation in build pipeline
h3. *🧪 Testing Tasks*
# {*}GEODE-XXXX-7{*}: Create SBOM validation test suite
# {*}GEODE-XXXX-8{*}: Verify SBOM accuracy against known dependency tree
# {*}GEODE-XXXX-9{*}: Performance impact assessment on build times
# {*}GEODE-XXXX-10{*}: Cross-platform build verification (Linux, macOS,
Windows)
h3. *📚 Documentation Tasks*
# {*}GEODE-XXXX-11{*}: Update build documentation with SBOM generation
instructions
# {*}GEODE-XXXX-12{*}: Create SBOM consumption guide for downstream users
# {*}GEODE-XXXX-13{*}: Document license compliance verification process
----
h2. *📊 Success Metrics*
h3. *Functional Metrics*
* ✅ 100% dependency coverage in generated SBOMs
* ✅ SPDX 2.3 specification compliance validation passes
* ✅ Zero false positives in license identification
* ✅ Build time increase <5%
h3. *Security Metrics*
* ✅ Enable vulnerability scanning for 100% of dependencies
* ✅ Automated license compliance verification
* ✅ Supply chain provenance tracking for critical components
h3. *Adoption Metrics*
* ✅ SBOM artifacts included in all release distributions
* ✅ Documentation completeness for enterprise consumers
* ✅ Integration with existing Apache release process
----
h2. *⚠️ Risks & Mitigation*
||Risk||Impact||Probability||Mitigation||
|Build Performance Impact|Medium|Low|Incremental implementation, performance
benchmarking|
|SPDX Compliance Issues|High|Medium|Use mature, well-tested SBOM generation
tools|
|License Detection Accuracy|High|Medium|Manual verification of critical
dependencies|
|CI/CD Pipeline Complexity|Medium|Medium|Phased rollout, comprehensive testing|
----
h2. *🔗 Dependencies*
h3. *Blocked By*
* Current Java 17 migration completion (GEODE-10465)
* Gradle build system stability
h3. *Blocks*
* Advanced security scanning implementation
* Enterprise compliance certification
* Supply chain risk management initiatives
----
h2. *📅 Timeline*
{*}Total Estimated Effort{*}: 5-6 sprints (10-12 weeks)
* {*}Sprint 1-2{*}: Core SBOM generation (4 weeks)
* {*}Sprint 3{*}: Multi-module integration (2 weeks)
* {*}Sprint 4{*}: CI/CD integration (2 weeks)
* {*}Sprint 5{*}: Enhanced security features (2 weeks)
* {*}Sprint 6{*}: Documentation and testing (2 weeks)
{*}Target Release{*}: Apache Geode 2.0.0
----
h2. *🎬 Definition of Done*
* SBOM generation integrated into all build artifacts
* SPDX 2.3 compliance verified via automated validation
* CI/CD pipeline includes SBOM generation and validation
* Documentation updated with SBOM usage instructions
* Performance benchmarks show <5% build time impact
* Security team approval for vulnerability scanning integration
* Apache release process updated to include SBOM artifacts
* Community notification and adoption guidance provided
was:
h2. *Summary*
Implement automated Software Bill of Materials (SBOM) generation for Apache
Geode to enhance supply chain security, improve dependency transparency, and
meet modern compliance requirements for enterprise deployments.
h3. *Background*
Apache Geode currently lacks comprehensive dependency tracking and supply chain
visibility, which creates challenges for:
* Security vulnerability assessment across 8,629 Java files and 30+ modules
* Enterprise compliance requirements (NIST, CISA guidelines)
* Dependency license compliance verification
* Supply chain risk management
h3. *Current State Analysis*
* {*}Dependency Management{*}: Centralized in
[DependencyConstraints.groovy|vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html]
with 70+ external libraries
* {*}Build System{*}: Gradle 7.3.3 with modular architecture (geode-core,
geode-gfsh, geode-lucene, etc.)
* {*}Security Scanning{*}: Basic CodeQL in GitHub Actions, no dependency
vulnerability scanning
* {*}Compliance Tools{*}: Limited to basic license headers and Apache RAT
h3. *Business Justification*
# {*}Security Compliance{*}: Meet NIST SSDF and CISA requirements for federal
deployments
# {*}Enterprise Adoption{*}: Fortune 500 companies increasingly require SBOM
for procurement
# {*}Supply Chain Security{*}: Enable rapid response to zero-day
vulnerabilities (Log4Shell-like events)
# {*}License Compliance{*}: Automated verification of 3rd party library
licenses
# {*}DevSecOps Integration{*}: Foundation for advanced security scanning and
monitoring
----
h2. *🎯 Acceptance Criteria*
h3. *Primary Requirements*
* Generate SPDX 2.3 format SBOM for all release artifacts
* Include both direct and transitive dependencies with version information
* Capture license information for all components
* Generate SBOMs for multi-module builds (30+ Geode modules)
* Integrate with existing Gradle build pipeline
* Support both JSON and XML output formats
h3. *Technical Requirements*
* No increase in build time >5%
* Compatible with current Gradle 7.3.3 (prepare for Gradle 8+ migration)
* Generate separate SBOMs for different distribution artifacts:
**
[apache-geode-\{version}.tgz|vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html]
(full distribution)
**
[geode-core-\{version}.jar|vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html]
**
[geode-gfsh-\{version}.jar|vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html]
** Docker images
* Include vulnerability database integration capabilities
h3. *Quality Gates*
* SBOM validation against SPDX specification
* All dependencies properly identified with CPE identifiers where applicable
* License compatibility verification
* Automated regression testing
----
h2. *🔧 Technical Implementation Plan*
h3. *Phase 1: Core SBOM Generation (Sprint 1-2)*
// Add to root build.gradle
plugins {
id 'org.spdx.sbom' version '0.8.0'
}
sbom {
targets {
release {
scopes = ['runtimeClasspath', 'compileClasspath']
configurations = ['runtimeClasspath']
outputDir = file("${buildDir}/sbom")
outputName = "apache-geode-${version}"
}
}
}
h3. *Phase 2: Multi-Module Integration (Sprint 3)*
* Configure SBOM generation for each Geode module
* Aggregate module SBOMs into distribution-level SBOM
* Handle inter-module dependencies correctly
h3. *Phase 3: CI/CD Integration (Sprint 4)*
# Add to .github/workflows/
- name: Generate SBOM
run: ./gradlew generateSbom
- name: Validate SBOM
uses: anchore/sbom-action@v0
with:
path: ./build/sbom/
- name: Upload SBOM Artifacts
uses: actions/upload-artifact@v3
with:
name: sbom-files
path: build/sbom/
h3. *Phase 4: Enhanced Security Integration (Sprint 5)*
* Vulnerability scanning integration with generated SBOMs
* License compliance verification
* Supply chain risk assessment
----
h2. *📋 Subtasks*
h3. *🔧 Development Tasks*
# {*}GEODE-XXXX-1{*}: Research and evaluate SBOM generation tools (Gradle
plugins, Maven alternatives)
# {*}GEODE-XXXX-2{*}: Implement basic SBOM generation for geode-core module
# {*}GEODE-XXXX-3{*}: Extend SBOM generation to all 30+ Geode modules
# {*}GEODE-XXXX-4{*}: Create aggregated distribution-level SBOM
# {*}GEODE-XXXX-5{*}: Add Docker image SBOM generation
# {*}GEODE-XXXX-6{*}: Integrate SBOM validation in build pipeline
h3. *🧪 Testing Tasks*
# {*}GEODE-XXXX-7{*}: Create SBOM validation test suite
# {*}GEODE-XXXX-8{*}: Verify SBOM accuracy against known dependency tree
# {*}GEODE-XXXX-9{*}: Performance impact assessment on build times
# {*}GEODE-XXXX-10{*}: Cross-platform build verification (Linux, macOS,
Windows)
h3. *📚 Documentation Tasks*
# {*}GEODE-XXXX-11{*}: Update build documentation with SBOM generation
instructions
# {*}GEODE-XXXX-12{*}: Create SBOM consumption guide for downstream users
# {*}GEODE-XXXX-13{*}: Document license compliance verification process
----
h2. *📊 Success Metrics*
h3. *Functional Metrics*
* ✅ 100% dependency coverage in generated SBOMs
* ✅ SPDX 2.3 specification compliance validation passes
* ✅ Zero false positives in license identification
* ✅ Build time increase <5%
h3. *Security Metrics*
* ✅ Enable vulnerability scanning for 100% of dependencies
* ✅ Automated license compliance verification
* ✅ Supply chain provenance tracking for critical components
h3. *Adoption Metrics*
* ✅ SBOM artifacts included in all release distributions
* ✅ Documentation completeness for enterprise consumers
* ✅ Integration with existing Apache release process
----
h2. *⚠️ Risks & Mitigation*
||Risk||Impact||Probability||Mitigation||
|Build Performance Impact|Medium|Low|Incremental implementation, performance
benchmarking|
|SPDX Compliance Issues|High|Medium|Use mature, well-tested SBOM generation
tools|
|License Detection Accuracy|High|Medium|Manual verification of critical
dependencies|
|CI/CD Pipeline Complexity|Medium|Medium|Phased rollout, comprehensive testing|
----
h2. *🔗 Dependencies*
h3. *Blocked By*
* Current Java 17 migration completion (GEODE-10465)
* Gradle build system stability
h3. *Blocks*
* Advanced security scanning implementation
* Enterprise compliance certification
* Supply chain risk management initiatives
----
h2. *📅 Timeline*
{*}Total Estimated Effort{*}: 5-6 sprints (10-12 weeks)
* {*}Sprint 1-2{*}: Core SBOM generation (4 weeks)
* {*}Sprint 3{*}: Multi-module integration (2 weeks)
* {*}Sprint 4{*}: CI/CD integration (2 weeks)
* {*}Sprint 5{*}: Enhanced security features (2 weeks)
* {*}Sprint 6{*}: Documentation and testing (2 weeks)
{*}Target Release{*}: Apache Geode 2.0.0
----
h2. *🎬 Definition of Done*
* SBOM generation integrated into all build artifacts
* SPDX 2.3 compliance verified via automated validation
* CI/CD pipeline includes SBOM generation and validation
* Documentation updated with SBOM usage instructions
* Performance benchmarks show <5% build time impact
* Security team approval for vulnerability scanning integration
* Apache release process updated to include SBOM artifacts
* Community notification and adoption guidance provided
> Implement Software Bill of Materials (SBOM) Generation
> ------------------------------------------------------
>
> Key: GEODE-10481
> URL: https://issues.apache.org/jira/browse/GEODE-10481
> Project: Geode
> Issue Type: New Feature
> Reporter: Jinwoo Hwang
> Priority: Major
>
> h2. *Summary*
> Implement automated Software Bill of Materials (SBOM) generation for Apache
> Geode to enhance supply chain security, improve dependency transparency, and
> meet modern compliance requirements for enterprise deployments.
> h3. *Background*
> Apache Geode currently lacks comprehensive dependency tracking and supply
> chain visibility, which creates challenges for:
> * Security vulnerability assessment across 8,629 Java files and 30+ modules
> * Enterprise compliance requirements (NIST, CISA guidelines)
> * Dependency license compliance verification
> * Supply chain risk management
> h3. *Current State Analysis*
> * {*}Dependency Management{*}: Centralized in DependencyConstraints.groovy
> with 70+ external libraries
> * {*}Build System{*}: Gradle 7.3.3 with modular architecture (geode-core,
> geode-gfsh, geode-lucene, etc.)
> * {*}Security Scanning{*}: Basic CodeQL in GitHub Actions, no dependency
> vulnerability scanning
> * {*}Compliance Tools{*}: Limited to basic license headers and Apache RAT
> h3. *Business Justification*
> # {*}Security Compliance{*}: Meet NIST SSDF and CISA requirements for
> federal deployments
> # {*}Enterprise Adoption{*}: Fortune 500 companies increasingly require SBOM
> for procurement
> # {*}Supply Chain Security{*}: Enable rapid response to zero-day
> vulnerabilities (Log4Shell-like events)
> # {*}License Compliance{*}: Automated verification of 3rd party library
> licenses
> # {*}DevSecOps Integration{*}: Foundation for advanced security scanning and
> monitoring
> ----
> h2. *🎯 Acceptance Criteria*
> h3. *Primary Requirements*
> * Generate SPDX 2.3 format SBOM for all release artifacts
> * Include both direct and transitive dependencies with version information
> * Capture license information for all components
> * Generate SBOMs for multi-module builds (30+ Geode modules)
> * Integrate with existing Gradle build pipeline
> * Support both JSON and XML output formats
> h3. *Technical Requirements*
> * No increase in build time >5%
> * Compatible with current Gradle 7.3.3 (prepare for Gradle 8+ migration)
> * Generate separate SBOMs for different distribution artifacts:
> ** apache-geode-\\{version}.tgz (full distribution)
> ** geode-core-\\{version}.jar
> ** geode-gfsh-\\{version}.jar
> ** Docker images
> * Include vulnerability database integration capabilities
> h3. *Quality Gates*
> * SBOM validation against SPDX specification
> * All dependencies properly identified with CPE identifiers where applicable
> * License compatibility verification
> * Automated regression testing
> ----
> h2. *🔧 Technical Implementation Plan*
> h3. *Phase 1: Core SBOM Generation (Sprint 1-2)*
>
>
> // Add to root build.gradle
> plugins
> { id 'org.spdx.sbom' version '0.8.0' }
> sbom {
> targets {
> release {
> scopes = ['runtimeClasspath', 'compileClasspath']
> configurations = ['runtimeClasspath']
> outputDir = file("${buildDir}/sbom")
> outputName = "apache-geode-${version}"
> }
> }
> }
>
>
> h3. *Phase 2: Multi-Module Integration (Sprint 3)*
> * Configure SBOM generation for each Geode module
> * Aggregate module SBOMs into distribution-level SBOM
> * Handle inter-module dependencies correctly
> h3. *Phase 3: CI/CD Integration (Sprint 4)*
>
>
> # Add to .github/workflows/
> - name: Generate SBOM
> run: ./gradlew generateSbom
>
> - name: Validate SBOM
> uses: anchore/sbom-action@v0
> with:
> path: ./build/sbom/
>
> - name: Upload SBOM Artifacts
> uses: actions/upload-artifact@v3
> with:
> name: sbom-files
> path: build/sbom/
>
>
> h3. *Phase 4: Enhanced Security Integration (Sprint 5)*
> * Vulnerability scanning integration with generated SBOMs
> * License compliance verification
> * Supply chain risk assessment
> ----
> h2. *📋 Subtasks*
> h3. *🔧 Development Tasks*
> # {*}GEODE-XXXX-1{*}: Research and evaluate SBOM generation tools (Gradle
> plugins, Maven alternatives)
> # {*}GEODE-XXXX-2{*}: Implement basic SBOM generation for geode-core module
> # {*}GEODE-XXXX-3{*}: Extend SBOM generation to all 30+ Geode modules
> # {*}GEODE-XXXX-4{*}: Create aggregated distribution-level SBOM
> # {*}GEODE-XXXX-5{*}: Add Docker image SBOM generation
> # {*}GEODE-XXXX-6{*}: Integrate SBOM validation in build pipeline
> h3. *🧪 Testing Tasks*
> # {*}GEODE-XXXX-7{*}: Create SBOM validation test suite
> # {*}GEODE-XXXX-8{*}: Verify SBOM accuracy against known dependency tree
> # {*}GEODE-XXXX-9{*}: Performance impact assessment on build times
> # {*}GEODE-XXXX-10{*}: Cross-platform build verification (Linux, macOS,
> Windows)
> h3. *📚 Documentation Tasks*
> # {*}GEODE-XXXX-11{*}: Update build documentation with SBOM generation
> instructions
> # {*}GEODE-XXXX-12{*}: Create SBOM consumption guide for downstream users
> # {*}GEODE-XXXX-13{*}: Document license compliance verification process
> ----
> h2. *📊 Success Metrics*
> h3. *Functional Metrics*
> * ✅ 100% dependency coverage in generated SBOMs
> * ✅ SPDX 2.3 specification compliance validation passes
> * ✅ Zero false positives in license identification
> * ✅ Build time increase <5%
> h3. *Security Metrics*
> * ✅ Enable vulnerability scanning for 100% of dependencies
> * ✅ Automated license compliance verification
> * ✅ Supply chain provenance tracking for critical components
> h3. *Adoption Metrics*
> * ✅ SBOM artifacts included in all release distributions
> * ✅ Documentation completeness for enterprise consumers
> * ✅ Integration with existing Apache release process
> ----
> h2. *⚠️ Risks & Mitigation*
> ||Risk||Impact||Probability||Mitigation||
> |Build Performance Impact|Medium|Low|Incremental implementation, performance
> benchmarking|
> |SPDX Compliance Issues|High|Medium|Use mature, well-tested SBOM generation
> tools|
> |License Detection Accuracy|High|Medium|Manual verification of critical
> dependencies|
> |CI/CD Pipeline Complexity|Medium|Medium|Phased rollout, comprehensive
> testing|
> ----
> h2. *🔗 Dependencies*
> h3. *Blocked By*
> * Current Java 17 migration completion (GEODE-10465)
> * Gradle build system stability
> h3. *Blocks*
> * Advanced security scanning implementation
> * Enterprise compliance certification
> * Supply chain risk management initiatives
> ----
> h2. *📅 Timeline*
> {*}Total Estimated Effort{*}: 5-6 sprints (10-12 weeks)
> * {*}Sprint 1-2{*}: Core SBOM generation (4 weeks)
> * {*}Sprint 3{*}: Multi-module integration (2 weeks)
> * {*}Sprint 4{*}: CI/CD integration (2 weeks)
> * {*}Sprint 5{*}: Enhanced security features (2 weeks)
> * {*}Sprint 6{*}: Documentation and testing (2 weeks)
> {*}Target Release{*}: Apache Geode 2.0.0
> ----
> h2. *🎬 Definition of Done*
> * SBOM generation integrated into all build artifacts
> * SPDX 2.3 compliance verified via automated validation
> * CI/CD pipeline includes SBOM generation and validation
> * Documentation updated with SBOM usage instructions
> * Performance benchmarks show <5% build time impact
> * Security team approval for vulnerability scanning integration
> * Apache release process updated to include SBOM artifacts
> * Community notification and adoption guidance provided
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
