[
https://issues.apache.org/jira/browse/GEODE-10481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18023466#comment-18023466
]
ASF subversion and git services commented on GEODE-10481:
---------------------------------------------------------
Commit 2699a031daa2d9182126c88edb4c58fa30071777 in geode's branch
refs/heads/feature/GEODE-10481-Phase1-PR1 from Sai Boorlagadda
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=2699a031da ]
GEODE-10481: Proposal & Todo (#7937)
> Implement Software Bill of Materials (SBOM) Generation
> ------------------------------------------------------
>
> Key: GEODE-10481
> URL: https://issues.apache.org/jira/browse/GEODE-10481
> Project: Geode
> Issue Type: New Feature
> Reporter: Jinwoo Hwang
> Assignee: Sai Boorlagadda
> Priority: Major
>
> h2. *Summary*
> Implement automated Software Bill of Materials (SBOM) generation for Apache
> Geode to enhance supply chain security, improve dependency transparency, and
> meet modern compliance requirements for enterprise deployments.
> h3. *Background*
> Apache Geode currently lacks comprehensive dependency tracking and supply
> chain visibility, which creates challenges for:
> * Security vulnerability assessment across 8,629 Java files and 30+ modules
> * Enterprise compliance requirements (NIST, CISA guidelines)
> * Dependency license compliance verification
> * Supply chain risk management
> h3. *Current State Analysis*
> * {*}Dependency Management{*}: Centralized in DependencyConstraints.groovy
> with 70+ external libraries
> * {*}Build System{*}: Gradle 7.3.3 with modular architecture (geode-core,
> geode-gfsh, geode-lucene, etc.)
> * {*}Security Scanning{*}: Basic CodeQL in GitHub Actions, no dependency
> vulnerability scanning
> * {*}Compliance Tools{*}: Limited to basic license headers and Apache RAT
> h3. *Business Justification*
> # {*}Security Compliance{*}: Meet NIST SSDF and CISA requirements for
> federal deployments
> # {*}Enterprise Adoption{*}: Fortune 500 companies increasingly require SBOM
> for procurement
> # {*}Supply Chain Security{*}: Enable rapid response to zero-day
> vulnerabilities (Log4Shell-like events)
> # {*}License Compliance{*}: Automated verification of 3rd party library
> licenses
> # {*}DevSecOps Integration{*}: Foundation for advanced security scanning and
> monitoring
> ----
> h2. *🎯 Acceptance Criteria*
> h3. *Primary Requirements*
> * Generate SPDX 2.3 format SBOM for all release artifacts
> * Include both direct and transitive dependencies with version information
> * Capture license information for all components
> * Generate SBOMs for multi-module builds (30+ Geode modules)
> * Integrate with existing Gradle build pipeline
> * Support both JSON and XML output formats
> h3. *Technical Requirements*
> * No increase in build time >5%
> * Compatible with current Gradle 7.3.3 (prepare for Gradle 8+ migration)
> * Generate separate SBOMs for different distribution artifacts:
> ** apache-geode-\\{version}.tgz (full distribution)
> ** geode-core-\\{version}.jar
> ** geode-gfsh-\\{version}.jar
> ** Docker images
> * Include vulnerability database integration capabilities
> h3. *Quality Gates*
> * SBOM validation against SPDX specification
> * All dependencies properly identified with CPE identifiers where applicable
> * License compatibility verification
> * Automated regression testing
> ----
> h2. *🔧 Technical Implementation Plan*
> h3. *Phase 1: Core SBOM Generation (Sprint 1-2)*
>
>
> // Add to root build.gradle
> plugins
> { id 'org.spdx.sbom' version '0.8.0' }
> sbom {
> targets {
> release {
> scopes = ['runtimeClasspath', 'compileClasspath']
> configurations = ['runtimeClasspath']
> outputDir = file("${buildDir}/sbom")
> outputName = "apache-geode-${version}"
> }
> }
> }
>
>
> h3. *Phase 2: Multi-Module Integration (Sprint 3)*
> * Configure SBOM generation for each Geode module
> * Aggregate module SBOMs into distribution-level SBOM
> * Handle inter-module dependencies correctly
> h3. *Phase 3: CI/CD Integration (Sprint 4)*
>
>
> # Add to .github/workflows/
> - name: Generate SBOM
> run: ./gradlew generateSbom
>
> - name: Validate SBOM
> uses: anchore/sbom-action@v0
> with:
> path: ./build/sbom/
>
> - name: Upload SBOM Artifacts
> uses: actions/upload-artifact@v3
> with:
> name: sbom-files
> path: build/sbom/
>
>
> h3. *Phase 4: Enhanced Security Integration (Sprint 5)*
> * Vulnerability scanning integration with generated SBOMs
> * License compliance verification
> * Supply chain risk assessment
> ----
> h2. *📋 Subtasks*
> h3. *🔧 Development Tasks*
> # {*}GEODE-XXXX-1{*}: Research and evaluate SBOM generation tools (Gradle
> plugins, Maven alternatives)
> # {*}GEODE-XXXX-2{*}: Implement basic SBOM generation for geode-core module
> # {*}GEODE-XXXX-3{*}: Extend SBOM generation to all 30+ Geode modules
> # {*}GEODE-XXXX-4{*}: Create aggregated distribution-level SBOM
> # {*}GEODE-XXXX-5{*}: Add Docker image SBOM generation
> # {*}GEODE-XXXX-6{*}: Integrate SBOM validation in build pipeline
> h3. *🧪 Testing Tasks*
> # {*}GEODE-XXXX-7{*}: Create SBOM validation test suite
> # {*}GEODE-XXXX-8{*}: Verify SBOM accuracy against known dependency tree
> # {*}GEODE-XXXX-9{*}: Performance impact assessment on build times
> # {*}GEODE-XXXX-10{*}: Cross-platform build verification (Linux, macOS,
> Windows)
> h3. *📚 Documentation Tasks*
> # {*}GEODE-XXXX-11{*}: Update build documentation with SBOM generation
> instructions
> # {*}GEODE-XXXX-12{*}: Create SBOM consumption guide for downstream users
> # {*}GEODE-XXXX-13{*}: Document license compliance verification process
> ----
> h2. *📊 Success Metrics*
> h3. *Functional Metrics*
> * ✅ 100% dependency coverage in generated SBOMs
> * ✅ SPDX 2.3 specification compliance validation passes
> * ✅ Zero false positives in license identification
> * ✅ Build time increase <5%
> h3. *Security Metrics*
> * ✅ Enable vulnerability scanning for 100% of dependencies
> * ✅ Automated license compliance verification
> * ✅ Supply chain provenance tracking for critical components
> h3. *Adoption Metrics*
> * ✅ SBOM artifacts included in all release distributions
> * ✅ Documentation completeness for enterprise consumers
> * ✅ Integration with existing Apache release process
> ----
> h2. *⚠️ Risks & Mitigation*
> ||Risk||Impact||Probability||Mitigation||
> |Build Performance Impact|Medium|Low|Incremental implementation, performance
> benchmarking|
> |SPDX Compliance Issues|High|Medium|Use mature, well-tested SBOM generation
> tools|
> |License Detection Accuracy|High|Medium|Manual verification of critical
> dependencies|
> |CI/CD Pipeline Complexity|Medium|Medium|Phased rollout, comprehensive
> testing|
> ----
> h2. *🔗 Dependencies*
> h3. *Blocked By*
> * Current Java 17 migration completion (GEODE-10465)
> * Gradle build system stability
> h3. *Blocks*
> * Advanced security scanning implementation
> * Enterprise compliance certification
> * Supply chain risk management initiatives
> ----
> h2. *📅 Timeline*
> {*}Total Estimated Effort{*}: 5-6 sprints (10-12 weeks)
> * {*}Sprint 1-2{*}: Core SBOM generation (4 weeks)
> * {*}Sprint 3{*}: Multi-module integration (2 weeks)
> * {*}Sprint 4{*}: CI/CD integration (2 weeks)
> * {*}Sprint 5{*}: Enhanced security features (2 weeks)
> * {*}Sprint 6{*}: Documentation and testing (2 weeks)
> {*}Target Release{*}: Apache Geode 2.0.0
> ----
> h2. *🎬 Definition of Done*
> * SBOM generation integrated into all build artifacts
> * SPDX 2.3 compliance verified via automated validation
> * CI/CD pipeline includes SBOM generation and validation
> * Documentation updated with SBOM usage instructions
> * Performance benchmarks show <5% build time impact
> * Security team approval for vulnerability scanning integration
> * Apache release process updated to include SBOM artifacts
> * Community notification and adoption guidance provided
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
