David Handermann created NIFI-14137:
---------------------------------------
Summary: Add SBOM and Dependency Scanning GitHub Workflow
Key: NIFI-14137
URL: https://issues.apache.org/jira/browse/NIFI-14137
Project: Apache NiFi
Issue Type: Improvement
Components: Tools and Build
Reporter: David Handermann
Assignee: David Handermann
The automated GitHub Actions workflows should be updated to include new steps
that generate a Software Bill-of-Materials and dependency scanning results for
the NiFi assembly.
Earlier versions of workflows included running the OWASP dependency check, but
changes to the database download process increased the time required to run the
scan.
The Anchore Syft and Grype tools are open source and licensed under Apache
Software License Version 2, providing GitHub Action integration through the
[sbom-action|https://github.com/anchore/sbom-action] and the
[scan-action|https://github.com/anchore/scan-action]. These tools support not
only container images, but standard Zip archives and introspection, capable of
enumerating packaged JAR files. Initial testing shows results produced in
minutes, making them ideal for automated evaluation. Although the SBOM produced
should not be considered official, it should provide additional options for
visibility into the packaged dependencies included in the standard NiFi assembly.
Based on how this works, SBOM generation could be considered for additional
build artifacts in subsequent work.
This scanning augments existing code quality and compliance capabilities that
already include Checkstyle, PMD, Apache Rat, and GitHub CodeQL.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
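The workflow the issue describes, sketched as an added example that is not part of the issue text or of the NiFi project's own build configuration. It assumes a Maven wrapper and a nifi-assembly module that produces nifi-<version>-bin.zip under target/ (the module path, build flags, and archive name are assumptions, as is the branch list). It uses the documented file, format, output-file and artifact-name inputs of anchore/sbom-action, the sbom, fail-build, severity-cutoff and output-format inputs of anchore/scan-action, and github/codeql-action/upload-sarif to publish the SARIF results in the repository's code scanning view:

```yaml
name: sbom-scan

on:
  workflow_dispatch:
  push:
    branches: [ main ]          # assumption: adjust to the project's branches

permissions:
  contents: read
  security-events: write        # required by codeql-action/upload-sarif

jobs:
  sbom-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'
          cache: maven

      # Assumption: module name, flags and archive name follow the layout of a
      # standard NiFi build; change these to match the real assembly artifact.
      - name: Build NiFi assembly
        run: ./mvnw -B -ntp -DskipTests -pl nifi-assembly -am package

      - name: Locate assembly archive
        id: locate
        run: |
          archive="$(ls nifi-assembly/target/nifi-*-bin.zip | head -n 1)"
          echo "archive=${archive}" >> "$GITHUB_OUTPUT"

      # Syft introspects the zip and enumerates the packaged JAR files.
      # The SBOM is written to a file and also uploaded as a workflow artifact.
      - name: Generate SBOM from assembly zip
        id: sbom
        uses: anchore/sbom-action@v0
        with:
          file: ${{ steps.locate.outputs.archive }}
          format: cyclonedx-json
          output-file: nifi-assembly.cdx.json
          artifact-name: nifi-assembly-sbom

      # Grype scans the SBOM produced above instead of re-scanning the archive,
      # so the vulnerability report and the SBOM describe the same components.
      - name: Scan SBOM with Grype
        id: scan
        uses: anchore/scan-action@v3
        with:
          sbom: nifi-assembly.cdx.json
          fail-build: false       # informational while the SBOM is unofficial
          severity-cutoff: high   # only findings at or above this level count
          output-format: sarif

      - name: Upload scan results to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

fail-build: false keeps the job non-blocking, which matches the issue's framing of the SBOM as unofficial; once a gating policy is agreed, setting it to true together with the severity cutoff turns the same step into a build gate. Grype still fetches its vulnerability database on each run, so if run times grow the database download is the first thing to check, as it was for the earlier OWASP dependency check step.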