[
https://issues.apache.org/jira/browse/NIFI-14137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-14137:
------------------------------------
Status: Patch Available (was: In Progress)
> Add SBOM and Dependency Scanning GitHub Workflow
> ------------------------------------------------
>
> Key: NIFI-14137
> URL: https://issues.apache.org/jira/browse/NIFI-14137
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The automated GitHub Actions workflows should be updated to include new steps
> that generate a Software Bill-of-Materials and dependency scanning results
> for the NiFi assembly.
> Earlier versions of workflows included running the OWASP dependency check,
> but changes to the database download process increased the time required to
> run the scan.
> The Anchore Syft and Grype tools are open source and licensed under Apache
> Software License Version 2, providing GitHub Action integration through the
> [sbom-action|https://github.com/anchore/sbom-action] and the
> [scan-action|https://github.com/anchore/scan-action]. These tools support not
> only container images, but standard Zip archives and introspection, capable
> of enumerating packaged JAR files. Initial testing shows results produced in
> minutes, making them ideal for automated evaluation. Although the SBOM
> produced should not be considered official, it should provide additional
> options for visibility into the packaged dependencies included in the
> standard NiFi assembly.
> Based on how this works, SBOM generation could be considered for additional
> build artifacts in subsequent work.
> This scanning augments existing code quality and compliance capabilities that
> already include Checkstyle, PMD, Apache Rat, and GitHub CodeQL.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
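As an added illustration of the workflow described in the issue (example code written here, not the NiFi project's own workflow and not attached to the ticket): a GitHub Actions job that builds the assembly, has anchore/sbom-action produce an SBOM of the resulting Zip archive, feeds that SBOM to anchore/scan-action, and uploads the SARIF output alongside the existing CodeQL results. The Maven wrapper invocation, the `nifi-assembly` module name, the `nifi-*-bin.zip` artifact path, and the action version tags are assumptions for this example and should be checked against the repository and each action's README before use.

```yaml
# Added example (not from the NiFi project): build the assembly, generate an
# SBOM of the Zip archive with Syft, scan it with Grype, and publish results.
# Assumptions: ./mvnw, the nifi-assembly module, the nifi-*-bin.zip artifact
# path and the action version tags are illustrative and must be verified.
name: sbom-and-dependency-scan

on:
  push:
    branches: [ main ]
  pull_request:
  schedule:
    - cron: '0 6 * * 1'   # weekly, so newly published advisories surface without a code change

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the repository Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'
          cache: maven

      # Build only the assembly module and what it depends on (assumed module name).
      - name: Build assembly
        run: ./mvnw -B -ntp -DskipTests -pl nifi-assembly -am package

      # Resolve the versioned archive name once so later steps can reference it.
      - name: Locate assembly archive
        id: locate
        run: echo "zip=$(ls nifi-assembly/target/nifi-*-bin.zip | head -n 1)" >> "$GITHUB_OUTPUT"

      # Syft introspects the Zip archive directly and enumerates the packaged JARs;
      # the SBOM is kept as a workflow artifact for later review.
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          file: ${{ steps.locate.outputs.zip }}
          format: cyclonedx-json
          output-file: nifi-assembly.cdx.json
          artifact-name: nifi-assembly-sbom
          upload-artifact: true

      # Grype matches the SBOM against its vulnerability database; only the
      # database is downloaded, which keeps the step to minutes.
      - name: Scan SBOM
        id: grype
        uses: anchore/scan-action@v3
        with:
          sbom: nifi-assembly.cdx.json
          fail-build: false        # report-only until the baseline has been triaged
          severity-cutoff: high
          only-fixed: true         # matches with no available fix are noise for a gate

      # Upload even when the scan step reports findings, so results are visible.
      - name: Upload results to GitHub code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}
```

Keeping `fail-build: false` while the first results are triaged avoids blocking unrelated pull requests on pre-existing findings; once known issues are recorded (for example via a Grype ignore rule or a VEX document), the step can be switched to fail the build at the chosen severity cutoff. The `file:` input is what lets Syft treat the assembly Zip as the scan target, matching the archive introspection the issue describes.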