sboorlagadda commented on PR #7933: URL: https://github.com/apache/geode/pull/7933#issuecomment-3342116332
> Hi @sboorlagadda, Thanks for stepping up and putting together a solid proposal. It’s great to see this moving forward. Curious—are we envisioning SBOM generation as part of every build, or is there flexibility depending on context?
>
> As we prepare for the Java 21+ upgrade in Geode 2.0, it's equally important to ensure readiness for Gradle 8.5. This alignment will help us avoid any build-time surprises and keep our integration smooth.

Thanks for the feedback and great questions! Let me address both points:

**SBOM Generation Flexibility:**

The proposal includes context-aware generation with multiple options:

- **Developer builds**: Optional by default (`./gradlew build` unchanged)
- **CI/CD builds**: Automatic generation via `generateSbom` task
- **Release builds**: Mandatory inclusion in distribution artifacts
- **On-demand**: `./gradlew generateSbom` for specific needs

This approach ensures zero disruption to daily development while guaranteeing SBOM artifacts for releases and security scanning.

**Gradle 8.5 & Java 21+ Readiness:**

Excellent point on future-proofing! The CycloneDX plugin choice specifically addresses this:

- **CycloneDX 3.0+**: Already Gradle 8.x compatible with active Java 21 testing
- **SPDX plugin**: Currently 0.9.0 with limited Gradle 8 support roadmap

I can validate Gradle 8.5 compatibility during the Phase 1 implementation and provide a migration path if needed. The modular approach in the proposal allows us to swap plugins without changing the overall architecture.

Would you prefer I add explicit Gradle 8.5 validation as a Phase 1 deliverable, or would a compatibility assessment during implementation be sufficient?
