Dear ONAP team, I am bumping this conversation in case anyone needs more information on how the SBOM generator works and how to enable it. I would also recommend that teams try this manually in your workspace and ask me any questions.
One of the issues we are working on is the transitive dependency errors, which you might not notice if your workspace has a complete ONAP tree built and cloned. Will update you more on this.

Thanks a ton!
Jess

On Thu, Mar 17, 2022 at 11:37 AM jwagantall via lists.onap.org <jwagantall= [email protected]> wrote:

> Dear ONAP team
>
> We have implemented a new feature in global-jjb for SPDX SBOM Generator reports to be optionally produced as part of the autorelease package for Maven staged release candidates.
>
> *What is it?*
>
> *Software Package Data Exchange (SPDX)* is an open standard for communicating software bill of materials (SBOM) information that supports accurate identification of software components, explicit mapping of relationships between components, and the association of security and licensing information with each component.
>
> In global-jjb "lf-infra-maven-sbom-generator" is an optional builder step for the "gerrit-maven-stage" job.
>
> *How to use it?*
>
> To enable SPDX SBOM Generator, set "*sbom-generator*" to true for your gerrit-maven-stage jobs.
> *This feature is disabled by default for all projects*
>
> Optional variables:
> - "*sbom-flags*" to pass any optional flags to the executor according to:
>   https://github.com/opensbom-generator/spdx-sbom-generator
> - "*sbom-generator-version*" to use a specific SPDX SBOM Generator version (default is "v0.0.10")
>
> Code example:
>
>     - gerrit-maven-stage:
>         sbom-generator: true
>         sbom-flags: "-p test/path/example"
>         sbom-generator-version: v0.0.13
>
> *What does it do?*
>
> When "sbom-generator" is true, "gerrit-maven-stage" will run the SPDX SBOM Generator tool to generate a software bill of materials with current package managers.
>
> This report will be part of the "autorelease" package for a staged release candidate.
> For example:
> https://nexus.onap.org/content/repositories/autorelease-318953/
>
> *Where can I learn more about it?*
>
> More about SPDX SBOM Generator:
> https://github.com/opensbom-generator/spdx-sbom-generator
> More about maven-stage:
> https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-maven-stage
> Maven-stage code:
> https://github.com/lfit/releng-global-jjb/blob/master/jjb/lf-maven-jobs.yaml#L817
>
> If you have any questions or need assistance, please contact
> https://support.linuxfoundation.org/
>
> Thank you!
> Jess
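A downstream check on the report the job produces, as an added example that is not part of this thread, of global-jjb or of spdx-sbom-generator: it parses an SPDX 2.x tag-value SBOM (the format the generator writes by default) and flags packages whose concluded license, version or checksum is missing, which is what a release reviewer would triage before promoting a staged candidate. The sample SBOM is constructed and the function names are my own.

```python
# Flag SBOM packages that lack license or integrity data (release-review aid).
import re

# Constructed SPDX 2.x tag-value sample; not taken from any ONAP build.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
PackageName: org.example:good-lib
PackageVersion: 1.4.2
PackageLicenseConcluded: Apache-2.0
PackageChecksum: SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
PackageName: org.example:unlicensed-lib
PackageVersion: 0.9.0
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageName: org.example:unpinned-lib
PackageLicenseConcluded: MIT
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")  # "Tag: value" lines only

def parse_packages(text):
    """Return one {tag: value} dict per PackageName block, in file order."""
    packages = []
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue  # blank lines and <text> continuations are skipped
        tag, value = m.groups()
        if tag == "PackageName":
            packages.append({tag: value})  # PackageName opens a new block
        elif packages:
            packages[-1].setdefault(tag, value)  # document-level tags ignored
    return packages

def review(text):
    """Return sorted (package, issue) pairs that need a human decision."""
    findings = []
    for pkg in parse_packages(text):
        name = pkg["PackageName"]
        if pkg.get("PackageLicenseConcluded", "NOASSERTION") in ("NOASSERTION", "NONE"):
            findings.append((name, "no concluded license"))
        if "PackageVersion" not in pkg:
            findings.append((name, "no version"))
        if "PackageChecksum" not in pkg:
            findings.append((name, "no checksum"))
    return sorted(findings)
```

Run it over the `.spdx` file pulled from the autorelease staging repository instead of `SAMPLE_SBOM`; an empty result means every package carries a concluded license, a pinned version and a checksum.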
