Hi Jarek,

On 7.11.2024 02:48, Jarek Potiuk wrote:
> As I understand - most Java projects that use Maven can simply use the
> cyclonedx-maven plugin https://github.com/CycloneDX/cyclonedx-maven-plugin and
> I guess basically that's how you start - and I think that's where the JDO team
> can start.
> Airflow - being mostly a Python + some JavaScript project - uses CDXGEN
> https://cyclonedx.github.io/cdxgen/, which is another way of generating
> SBOMs (and they have a number of tutorials), but likely the Maven route is
> simpler for those who already use Maven.
>
> I personally do not know much about the Maven plugin, so can't say more -
> but probably looking at the docs and looking at other - similar - projects
> in the list above and seeing how they are producing it might be a good
> start, and maybe the JDO team could ask their questions in the thread here
> after following the cyclonedx maven plugin docs and looking at the other
> list.

For completeness' sake, there are actually two Maven plugins for SBOMs:

* `cyclonedx-maven-plugin` produces SBOMs in CycloneDX format[1], which is an Ecma standard of the OWASP Foundation.

* `spdx-maven-plugin`[2] produces SBOMs in SPDX[3] format, which is an ISO standard of the Linux Foundation.

It would be recommended to use both formats, although at Logging Services we admittedly only use CycloneDX, because it is reproducible[4] and has an ASF maintainer (Hervé).

Both plugins are pretty straightforward to use. The philosophy of the CycloneDX plugin (as with most Maven plugins) is to give users only a few choices and have the right defaults. The most important choices IMHO are:

* whether to also publish an aggregated SBOM for the Maven aggregator module (`org.apache:jdo` in your case) or not. The aggregated SBOM basically merges all the SBOMs of the multi-module Maven project. Its usefulness is debatable.

* what external references[5] do you want to appear in your SBOM. The list of possible references is long[6], but you should at least check those that are automatically added. This is when we discovered that most of the URLs in our POMs did not resolve and we had to add magical `child.*.inherit.append.path`[7] attributes to the parent.
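
To make those two choices concrete, here is a parent POM excerpt, written as an added example for this thread rather than taken from JDO, Logging Services or the plugin's own documentation. The groupId, artifactId, version, module names, URLs and the plugin version property are placeholders. It binds `makeBom` in every module and `makeAggregateBom` only in the aggregator, and it sets the `child.*.inherit.append.path` attributes so that inherited `<url>` and `<scm>` values are not suffixed with the module artifactId in child modules (Maven 3.6.1 or later), which is what produced the non-resolving external references mentioned above.

```xml
<!-- Added example (not from the thread). All coordinates, URLs and the
     plugin version property are placeholders to be replaced. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"
         child.project.url.inherit.append.path="false">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <!-- These URLs become externalReferences in the generated SBOM (website, vcs).
       Without the child.*.inherit.append.path="false" attributes, each child
       module would inherit https://example.org/project/module-a, which
       typically does not resolve; with them, children inherit the parent URL. -->
  <url>https://example.org/project</url>
  <scm child.scm.connection.inherit.append.path="false"
       child.scm.developerConnection.inherit.append.path="false"
       child.scm.url.inherit.append.path="false">
    <connection>scm:git:https://git.example.org/project.git</connection>
    <developerConnection>scm:git:https://git.example.org/project.git</developerConnection>
    <url>https://git.example.org/project</url>
  </scm>

  <modules>
    <module>module-a</module>
    <module>module-b</module>
  </modules>

  <properties>
    <!-- Placeholder: pin the plugin release you have reviewed. -->
    <cyclonedx-maven-plugin.version>REPLACE-WITH-PINNED-VERSION</cyclonedx-maven-plugin.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>${cyclonedx-maven-plugin.version}</version>
        <executions>
          <!-- One SBOM per module, attached to the module's artifacts. -->
          <execution>
            <id>per-module-sbom</id>
            <phase>package</phase>
            <goals>
              <goal>makeBom</goal>
            </goals>
          </execution>
          <!-- Optional aggregated SBOM covering all modules; inherited=false
               keeps it from running again inside every child module. -->
          <execution>
            <id>aggregate-sbom</id>
            <phase>package</phase>
            <goals>
              <goal>makeAggregateBom</goal>
            </goals>
            <inherited>false</inherited>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After `mvn package`, open the generated `bom.json` (or `bom.xml`) of a child module and look at its `externalReferences` block: each URL there should be reachable, and none should carry an appended module name. Dropping the `aggregate-sbom` execution is the "no aggregated SBOM" choice; nothing else changes.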

Piotr

[1] https://cyclonedx.org/

[2] https://github.com/spdx/spdx-maven-plugin

[3] https://spdx.dev/

[4] https://maven.apache.org/guides/mini/guide-reproducible-builds.html

[5] https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html

[6] https://cyclonedx.org/docs/1.6/json/#externalReferences_items_type

[7] https://maven.apache.org/ref/3.9.9/maven-model-builder/
