Re: [eclipse.org-architecture-council] Adding SBOM Generation to Builds

My apologies.

Here's the link:

https://gitlab.eclipse.org/eclipsefdn/emo-team/sbom

I also attempted to include a link to one specific issue: SBOMs don't make sense for individual Eclipse Platform Plug-ins.

I swear that I'm getting worse at this.

/shakes head

Wayne

On Thu, Oct 5, 2023 at 3:36 AM Tsvetkov, Krum via eclipse.org-architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx> wrote:

Hi Wayne,

could you share a link to the assembled documentation? Sorry if I missed it when it was shared, but I can't find anything besides the short info in the handbook.

 

> For those of you who have familiarity with the space...

I have no deep understanding of the topic, but I could at least give some feedback as “the inexperienced user of the docs”. Last week I tried to get the Memory Analyzer build to produce an SBOM [1] (by copying what was done in the Dash project). It was straightforward to get “something” generated, but that also raised a few questions, so I could see if I get answers to some of these in the documentation you mentioned.

 

Regards

Krum

 

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=582480

 

From: eclipse.org-architecture-council <eclipse.org-architecture-council-bounces@xxxxxxxxxxx> on behalf of Wayne Beaton via eclipse.org-architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx>
Date: Thursday, 5. October 2023 at 04:19
To: eclipse.org-architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx>
Subject: [eclipse.org-architecture-council] Adding SBOM Generation to Builds

Hey Architecture Council.

We need your help.

We've discussed options for automating the construction of SBOMs, but our efforts in this regard have not delivered as we had hoped. At this point, we've come to the conclusion that we need to have some help from our project teams to generate them.

At this point, our main focus is to just generate the SBOMs. How and where we make them available to others is also a requirement, but we'll need to defer that for now. This means that anything that we decide now may need to be revised. This is likely going to be an incremental effort.

We've assembled some documentation to describe how to create SBOMs and need your help to make sure that it is correct and complete. We have what I believe is pretty comprehensive documentation to create SBOMs for Maven-based builds of Java libraries and for NPM components, leveraging existing tools.

For those of you who have familiarity with the space... our focus has been on generating CycloneDX SBOMs. We're equally interested in SPDX SBOMs and invite your assistance if you have a particular affinity for SPDX.

Since the tools that we're using generate SBOMs based on metadata, an important first step is that effort be undertaken to ensure that the metadata is complete. This means that things that are not consistently specified in pom.xml files, like licenses, need to be specified. We've provided specific advice in the documentation.

We haven't done a lot of work with Eclipse Platform/OSGi content yet; any help that you can provide would be... well... helpful.

So, here's the request... Can you have a look at the content that we've produced, try to apply it to some subset of the projects that you work with, and report back any interesting discoveries, concerns, or issues that you encounter as issues here. If this request sounds a little open-ended or half-baked, that’s because it is. We need your help to move this to a point where we can start working with the general committer community to make this happen.

We've been tinkering with a few repositories, so you might also get copied on a pull request here or there.

Let's also add this as an agenda topic on our next couple of meetings/calls.

 

Wayne and Mikael


--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation



My working day may not be your working day! Please don’t feel obliged to read or reply to this e-mail outside of your normal working hours.

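Wayne's point that the generators work purely from build metadata, and Krum's experience of getting "something" generated and then wondering whether it was complete, both come down to the same check: does every component in the produced BOM carry a version, a package URL and a license? The script below is an added example written for this archive page; it is not code from the thread, from the EMO's SBOM documentation or from the CycloneDX project. It reads a CycloneDX JSON document (the `components[]` / `licenses[]` layout of the 1.4 JSON format), reports each component whose metadata is incomplete, and runs against a constructed sample BOM in which two entries are deliberately missing data, the kind of gap a `pom.xml` without a `<licenses>` block produces.

```python
"""Report metadata gaps in a CycloneDX JSON SBOM.

Added example, not part of the mailing-list thread or the Eclipse SBOM docs.
SAMPLE_BOM is constructed for illustration; the field names follow the
CycloneDX 1.4 JSON layout (components[], purl, licenses[].license.id/name,
licenses[].expression).
"""
import json

# Constructed sample: two components are complete, two have gaps.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application",
                               "name": "org.example.app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "group": "org.example", "name": "util", "version": "2.3.1",
         "purl": "pkg:maven/org.example/util@2.3.1",
         "licenses": [{"license": {"id": "EPL-2.0"}}]},
        {"type": "library", "group": "org.example", "name": "core", "version": "1.8.0",
         "purl": "pkg:maven/org.example/core@1.8.0",
         "licenses": [{"expression": "EPL-2.0 OR Apache-2.0"}]},
        # Built from a pom.xml with no <licenses> block: the generator emits no license.
        {"type": "library", "group": "org.example", "name": "legacy", "version": "0.9",
         "purl": "pkg:maven/org.example/legacy@0.9"},
        # No version and no purl: cannot be matched against a vulnerability database.
        {"type": "library", "name": "vendored-blob", "licenses": []},
    ],
})


def component_ref(comp):
    """Human-readable coordinates for one component entry."""
    group = comp.get("group")
    name = comp.get("name", "<unnamed>")
    version = comp.get("version") or "<no version>"
    return f"{group}:{name}:{version}" if group else f"{name}:{version}"


def has_license(comp):
    """True if any licenses[] entry carries an SPDX id, a name or an expression."""
    for entry in comp.get("licenses", []):
        if entry.get("expression"):
            return True
        lic = entry.get("license") or {}
        if lic.get("id") or lic.get("name"):
            return True
    return False


def find_metadata_gaps(bom_json):
    """Return a sorted list of (component ref, problem) for every gap found.

    A component needs a version and a purl to be matched against advisories,
    and a license so the BOM can answer the questions it exists to answer.
    """
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    gaps = []
    for comp in bom.get("components", []):
        ref = component_ref(comp)
        if not comp.get("version"):
            gaps.append((ref, "missing version"))
        if not comp.get("purl"):
            gaps.append((ref, "missing purl"))
        if not has_license(comp):
            gaps.append((ref, "missing license"))
    return sorted(gaps)


if __name__ == "__main__":
    for ref, problem in find_metadata_gaps(SAMPLE_BOM):
        print(f"{ref}: {problem}")
```

Pointing `find_metadata_gaps` at the file a Maven or NPM generator writes turns the "did it work?" question into a concrete list of `pom.xml` or `package.json` entries to fix before the BOM is published.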

