| Re: [eclipse.org-architecture-council] Adding SBOM Generation to Builds |
Hi Wayne,
I spent some time to follow the recommendations and provide SBOM for Memory Analyzer. I tried to summarize my questions / feedback below.
I wasn’t sure if replying to the AC list is the appropriate way to give feedback – if you think this is spamming the list, let’s move this to an issue on the sbom project and continue the discussion there.
- I’ve seen the announcement about a zoom session on the SBOM topic on 12 October, but couldn’t join. I cannot find the recording for it – sorry if I am asking questions which were already covered there
- Somewhat unclear relation between dash-license and other SBOM generators – the handbook mentions dash-license both as a replacement for the IP logs, but also that the output of dash could be used as SBOM (for the moment?). I was unsure and added both to the build. Assuming at some moment sboms with cyclonedx or others would be required, will the dash-license tool integration still be needed (it does answer the question if a particular dependency is permitted for use within Eclipse, rather than simply listing the dependency)? I suppose it might be too early to answer this, but later we should try to be clearer.
- Taking dash-license as an example, it was really straightforward to use both dash-license and cyclonedx and produce _some_ output – I don’t recall how I ended up looking into dash-license, but it is very helpful to point in the documentation to a specific project
- About the output – this is where I am still most uncertain.
- I’ll need to give a short overview of what we are building, I hope this would make to following questions then clearer:
- MAT is built with Tycho and what is produced by the project itself is a set of eclipse-plugins
- We have an update site in the MAT downloads space – it includes only MAT’s plugins + a selection of BIRT plugins. We do aggregate all dependencies we need in our update site. These plugins are also contributed to the Simrel repo, but this is I guess a separate topic
- We also build and provide for download a standalone RCP application
- What should be the content of the sbom and how many sboms we need for the concrete MAT case?
- The aggregated sbom of the tycho build seems to be the most useful one – although I think (still have to check in all-details) it contains a few dependencies more than what we actually package in the standalone product
- Should we try to produce a separate sbom for the update site? The aggregated one contains way more than what is provided on the update site. All dependencies would be resolved upon installation. I read https://gitlab.eclipse.org/eclipsefdn/emo-team/sbom/-/issues/3 as “we don’t need an sbom for the update-site”, but still wanted to double-check
- Should the sbom contain strictly only the pieces which are provided for download? MAT has a “works-with” dependency on IBM’s DTFJ libraries. We don’t package them within the standalone application and they are not provided on MAT’s download site. Should they be part of the SBOM (currently they are listed in it)
- Somewhat related to the previous point – the documentation (https://gitlab.eclipse.org/eclipsefdn/emo-team/sbom/-/blob/main/docs/sbom.adoc) states what maven scopes are selected by default and how they might be changed. I would rather expect a recommendation for Eclipse projects what should be selected (probably a few different examples if there are different use-cases). I was for example wondering if “includeCompileScope” should be selected or not for MAT
- It would be helpful to have a few Eclipse specific recommendations/examples how to select the “projectType”, e.g. should we set it to application for our standalone MAT application (or for the EPP packages)? And if so, if a separate sbom is needed for the update-site, we’d need a different type there…
- Where should we put the output (sbom.json)? For now, it is just saved as build results and available from the Jenkins server (looked at dash)
- It would be helpful to have a Tycho build example – so far, I haven’t done any config different than Dash (which is “plain” maven). But if we figure out that in order to get precise results with Tycho some specifics are needed, it would be helpful to have some tycho specific examples (or to point to a concrete project as an example)
- About metadata
- Currently the doc states something like “Specify all of the metadata” and some examples. Are all of these equally important, or are there pieces which are mandatory and some which are nice to have?
- I think it would be helpful to have some specific examples in the context of Eclipse
- Organization – is this the project (this is what Dash did), or is it Eclipse, or something else? I.e. for MAT is it correct to specify organization name “Eclipse Memory Analyzer Project” and url https://projects.eclipse.org/projects/tools.mat (not our web site on eclipse.dev) ?
- Issues – an example for Bugzilla (as long as sboms requirements are rolled out before the deprecation)
- I didn’t understand if license information in the MANIFEST.MF files is mandatory (it was missing in our pom.xml files, and I’ll add it there, and we have it in about files)
These are the things I thought abouts so far. Hope this sbom-newbie view helps :-)
_______________________________________________
Krum
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council
Wayne Beaton
Director of Open Source Projects | Eclipse Foundation
My working day may not be your working day! Please don’t feel obliged to read or reply to this e-mail outside of your normal working hours.