Reproducible serialNumber generation #420

Closed

ppkarwasz opened this issue Nov 4, 2023 · 1 comment

Comments

@ppkarwasz
Contributor

In order to allow the usage of BOM-links from external CycloneDX documents, the generated SBOM should always include a serialNumber.

Currently this is only generated if the reproducibility flag is disabled. We could improve the generation algorithm to generate a deterministic serialNumber. The generating algorithm might depend on:

  • cryptographic hashes of a Maven module's artifacts (SBOM excluded, obviously). We can restrict this to the hash of the POM file and the main artifact,
  • for the aggregate BOM, it should also consider the serial numbers/hashes of its child modules.
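The scheme sketched in the issue, worked through as an added example (this is illustration code written for this page, not code from cyclonedx-maven-plugin or from the issue author). It assumes the CycloneDX `serialNumber` form `urn:uuid:<uuid>`, so the value is a name-based (version 5) UUID derived from the SHA-256 digests of the POM and main artifact rather than a random version 4 UUID; the namespace `SERIAL_NAMESPACE`, the function names, and the sample POM/JAR bytes are all assumptions constructed for the example.

```python
import hashlib
import uuid

# Assumed namespace for the name-based UUIDs; any fixed UUID works as long as
# every build of the project uses the same one.
SERIAL_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "sbom-serial.example.invalid")


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _urn(name: str) -> str:
    """Derive a CycloneDX serialNumber (urn:uuid:...) from a canonical name string."""
    return f"urn:uuid:{uuid.uuid5(SERIAL_NAMESPACE, name)}"


def module_serial_number(pom: bytes, main_artifact: bytes) -> str:
    """Deterministic serialNumber for a single module.

    Only the POM and the main artifact are hashed; the SBOM itself is
    deliberately excluded, since it would otherwise contain the value
    being computed.
    """
    name = "\n".join([
        "cyclonedx-module",
        "pom:" + _sha256_hex(pom),
        "artifact:" + _sha256_hex(main_artifact),
    ])
    return _urn(name)


def aggregate_serial_number(pom: bytes, child_serial_numbers) -> str:
    """Deterministic serialNumber for an aggregate BOM.

    Child serial numbers are sorted so the result does not depend on the
    order in which Maven happens to build the reactor modules.
    """
    name = "\n".join(
        ["cyclonedx-aggregate", "pom:" + _sha256_hex(pom)]
        + ["child:" + s for s in sorted(child_serial_numbers)]
    )
    return _urn(name)


def is_valid_serial_number(serial: str) -> bool:
    """Check the urn:uuid: prefix and that the UUID is a name-based (v5) UUID."""
    if not serial.startswith("urn:uuid:"):
        return False
    try:
        return uuid.UUID(serial[len("urn:uuid:"):]).version == 5
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs standing in for real POM and JAR files.
    pom_a = b"<project><artifactId>module-a</artifactId></project>"
    jar_a = b"PK\x03\x04module-a-contents"
    pom_b = b"<project><artifactId>module-b</artifactId></project>"
    jar_b = b"PK\x03\x04module-b-contents"
    parent_pom = b"<project><artifactId>parent</artifactId><packaging>pom</packaging></project>"

    serial_a = module_serial_number(pom_a, jar_a)
    serial_b = module_serial_number(pom_b, jar_b)
    print(serial_a)
    print(serial_b)
    print(aggregate_serial_number(parent_pom, [serial_a, serial_b]))
```

Because the SBOM is not part of the hashed input, regenerating the SBOM from the same POM and artifact yields the same `serialNumber`, which is what lets an external document's bom-link stay valid across rebuilds; any change to the POM, the artifact, or (for the aggregate) the set of child serial numbers produces a different value.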
ppkarwasz added a commit to ppkarwasz/logging-parent that referenced this issue Nov 4, 2023
The `cyclonedx-maven-plugin` still has some limitations that prevent it
from publishing a reproducible `serialNumber`
(CycloneDX/cyclonedx-maven-plugin#420) and adding a reference to a VEX
document (CycloneDX/cyclonedx-maven-plugin#419 and
CycloneDX/cyclonedx-maven-plugin#421).

This PR provides a temporary workaround that will allow us to produce a
CycloneDX SBOM (only the XML version), enhanced with these two elements.
vy added a commit to apache/logging-parent that referenced this issue Nov 6, 2023
* Add `serialNumber` and VEX references to generate SBOMs

The `cyclonedx-maven-plugin` still has some limitations that prevent it
from publishing a reproducible `serialNumber`
(CycloneDX/cyclonedx-maven-plugin#420) and adding a reference to a VEX
document (CycloneDX/cyclonedx-maven-plugin#419 and
CycloneDX/cyclonedx-maven-plugin#421).

This PR provides a temporary workaround that will allow us to produce a
CycloneDX SBOM (only the XML version), enhanced with these two elements.

---------

Co-authored-by: Volkan Yazıcı <volkan@yazi.ci>
vy added a commit to vy/cyclonedx-maven-plugin that referenced this issue Nov 9, 2023
Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>
hboutemy pushed a commit that referenced this issue Dec 9, 2023
Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>
hboutemy added a commit that referenced this issue Dec 9, 2023
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
@hboutemy
Contributor

hboutemy commented Jan 14, 2024

done in #425 (updated in #441)
