
[Java] Publish SBOM artifacts #15265

Closed
dongjoon-hyun opened this issue Jan 9, 2023 · 4 comments · Fixed by #15267


dongjoon-hyun commented Jan 9, 2023

Describe the enhancement requested

This issue aims to publish SBOM artifacts along with the other Apache projects.

Here is an article to give some context.

Software Bills of Materials (SBOMs) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: CycloneDX, Software Identification (SWID) tag, Software Package Data Exchange® (SPDX).

We can use one of the Maven plugins, the CycloneDX Maven plugin, which implements a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

https://maven.apache.org/plugins/index.html#misc

The expected results

$ mvn install -DskipTests
...

$ ls -al /Users/dongjoon/.m2/repository/org/apache/arrow/arrow-memory-core/11.0.0-SNAPSHOT
total 352
drwxr-xr-x  9 dongjoon  staff     288 Jan  9 01:10 .
drwxr-xr-x  7 dongjoon  staff     224 Jan  9 01:10 ..
-rw-r--r--  1 dongjoon  staff     367 Jan  9 01:10 _remote.repositories
-rw-r--r--  1 dongjoon  staff    8025 Jan  9 01:10 arrow-memory-core-11.0.0-SNAPSHOT-cyclonedx.json
-rw-r--r--  1 dongjoon  staff    6993 Jan  9 01:10 arrow-memory-core-11.0.0-SNAPSHOT-cyclonedx.xml
-rw-r--r--  1 dongjoon  staff   34886 Jan  9 01:10 arrow-memory-core-11.0.0-SNAPSHOT-tests.jar
-rw-r--r--  1 dongjoon  staff  110813 Jan  9 01:10 arrow-memory-core-11.0.0-SNAPSHOT.jar
-rw-r--r--  1 dongjoon  staff    3407 Jan  9 01:08 arrow-memory-core-11.0.0-SNAPSHOT.pom
-rw-r--r--  1 dongjoon  staff    1343 Jan  9 01:10 maven-metadata-local.xml

Component(s)

Java
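The listing above shows the artifact the plugin attaches next to the jar (arrow-memory-core-11.0.0-SNAPSHOT-cyclonedx.json). The following consumer-side check is an added example, not code from the Arrow project or from the CycloneDX Maven plugin: it parses a CycloneDX JSON BOM, confirms the root component matches the Maven coordinates being published, and flags components without a purl or SHA-256 hash, dependency entries that reference undeclared components, and declared components unreachable from the root. The embedded BOM is a constructed sample in the CycloneDX 1.4 JSON shape (bomFormat, specVersion, metadata.component, components, dependencies); its coordinates, hashes and the two planted defects are illustrative and are not taken from the real Arrow output.

```python
"""Sanity-check a CycloneDX JSON SBOM such as the *-cyclonedx.json file a Maven build publishes."""
import json
from collections import deque

# Constructed sample, NOT the real Arrow BOM. Two defects are planted on purpose:
# flatbuffers-java carries no hash, and arrow-format depends on an undeclared component.
ROOT = "pkg:maven/org.apache.arrow/arrow-memory-core@11.0.0-SNAPSHOT?type=jar"
FORMAT = "pkg:maven/org.apache.arrow/arrow-format@11.0.0-SNAPSHOT?type=jar"
SLF4J = "pkg:maven/org.slf4j/slf4j-api@1.7.36?type=jar"
FLATBUF = "pkg:maven/com.google.flatbuffers/flatbuffers-java@1.12.0?type=jar"
MISSING = "pkg:maven/com.example/not-declared@1.0.0?type=jar"  # hypothetical dangling reference


def _comp(group, name, version, purl, sha256=None):
    """Build one CycloneDX component entry; the purl doubles as the bom-ref."""
    c = {"type": "library", "group": group, "name": name, "version": version,
         "purl": purl, "bom-ref": purl}
    if sha256:
        c["hashes"] = [{"alg": "SHA-256", "content": sha256}]
    return c


SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": _comp("org.apache.arrow", "arrow-memory-core", "11.0.0-SNAPSHOT", ROOT)},
    "components": [
        _comp("org.apache.arrow", "arrow-format", "11.0.0-SNAPSHOT", FORMAT, "a" * 64),
        _comp("org.slf4j", "slf4j-api", "1.7.36", SLF4J, "b" * 64),
        _comp("com.google.flatbuffers", "flatbuffers-java", "1.12.0", FLATBUF),  # no hashes (planted)
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [FORMAT, SLF4J]},
        {"ref": FORMAT, "dependsOn": [FLATBUF, MISSING]},  # MISSING is not declared (planted)
        {"ref": SLF4J, "dependsOn": []},
        {"ref": FLATBUF, "dependsOn": []},
    ],
})


def load_bom(text):
    """Parse the JSON and refuse anything that does not declare itself as CycloneDX."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def component_purls(bom):
    """Sorted package URLs of every declared dependency component (the root is excluded)."""
    return sorted(c["purl"] for c in bom.get("components", []) if c.get("purl"))


def check_bom(bom, group, name, version):
    """Return human-readable findings; an empty list means the BOM passes every check."""
    findings = []
    root = bom.get("metadata", {}).get("component", {})
    if (root.get("group"), root.get("name"), root.get("version")) != (group, name, version):
        findings.append(f"metadata.component is {root.get('group')}:{root.get('name')}:"
                        f"{root.get('version')}, expected {group}:{name}:{version}")
    components = bom.get("components", [])
    refs = {root.get("bom-ref")} | {c.get("bom-ref") for c in components}
    for c in components:
        ident = f"{c.get('group')}:{c.get('name')}:{c.get('version')}"
        if not c.get("purl"):
            findings.append(f"{ident}: no purl")
        if not any(h.get("alg") == "SHA-256" for h in c.get("hashes", [])):
            findings.append(f"{ident}: no SHA-256 hash")
    # Dependency graph: every dependsOn entry must resolve to a declared bom-ref.
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    for ref, deps in graph.items():
        for dep in deps:
            if dep not in refs:
                findings.append(f"{ref} depends on undeclared {dep}")
    # Every declared component should be reachable from the root through the graph.
    seen, queue = set(), deque([root.get("bom-ref")])
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(graph.get(cur, []))
    for ref in sorted(r for r in refs - seen if r):
        findings.append(f"{ref} is declared but not reachable from the root component")
    return findings


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM_JSON)
    for line in check_bom(bom, "org.apache.arrow", "arrow-memory-core", "11.0.0-SNAPSHOT"):
        print(line)
```

To run it against a real artifact, replace SAMPLE_BOM_JSON with the contents of the -cyclonedx.json file from the listing and pass the module's own groupId, artifactId and version; the SHA-256 check matters because a BOM without hashes only names coordinates and cannot be matched against the bytes that were actually shipped.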

@dongjoon-hyun dongjoon-hyun changed the title Publish SBOM artifacts [Java] Publish SBOM artifacts Jan 9, 2023
dongjoon-hyun commented

cc @sunchao and @viirya


viirya commented Jan 9, 2023

Thanks @dongjoon-hyun !

dongjoon-hyun commented

Thank you, @viirya !

@assignUser assignUser added the Priority: Blocker Marks a blocker for the release label Jan 15, 2023

assignUser commented Jan 15, 2023

I have added the blocker label as the PR is done and only contingent on the failed gandiva tests.

@raulcd raulcd added this to the 11.0.0 milestone Jan 16, 2023
assignUser pushed a commit that referenced this issue Jan 17, 2023
This closes #15265
* Closes: #15265

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Jacob Wujciak-Jens <jacob@wujciak.de>
raulcd pushed a commit that referenced this issue Jan 18, 2023
This closes #15265
* Closes: #15265

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Jacob Wujciak-Jens <jacob@wujciak.de>