
Outreachy: Software Bill Of Materials Refinements: Project SmoothBOM

Shelley Lambert edited this page Dec 23, 2022 · 9 revisions

Project description

An SBOM, or Software Bill of Materials, is an artifact created at build time to capture important information about "what went into the build". This 'SmoothBOM' project will focus on refinements to our Eclipse Temurin SBOM. It will involve a fair amount of experimentation: tracing builds with the 'strace' utility to find the dependencies they actually use, then rerunning the builds with variations of those dependencies to determine which of them have an impact on build reproducibility.

We would like help from an Outreachy intern to verify the Eclipse Temurin SBOM, for example:

  • validate that our SBOM content is well-formed JSON, using the SBOM CLI tool, before we publish it
  • check that the SBOM is complete enough to reflect our build (SHAs, tool versions, etc.) and carries all the information required to reproduce that build so that the result is binary identical; then adapt an existing Jenkins pipeline script, or develop a new one, that takes an SBOM artifact as input and launches a new build, which should be binary identical to the build the SBOM originated from

Project reading

Project tasks

  1. Issue 3018: Before we publish our SBOM content, we must ensure that it is valid JSON, using the SBOM CLI tool. This can likely be triggered from a post-build job (see diagram below), but can first be implemented as a standalone test and incorporated into the build pipeline later. (Useful reading includes: Testcontainers quick start.)

  2. Issue 3158: Sign the SBOM using JSF (JSON Signature Format) instead of reusing the mechanism with which we sign the tarballs; see this comment for the new approach to signing that we would like to use. This is an update to the SBOM creation step. (Useful reading includes: the JSF documentation and the signAndVerify sample code for JSON documents.)

  3. Issue 3174: Update the SBOM-generating APIs used by our CI Jenkins builds to produce a complete list of Linux package dependencies, derived from an strace of the running build process and using the Temurin package determination scripting that is already in place. This belongs in the SBOM creation step (as per the diagram below).

  4. Issue 3104: Verify that the SBOM contains all the information necessary to duplicate a build (including SHAs, tool versions, etc.), so that the rebuild is binary identical, and that it is complete enough to reflect our build.
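The three verification tasks above (well-formed JSON, strace-derived package list, completeness for a reproducible rebuild) share one workflow, shown here as an added example that is not temurin-build code and does not use the project's package determination scripting. The strace lines, the package-owner table (a stand-in for `dpkg -S` / `rpm -qf` lookups on the build host) and the CycloneDX-style SBOM are all constructed sample data; the well-formedness check is plain JSON parsing, not the schema validation the SBOM CLI tool performs.

```python
"""Added example, not temurin-build code: derive the system files a build
touched from an strace log, map them to distro packages, and check that a
CycloneDX-style SBOM has the fields a binary-identical rebuild needs.
The strace lines, owner table and SBOM below are constructed sample data."""
import json
import re

# Constructed sample of `strace -f -o trace.log -e trace=openat,execve` output.
# The ENOENT line is a probe for a file that was absent and so did not feed the build.
STRACE_SAMPLE = """\
12345 execve("/usr/bin/gcc", ["gcc", "-c", "foo.c"], 0x7ffd11223344 /* 30 vars */) = 0
12345 openat(AT_FDCWD, "/usr/include/stdio.h", O_RDONLY) = 3
12346 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
12346 openat(AT_FDCWD, "/usr/lib/jvm/bootjdk/lib/libjli.so", O_RDONLY|O_CLOEXEC) = 3
12347 openat(AT_FDCWD, "/tmp/build/foo.o", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
12347 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
12348 openat(AT_FDCWD, "/usr/bin/make", O_RDONLY) = 3
"""

# Matches both `PID syscall(...)` (strace -o) and `[pid PID] syscall(...)` (stderr) layouts.
_CALL_RE = re.compile(
    r'^(?:\[pid\s+)?\d+\]?\s+(?P<call>openat|open|execve)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)".*\)\s*=\s*(?P<ret>-?\d+)'
)
# Prefixes where distro packages install files; anything else is build scratch space.
SYSTEM_PREFIXES = ("/usr/", "/lib", "/bin/", "/sbin/", "/etc/", "/opt/")

def touched_system_files(strace_log: str) -> list[str]:
    """Sorted, de-duplicated system paths that were successfully opened or executed."""
    found = set()
    for line in strace_log.splitlines():
        m = _CALL_RE.match(line)
        if not m or int(m.group("ret")) < 0:
            continue  # unparsed line, or a failed call such as an ENOENT probe
        path = m.group("path")
        if path.startswith(SYSTEM_PREFIXES):
            found.add(path)
    return sorted(found)

# Constructed stand-in for `dpkg -S` / `rpm -qf` results from the build host.
PACKAGE_OWNER = {
    "/lib/x86_64-linux-gnu/libc.so.6": "libc6",
    "/usr/include/stdio.h": "libc6-dev",
    "/usr/bin/gcc": "gcc",
    "/usr/bin/make": "make",
}

def packages_from_files(files, owner_table):
    """Split touched files into (sorted owning packages, files no package owns)."""
    packages, unpackaged = set(), []
    for f in files:
        if f in owner_table:
            packages.add(owner_table[f])
        else:
            unpackaged.append(f)  # e.g. a boot JDK unpacked from a tarball
    return sorted(packages), unpackaged

# Constructed CycloneDX-style SBOM with deliberate gaps (placeholder hash is SHA-256 of "").
SBOM_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"tools": [{"name": "example-sbom-generator", "version": "0.1"}]},
    "components": [
        {"type": "library", "name": "libc6", "version": "2.35",
         "hashes": [{"alg": "SHA-256",
                     "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
        {"type": "application", "name": "gcc", "version": "11.3.0"},
        {"type": "library", "name": "zlib"},
    ],
})

def parse_sbom(text: str) -> dict:
    """Well-formedness only; schema validation is the SBOM CLI tool's job."""
    doc = json.loads(text)  # json.JSONDecodeError (a ValueError) on malformed input
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX document")
    return doc

def missing_build_metadata(sbom: dict) -> list[str]:
    """Fields a rebuild needs: a tool record, and name/version/hash per component."""
    findings = []
    if not sbom.get("metadata", {}).get("tools"):
        findings.append("metadata.tools is empty: build tool versions unknown")
    for c in sbom.get("components", []):
        name = c.get("name", "<unnamed>")
        if not c.get("version"):
            findings.append(f"component {name}: no version")
        if not c.get("hashes"):
            findings.append(f"component {name}: no hashes (cannot pin exact artifact)")
    return findings

def packages_missing_from_sbom(packages, sbom: dict) -> list[str]:
    """Packages the trace shows were used but the SBOM does not list."""
    listed = {c.get("name") for c in sbom.get("components", [])}
    return [p for p in packages if p not in listed]

if __name__ == "__main__":
    files = touched_system_files(STRACE_SAMPLE)
    pkgs, unowned = packages_from_files(files, PACKAGE_OWNER)
    sbom = parse_sbom(SBOM_SAMPLE)
    print("packages used:", pkgs, "unpackaged files:", unowned)
    print("not in SBOM:", packages_missing_from_sbom(pkgs, sbom))
    print("\n".join(missing_build_metadata(sbom)))
```

Two details matter for the reproducibility goal. Failed opens are dropped on purpose: a library the build probed for and did not find is not a dependency, and listing it would send a rebuild looking for the wrong package set. Files no package owns (here the boot JDK) cannot be recovered from a package list at all, so they need their own component entries with hashes, which is exactly what the completeness check flags.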

[Diagram: build pipeline screenshot, taken 2022-12-21]

Participants

Intern: Atuhwera Julian

Mentors: Andrew Leonard, Wen Zhou, Shelley Lambert