
Generate SBOMs for Egeria (all repos) #6621

Open
2 tasks done
planetf1 opened this issue Jun 14, 2022 · 5 comments
Labels
cross-project Apply to many repositories in odpi/* enhancement New feature or request pinned Keep open (do not time out) security Security related (high priority)

Comments

@planetf1
Member

Is there an existing issue for this?

  • I have searched the existing issues

Please describe the new behavior that will improve Egeria

SBOMs (Software Bill of Materials) can include information about

  • packages
  • licenses
  • vulnerabilities

as part of the information on the software supply chain. See https://en.wikipedia.org/wiki/Software_supply_chain

SBOMs should be associated with each deliverable - for example maven artifact, distribution, container. They also must be signed.

The two main formats are:

  • SPDX
  • CycloneDX

Tooling is available for a variety of languages, though it is still very much work in progress.

Organizations are increasingly focussing on software supply chain, so we need to look at what some (small) steps are that we can take in Egeria to make this easier.

Creation of SBOMs has been one suggestion - this may involve either build-time creation through a maven/gradle plugin, or use of external tools.

Alternatives

No response

Any Further Information?

No response

Would you be prepared to be assigned this issue to work on?

  • I can work on this
@planetf1 planetf1 added enhancement New feature or request triage New bug/issue which needs checking & assigning labels Jun 14, 2022
@planetf1 planetf1 self-assigned this Jun 14, 2022
@planetf1 planetf1 added security Security related (high priority) and removed triage New bug/issue which needs checking & assigning labels Jun 14, 2022
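The issue above lists what an SBOM carries (packages, licenses, vulnerabilities) and names CycloneDX as one target format. The following is an added example, not code from the Egeria project or the issue author: it parses a constructed CycloneDX 1.4 JSON document and runs the checks a consumer would want before trusting a published BOM (undeclared licenses, vulnerability severity totals, and vulnerabilities whose `affects` refs point at components absent from the BOM). All component names, versions and vulnerability ids are made-up placeholders.

```python
import json
from collections import Counter
# Constructed sample CycloneDX 1.4 SBOM (not Egeria's); names, versions and ids are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/example/lib-a@1.0.0", "name": "lib-a",
         "version": "1.0.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:maven/example/lib-b@2.3.1", "name": "lib-b",
         "version": "2.3.1", "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
        {"type": "library", "bom-ref": "pkg:maven/example/lib-c@0.9.0", "name": "lib-c",
         "version": "0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/example/lib-b@2.3.1"}]},
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:maven/example/missing@1.0"}]},
    ],
})

def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything else early."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return bom

def licenses_of(component):
    """License ids or SPDX expressions declared on one component ([] if none)."""
    ids = []
    for lic in component.get("licenses", []):
        if "license" in lic:  # single license object, by SPDX id or free-text name
            ids.append(lic["license"].get("id") or lic["license"].get("name"))
        elif "expression" in lic:  # SPDX expression such as "MIT OR GPL-2.0-only"
            ids.append(lic["expression"])
    return ids

def review(bom):
    """Consumer-side checks: undeclared licenses, severity totals, dangling refs."""
    comps = bom.get("components", [])
    refs = {c["bom-ref"] for c in comps}
    unlicensed = [c["name"] for c in comps if not licenses_of(c)]
    severity, dangling = Counter(), []
    for v in bom.get("vulnerabilities", []):
        ratings = v.get("ratings") or [{}]
        severity[ratings[0].get("severity", "unknown")] += 1
        # a vulnerability that affects a ref absent from the BOM is inconsistent
        dangling += [(v["id"], a["ref"]) for a in v.get("affects", []) if a["ref"] not in refs]
    return {"unlicensed": unlicensed, "severity": dict(severity), "dangling": dangling}
```

Running `review(load_sbom(SAMPLE_SBOM))` flags `lib-c` as unlicensed and `EXAMPLE-0002` as referencing a component the BOM does not list.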
@planetf1
Member Author

Observation: Sonatype Lift (which scans our code) can generate CycloneDX SBOMs with vulnerability information. See https://lift.sonatype.com/results/github.com/odpi/egeria/01G5PTAEMBCH6PTJ4F8GFTVQAV?tab=dependencies

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the no-issue-activity Issues automatically marked as stale because they have not had recent activity. label Aug 17, 2022
@planetf1 planetf1 removed the no-issue-activity Issues automatically marked as stale because they have not had recent activity. label Aug 17, 2022
@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the no-issue-activity Issues automatically marked as stale because they have not had recent activity. label Oct 17, 2022
@planetf1 planetf1 removed the no-issue-activity Issues automatically marked as stale because they have not had recent activity. label Oct 31, 2022
@planetf1 planetf1 added the cross-project Apply to many repositories in odpi/* label Dec 5, 2022
@github-actions

github-actions bot commented Feb 7, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the no-issue-activity Issues automatically marked as stale because they have not had recent activity. label Feb 7, 2023
@planetf1 planetf1 added pinned Keep open (do not time out) and removed no-issue-activity Issues automatically marked as stale because they have not had recent activity. labels Feb 7, 2023
@planetf1
Member Author

See also https://github.blog/2023-03-28-introducing-self-service-sboms/ & referenced actions

@planetf1 planetf1 removed their assignment May 15, 2023