This is an automated email from the ASF dual-hosted git repository.
dongjoon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/spark-kubernetes-operator.git
The following commit(s) were added to refs/heads/main by this push:
new ad3d2dc [SPARK-53669] Publish SBOM artifacts
ad3d2dc is described below
commit ad3d2dcbc72fb9e1e8bd4bef31ca634fa30d5a47
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Mon Sep 22 19:47:57 2025 -0700
[SPARK-53669] Publish SBOM artifacts
### What changes were proposed in this pull request?
Since Apache Spark 3.4.0, the Apache Spark main repository has been providing
an `SBOM` artifact. Like the main repository, this PR aims to publish `SBOM`
artifacts for the `Apache Spark K8s Operator` artifacts.
- https://github.com/apache/spark/pull/39401
- https://repo1.maven.org/maven2/org/apache/spark/spark-core_2.13/4.0.1/spark-core_2.13-4.0.1-cyclonedx.xml
### Why are the changes needed?
Here is an article to give some context.
- https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/
Software Bill of Materials (SBOM) are additional artifacts containing the
aggregate of all direct and transitive dependencies of a project. The US
Government (based on NIST recommendations) currently accepts only the three
most popular SBOM standards as valid, namely:
[CycloneDX](https://cyclonedx.org/), [Software Identification (SWID)
tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software
Package Data Exchange® (SPDX)](https://spdx.dev/).
### Does this PR introduce _any_ user-facing change?
No behavior change.
### How was this patch tested?
Manually run the following command and check the local Maven directory.
**COMMAND**
```
$ gradle publishApachePublicationToMavenLocal -Prelease
```
**BEFORE**
```
$ ls -al ~/.m2/repository/org/apache/spark/spark-operator-api/0.5.0-SNAPSHOT
total 976
drwxr-xr-x 15 dongjoon staff 480 Sep 22 16:26 .
drwxr-xr-x 4 dongjoon staff 128 Sep 22 16:26 ..
-rw-r--r-- 1 dongjoon staff 2632 Sep 22 16:26 maven-metadata-local.xml
-rw-r--r-- 1 dongjoon staff 233151 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar.asc
-rw-r--r-- 1 dongjoon staff 52522 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-sources.jar
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-sources.jar.asc
-rw-r--r-- 1 dongjoon staff 17387 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-tests.jar
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-tests.jar.asc
-rw-r--r-- 1 dongjoon staff 154249 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.jar
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.jar.asc
-rw-r--r-- 1 dongjoon staff 2683 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.module
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.module.asc
-rw-r--r-- 1 dongjoon staff 2289 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.pom
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.pom.asc
```
**AFTER**
```
$ ls -al ~/.m2/repository/org/apache/spark/spark-operator-api/0.5.0-SNAPSHOT
total 5880
drwxr-xr-x 17 dongjoon staff 544 Sep 22 16:27 .
drwxr-xr-x 4 dongjoon staff 128 Sep 22 16:27 ..
-rw-r--r-- 1 dongjoon staff 3050 Sep 22 16:27 maven-metadata-local.xml
-rw-r--r-- 1 dongjoon staff 2505028 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-cyclonedx.xml
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-cyclonedx.xml.asc
-rw-r--r-- 1 dongjoon staff 233151 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar.asc
-rw-r--r-- 1 dongjoon staff 52522 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-sources.jar
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-sources.jar.asc
-rw-r--r-- 1 dongjoon staff 17387 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-tests.jar
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-tests.jar.asc
-rw-r--r-- 1 dongjoon staff 154249 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.jar
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.jar.asc
-rw-r--r-- 1 dongjoon staff 2683 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.module
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.module.asc
-rw-r--r-- 1 dongjoon staff 2289 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.pom
-rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.pom.asc
```
### Was this patch authored or co-authored using generative AI tooling?
No.
Closes #332 from dongjoon-hyun/SPARK-53669.
Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
---
build.gradle | 1 +
deploy.gradle | 6 ++++++
gradle/libs.versions.toml | 2 ++
3 files changed, 9 insertions(+)
diff --git a/build.gradle b/build.gradle
index ea482e8..fdb6e71 100644
--- a/build.gradle
+++ b/build.gradle
@@ -26,6 +26,7 @@ buildscript {
classpath "${libs.spotbugs.gradle.plugin.get()}"
classpath "${libs.spotless.plugin.gradle.get()}"
classpath "${libs.shadow.get()}"
+ classpath "${libs.cyclonedx.bom.get()}"
}
}
diff --git a/deploy.gradle b/deploy.gradle
index be2e151..0831e3a 100644
--- a/deploy.gradle
+++ b/deploy.gradle
@@ -22,6 +22,7 @@ if (project.hasProperty('release') &&
JavaVersion.current().getMajorVersion().to
}
subprojects {
+ apply plugin: 'org.cyclonedx.bom'
apply plugin: 'maven-publish'
apply plugin: 'signing'
afterEvaluate {
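Review bot: `apply plugin: 'org.cyclonedx.bom'` is added to every subproject with no accompanying `cyclonedxBom { ... }` configuration block, so the SBOM is generated with the plugin's defaults; consider stating here (or in the PR description) which dependency configurations the generated BOM covers, for example whether test-only dependencies are listed, since consumers will read the published `-cyclonedx.xml` as the operator's runtime inventory. Note also that the apply sits outside the `project.hasProperty('release')` guard visible in the hunk header, so the task is registered on every build rather than only for release publishing; that is fine, but worth a comment so it is not mistaken for a release-only step.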
@@ -68,6 +69,11 @@ subprojects {
artifact sourceJar
artifact javadocJar
artifact testJar
+ artifact("$buildDir/reports/bom.xml") {
+ classifier 'cyclonedx'
+ extension 'xml'
+ builtBy tasks.named('cyclonedxBom')
+ }
versionMapping {
allVariants {
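Review bot: the artifact path `"$buildDir/reports/bom.xml"` is hard-coded rather than derived from the `cyclonedxBom` task's output, so if the plugin's report location or file name is ever changed, `builtBy tasks.named('cyclonedxBom')` will still run the task but publishing will point at a stale or missing file; wiring the task's output property into `artifact(...)` keeps the two in sync. Minor: `$buildDir` is deprecated in current Gradle in favour of `layout.buildDirectory`, so prefer `layout.buildDirectory.file("reports/bom.xml")` if the path stays literal.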
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index d1756b3..8a6b06e 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -36,6 +36,7 @@ spotbugs-plugin = "6.4.2"
spotless-plugin = "6.25.0"
# Packaging
+cyclonedx = "2.4.1"
shadow-jar-plugin = "8.3.6"
[libraries]
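Review bot: the version key is named `cyclonedx` while the neighbouring plugin versions use a `-plugin` suffix (`spotbugs-plugin`, `spotless-plugin`, `shadow-jar-plugin`); naming it `cyclonedx-plugin` (and updating the matching `version.ref`) keeps the catalog consistent and makes clear that this pins the Gradle plugin version, not a CycloneDX library or schema version.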
@@ -65,3 +66,4 @@ junit-platform-launcher = { group = "org.junit.platform",
name = "junit-platform
spotbugs-gradle-plugin = { group = "com.github.spotbugs.snom", name =
"spotbugs-gradle-plugin", version.ref = "spotbugs-plugin" }
spotless-plugin-gradle = { group = "com.diffplug.spotless", name =
"spotless-plugin-gradle", version.ref = "spotless-plugin" }
shadow = { group = "com.gradleup.shadow", name = "shadow-gradle-plugin",
version.ref = "shadow-jar-plugin"}
+cyclonedx-bom = { group = "org.cyclonedx.bom", name =
"org.cyclonedx.bom.gradle.plugin", version.ref = "cyclonedx" }