[ https://issues.apache.org/jira/browse/HADOOP-18590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17712068#comment-17712068 ]
ASF GitHub Bot commented on HADOOP-18590:
-----------------------------------------
dongjoon-hyun opened a new pull request, #5555:
URL: https://github.com/apache/hadoop/pull/5555
### Description of PR
This is a second try of #5281 with new `cyclonedx` plugin `2.7.6`.
This PR aims to publish SBOM artifacts.
- https://cwiki.apache.org/confluence/display/COMDEV/SBOM
Here is an article to give some context.
- https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/
Software Bills of Materials (SBOMs) are additional artifacts containing the
aggregate of all direct and transitive dependencies of a project. The US
Government (based on NIST recommendations) currently accepts only the three
most popular SBOM standards as valid, namely:
[CycloneDX](https://cyclonedx.org/),
[Software Identification (SWID) tag](https://csrc.nist.gov/projects/Software-Identification-SWID),
[Software Package Data Exchange® (SPDX)](https://spdx.dev/).
This PR uses the [CycloneDX maven plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin),
a lightweight software bill of materials (SBOM) standard designed for use in
application security contexts and supply chain component analysis.
### How was this patch tested?
Manually. For example, `hadoop-auth-3.4.0-SNAPSHOT.jar` will additionally have
`hadoop-auth-3.4.0-SNAPSHOT-cyclonedx.xml` and
`hadoop-auth-3.4.0-SNAPSHOT-cyclonedx.json` SBOM files.
```
$ mvn --version
Apache Maven 3.9.1 (2e178502fcdbffc201671fb2537d0cb4b4cc58f8)
Maven home: /opt/homebrew/Cellar/maven/3.9.1/libexec
Java version: 11.0.18, vendor: Apple Inc., runtime:
/Library/Java/JavaVirtualMachines/applejdk-11.0.18.10.1.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "13.3", arch: "aarch64", family: "mac"
$ ls -l ~/.m2/repository/org/apache/hadoop/hadoop-auth/3.4.0-SNAPSHOT
total 1008
-rw-r--r
```
> Publish SBOM artifacts
> ----------------------
>
> Key: HADOOP-18590
> URL: https://issues.apache.org/jira/browse/HADOOP-18590
> Project: Hadoop Common
> Issue Type: Improvement
> Components: build
> Affects Versions: 3.4.0
> Reporter: Dongjoon Hyun
> Assignee: Dongjoon Hyun
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.2.5
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
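As an added example (not code from this PR, from Hadoop, or from the CycloneDX plugin), a small Python check that a consumer of the published `-cyclonedx.json` artifacts could run to confirm the SBOM describes the jar it ships with and to flag declared components that cannot be verified; the embedded SBOM is a constructed sample, not real Hadoop build output.

```python
"""Check a CycloneDX JSON SBOM against the Maven coordinates of the jar it accompanies."""
import json

# Constructed sample SBOM (not real cyclonedx-maven-plugin output): a trimmed
# CycloneDX 1.4 document with one metadata component and two declared dependencies.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {
            "group": "org.apache.hadoop", "name": "hadoop-auth",
            "version": "3.4.0-SNAPSHOT", "type": "library",
        }
    },
    "components": [
        {"group": "org.slf4j", "name": "slf4j-api", "version": "1.7.36",
         "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.36",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},  # placeholder digest
        {"group": "com.example", "name": "no-hash-lib", "version": "1.0",
         "purl": "pkg:maven/com.example/no-hash-lib@1.0"},  # no hashes: cannot be verified
    ],
})


def check_sbom(sbom_json: str, group: str, name: str, version: str) -> dict:
    """Return a summary of the SBOM; 'problems' lists what a reviewer should look at."""
    bom = json.loads(sbom_json)
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("not a CycloneDX document")
    # The metadata component must be the artifact the SBOM is published next to.
    meta = bom.get("metadata", {}).get("component", {})
    actual = (meta.get("group"), meta.get("name"), meta.get("version"))
    if actual != (group, name, version):
        problems.append(f"metadata component {actual} does not match {(group, name, version)}")
    components = bom.get("components", [])
    for comp in components:
        ref = comp.get("purl") or f"{comp.get('group')}:{comp.get('name')}"
        if not comp.get("purl"):
            problems.append(f"{ref}: no purl, cannot be matched against a package index")
        if not comp.get("hashes"):
            problems.append(f"{ref}: no hashes, cannot be verified against the downloaded jar")
    return {"spec_version": bom.get("specVersion"), "component_count": len(components),
            "purls": sorted(c["purl"] for c in components if "purl" in c),
            "problems": problems}


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, "org.apache.hadoop", "hadoop-auth", "3.4.0-SNAPSHOT")["problems"]:
        print(finding)
```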