You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@orc.apache.org by "Dongjoon Hyun (Jira)" <ji...@apache.org> on 2023/01/05 07:41:00 UTC
[jira] [Resolved] (ORC-1342) Publish SBOM artifacts
[ https://issues.apache.org/jira/browse/ORC-1342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dongjoon Hyun resolved ORC-1342.
--------------------------------
Fix Version/s: 1.7.8
1.8.2
Resolution: Fixed
Issue resolved by pull request 1353
[https://github.com/apache/orc/pull/1353]
> Publish SBOM artifacts
> ----------------------
>
> Key: ORC-1342
> URL: https://issues.apache.org/jira/browse/ORC-1342
> Project: ORC
> Issue Type: New Feature
> Components: Java
> Affects Versions: 1.9.0, 1.8.2, 1.7.8
> Reporter: Dongjoon Hyun
> Assignee: Dongjoon Hyun
> Priority: Major
> Fix For: 1.7.8, 1.8.2
>
>
> h3. What changes were proposed in this pull request?
> This issue aims to publish `SBOM` artifacts.
> h3. Why are the changes needed?
> Here is an article to give some context.
> - [https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/]
> Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX]([https://cyclonedx.org/]), [Software Identification (SWID) tag]([https://csrc.nist.gov/projects/Software-Identification-SWID]), [Software Package Data Exchange® (SPDX)]([https://spdx.dev/]).
> This PR uses [CycloneDX maven plugin]([https://github.com/CycloneDX/cyclonedx-maven-plugin]), a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
> For example, `orc-core-1.9.0-SNAPSHOT-cyclonedx.json` and `orc-core-1.9.0-SNAPSHOT-cyclonedx.xml` are attached like the following.
> {code:java}
> $ tree ~/.m2/repository/org/apache/orc/orc-core
> /Users/dongjoon/.m2/repository/org/apache/orc/orc-core
> ├── 1.9.0-SNAPSHOT
> │ ├── _remote.repositories
> │ ├── maven-metadata-apache.snapshots.xml
> │ ├── maven-metadata-apache.snapshots.xml.sha1
> │ ├── maven-metadata-local.xml
> │ ├── orc-core-1.9.0-20230103.231254-184.jar
> │ ├── orc-core-1.9.0-20230103.231254-184.jar.sha1
> │ ├── orc-core-1.9.0-20230103.231254-184.pom
> │ ├── orc-core-1.9.0-20230103.231254-184.pom.sha1
> │ ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.json
> │ ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.xml
> │ ├── orc-core-1.9.0-SNAPSHOT-nohive.jar
> │ ├── orc-core-1.9.0-SNAPSHOT-shaded-protobuf.jar
> │ ├── orc-core-1.9.0-SNAPSHOT-sources.jar
> │ ├── orc-core-1.9.0-SNAPSHOT-test-sources.jar
> │ ├── orc-core-1.9.0-SNAPSHOT-tests.jar
> │ ├── orc-core-1.9.0-SNAPSHOT.jar
> │ ├── orc-core-1.9.0-SNAPSHOT.pom
> │ └── resolver-status.properties
> └── maven-metadata-local.xml
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)