Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2022/11/30 16:14:28 UTC

[GitHub] [solr] raboof opened a new pull request, #1203: introduce org.cyclonedx.bom gradle plugin

raboof opened a new pull request, #1203:
URL: https://github.com/apache/solr/pull/1203

   This draft PR shows one way to generate an SBOM for Solr, mostly for discussion at https://lists.apache.org/thread/j35clzm48s7xxc9671qogzr54bsdj1lz . If we want to take this further I'll create a JIRA issue and fill out the rest of the PR template ;).
   
   (I haven't looked in depth at the quality of the output yet, as at this point I just wanted a starting point for experimenting with VEX)
   
   https://issues.apache.org/jira/browse/SOLR-XXXXX
   
   <!--
   _(If you are a project committer then you may remove some/all of the following template.)_
   
   Before creating a pull request, please file an issue in the ASF Jira system for Solr:
   
   * https://issues.apache.org/jira/projects/SOLR
   
   For something minor (i.e. that wouldn't be worth putting in release notes), you can skip JIRA. 
   To create a Jira issue, you will need to create an account there first.
   
   The title of the PR should reference the Jira issue number in the form:
   
   * SOLR-####: <short description of problem or changes>
   
   SOLR must be fully capitalized. A short description helps people scanning pull requests for items they can work on.
   
   Properly referencing the issue in the title ensures that Jira is correctly updated with code review comments and commits. -->
   
   
   # Description
   
   Please provide a short description of the changes you're making with this pull request.
   
   # Solution
   
   Please provide a short description of the approach taken to implement your solution.
   
   # Tests
   
   Please describe the tests you've developed or run to confirm this patch implements the feature or solves the problem.
   
   # Checklist
   
   Please review the following and check all that apply:
   
   - [ ] I have reviewed the guidelines for [How to Contribute](https://wiki.apache.org/solr/HowToContribute) and my code conforms to the standards described there to the best of my ability.
   - [ ] I have created a Jira issue and added the issue ID to my pull request title.
   - [ ] I have given Solr maintainers [access](https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork) to contribute to my PR branch. (optional but recommended)
   - [ ] I have developed this patch against the `main` branch.
   - [ ] I have run `./gradlew check`.
   - [ ] I have added tests for my changes.
   - [ ] I have added documentation for the [Reference Guide](https://github.com/apache/solr/tree/main/solr/solr-ref-guide)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org


Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

Posted by "raboof (via GitHub)" <gi...@apache.org>.
raboof commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-1892358239

   > We should create a JIRA for this btw.
   
   Created https://issues.apache.org/jira/browse/SOLR-16796
   
   There's probably more to improve from here, such as:
   * Generating SBOMs 'per artifact' rather than one big one for all of Solr?
   * Publishing nightly boms to https://security-tools-ec2-va.apache.org/
   * Publishing the SBOM as a release artifact
   
   ... but this might already be a nice start.




Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

Posted by "dsmiley (via GitHub)" <gi...@apache.org>.
dsmiley commented on code in PR #1203:
URL: https://github.com/apache/solr/pull/1203#discussion_r1456564684


##########
gradle/validation/cyclonedx-bom.gradle:
##########
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This adds CycloneDX BOM generation of project dependencies
+
+// If -Pvalidation.cyclonedx-bom=true is set the CycloneDX BOM generation will also run as part of the check task.
+
+configure(rootProject) {
+  cyclonedxBom {
+    includeConfigs = ["runtimeClasspath"]
+    skipConfigs = ["compileClasspath", "testCompileClasspath"]
+    projectType = "application"
+    schemaVersion = "1.4"
+    destination = file("build/reports")
+    outputName = "cyclonedx-bom"
+    outputFormat = "all"
+    includeBomSerialNumber = true
+  }
+
+  // Unless explicitly enabled, do not attach owasp to check. It has a large download
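Review bot: the trailing comment `// Unless explicitly enabled, do not attach owasp to check. It has a large download` names OWASP in a file whose only configuration is the CycloneDX `cyclonedxBom` task, so it reads like a leftover from the dependency-check config and invites exactly the confusion raised below. Reword it to describe what this file gates, namely that `-Pvalidation.cyclonedx-bom=true` attaches BOM generation to `check` as the header comment says, and drop the "large download" rationale unless BOM generation actually downloads something; otherwise readers will conflate SBOM generation with vulnerability scanning.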

Review Comment:
   What does CycloneDX have to do with OWASP?  What checking/verification does `cyclonedxBom` do?





Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

Posted by "ErnestoLeon87 (via GitHub)" <gi...@apache.org>.
ErnestoLeon87 commented on code in PR #1203:
URL: https://github.com/apache/solr/pull/1203#discussion_r1474943561


##########
gradle/validation/cyclonedx-bom.gradle:
##########
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This adds CycloneDX BOM generation of project dependencies
+
+// If -Pvalidation.cyclonedx-bom=true is set the CycloneDX BOM generation will also run as part of the check task.
+
+configure(rootProject) {
+  cyclonedxBom {
+    includeConfigs = ["runtimeClasspath"]
+    skipConfigs = ["compileClasspath", "testCompileClasspath"]
+    projectType = "application"
+    schemaVersion = "1.4"
+    destination = file("build/reports")
+    outputName = "cyclonedx-bom"
+    outputFormat = "all"
+    includeBomSerialNumber = true
+  }
+
+  // Unless explicitly enabled, do not attach owasp to check. It has a large download
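Review bot: `includeBomSerialNumber = true` stamps each generated BOM with a per-document `urn:uuid` serial number, so two runs over identical inputs yield differing `cyclonedx-bom.json`/`.xml` files. If the SBOM is later published as a release artifact or diffed between builds, either note that in the header comment or set the property to `false` and rely on `metadata.component` and `version` for identity.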

Review Comment:
   It helps you build a bom.xml/json file so you can evaluate that file later in Sonatype Lifecycle and see your app's vulnerabilities.



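As an added example (not code from the PR or from anyone in this thread), a small Python check that reads a CycloneDX JSON BOM such as the `cyclonedx-bom.json` the configuration above would emit and verifies it against what that configuration promises: `specVersion` 1.4, an application-typed metadata component, a `urn:uuid` serial number, and a purl on every component, the key a scanner like the one mentioned needs in order to match vulnerabilities. The BOM content is constructed here; the component names and versions are placeholders.

```python
"""Sanity-check a CycloneDX JSON BOM against the settings the Gradle
config promises: schemaVersion 1.4, projectType "application",
includeBomSerialNumber true."""
import json
import re

# Constructed sample shaped like a cyclonedx-bom.json; not real Solr
# output, and the component names/versions are placeholders.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "solr",
                               "version": "0.0.0-PLACEHOLDER"}},
    "components": [
        {"type": "library", "name": "lib-a", "version": "1.0",
         "purl": "pkg:maven/org.example/lib-a@1.0"},
        {"type": "library", "name": "lib-b", "version": "2.3"},  # no purl
    ],
})

SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def check_bom(text, spec_version="1.4", project_type="application"):
    """Return a list of findings; an empty list means the BOM matches."""
    bom = json.loads(text)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if bom.get("specVersion") != spec_version:
        findings.append(f"specVersion {bom.get('specVersion')} != {spec_version}")
    if not SERIAL_RE.match(bom.get("serialNumber", "")):
        findings.append("serialNumber missing or not a urn:uuid")
    comp = bom.get("metadata", {}).get("component", {})
    if comp.get("type") != project_type:
        findings.append(f"metadata.component.type is {comp.get('type')!r}")
    # A component without a purl cannot be matched to vulnerability data
    # by a downstream scanner, so flag each one.
    for c in bom.get("components", []):
        if not c.get("purl"):
            findings.append(f"component {c.get('name')}@{c.get('version')} has no purl")
    return findings


def purls(text):
    """Sorted Package URLs in the BOM, i.e. what a scanner matches on."""
    return sorted(c["purl"] for c in json.loads(text).get("components", []) if c.get("purl"))


if __name__ == "__main__":
    for line in check_bom(SAMPLE_BOM) or ["BOM matches expected settings"]:
        print(line)
```

Point `check_bom` at the contents of the generated `build/reports/cyclonedx-bom.json` to run the same checks on a real BOM.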


[GitHub] [solr] HoustonPutman commented on pull request #1203: introduce org.cyclonedx.bom gradle plugin

Posted by "HoustonPutman (via GitHub)" <gi...@apache.org>.
HoustonPutman commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-1540644941

   We should create a JIRA for this btw.




Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-2030817225

   This PR had no visible activity in the past 60 days, labeling it as stale. Any new activity will remove the stale label. To attract more reviewers, please tag someone or notify the dev@solr.apache.org mailing list. Thank you for your contribution!




[GitHub] [solr] risdenk commented on pull request #1203: introduce org.cyclonedx.bom gradle plugin

Posted by "risdenk (via GitHub)" <gi...@apache.org>.
risdenk commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-1419320590

   @raboof I pushed a change to your PR branch that moves the logic to `gradle/validation/cyclonedx-bom.gradle` to match other build plugins. As far as I can tell this is a decent first step.




[GitHub] [solr] risdenk commented on a diff in pull request #1203: introduce org.cyclonedx.bom gradle plugin

Posted by GitBox <gi...@apache.org>.
risdenk commented on code in PR #1203:
URL: https://github.com/apache/solr/pull/1203#discussion_r1061863631


##########
build.gradle:
##########
@@ -28,6 +28,19 @@ plugins {
   id "net.ltgt.errorprone" version "3.0.1" apply false
   id 'com.diffplug.spotless' version "6.5.2" apply false
   id 'com.github.node-gradle.node' version '3.4.0' apply false
+  id 'org.cyclonedx.bom' version '1.7.2'
+}
+
+cyclonedxBom {
+  includeConfigs = ["runtimeClasspath"]
+  skipConfigs = ["compileClasspath", "testCompileClasspath"]
+  projectType = "application"
+  schemaVersion = "1.4"
+  destination = file("build/reports")
+  outputName = "CycloneDX-Sbom"
+  outputFormat = "all"
+  includeBomSerialNumber = true
+  componentVersion = "2.0.0"
 }
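Review bot: `componentVersion = "2.0.0"` hardcodes the version recorded for Solr in the BOM's metadata component, so it will drift from the version actually being built and any vulnerability lookup keyed on the SBOM will attribute findings to the wrong release. Derive it from the build instead, for example `componentVersion = project.version.toString()`, or drop the property so the plugin picks up the project's own version; the `outputName = "CycloneDX-Sbom"` casing should also follow whatever convention the `gradle/validation` files use once this moves there.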

Review Comment:
   This should end up in a separate config file like `gradle/validation/cyclonedx.gradle` - another example of similar config would be any of the files in `gradle/validation`





[GitHub] [solr] epugh commented on pull request #1203: introduce org.cyclonedx.bom gradle plugin

Posted by "epugh (via GitHub)" <gi...@apache.org>.
epugh commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-1529022396

   @gus-asf you may find this idea interesting ;-)




Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

Posted by "janhoy (via GitHub)" <gi...@apache.org>.
janhoy commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-2083639846

   I'm positive about including this as a first step and then proceeding with publishing the SBOM as a release artifact as proposed.

