Posted to commits@camel.apache.org by "oscerd (via GitHub)" <gi...@apache.org> on 2023/01/31 13:58:10 UTC

[GitHub] [camel-quarkus] oscerd opened a new pull request, #4461: Provide SBOM for Camel-Quarkus project

oscerd opened a new pull request, #4461:
URL: https://github.com/apache/camel-quarkus/pull/4461

   Signed-off-by: Andrea Cosentino <an...@gmail.com>
   
   Fixes #4459 
   
   So this is a first iteration for having a SBOM for Camel-Quarkus.
   
   Generation time on a free repository: 41 minutes for me.
   SBOM dimensions: Around 8 MB
   
   My proposal:
   
   - In Camel we have a GitHub action running every Sunday at 14:30. The action will rebase on a particular branch "regen_bot_sbom", run the SBOM generation, commit and create a PR with the SBOM updated.
   
   For the moment, the camel-sbom on Camel and camel-quarkus-sbom are not part of the release process, so there won't be an artifact for them. They are descriptors more or less.
   
   Let me know what you think and if you have proposals/doubts/discussions. Thank you


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@camel.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
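
The weekly regeneration proposed in the message above could be wired up roughly as follows. This is an added sketch, not the workflow from the Camel or Camel Quarkus repositories; the CycloneDX Maven goal, the Java version, the `main` base branch and the output file names are assumptions, while the schedule, the `regen_bot_sbom` branch and the `camel-quarkus-sbom` directory come from the thread.

```yaml
# Added example: weekly SBOM regeneration that opens a PR (not the project's own workflow).
name: Regenerate SBOM (weekly)

on:
  schedule:
    - cron: '30 14 * * 0'        # Sundays at 14:30; GitHub evaluates cron in UTC
  workflow_dispatch: {}          # allow a manual run as well

# Least privilege: the job only pushes the bot branch and opens a PR.
permissions:
  contents: write
  pull-requests: write

jobs:
  regen-sbom:
    runs-on: ubuntu-latest
    timeout-minutes: 120         # the PR description reports about 41 minutes per run
    steps:
      # In practice, pin each third-party action to a full commit SHA instead of a tag.
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'     # assumption
          cache: maven
      # Assumption: the aggregated SBOM is produced with the CycloneDX Maven plugin.
      - name: Generate aggregated SBOM
        run: mvn -B -ntp org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
      - name: Copy SBOM into the tracked directory
        run: |
          mkdir -p camel-quarkus-sbom
          # bom.json / bom.xml are the plugin's default output names (assumed unchanged)
          cp target/bom.json target/bom.xml camel-quarkus-sbom/
      - uses: peter-evans/create-pull-request@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: regen_bot_sbom          # bot branch named in the proposal
          base: main                      # assumption
          add-paths: camel-quarkus-sbom   # commit nothing except the SBOM files
          commit-message: Regenerate SBOM
          title: Regenerate SBOM
          signoff: true
```

Restricting `add-paths` to the SBOM directory keeps the bot's PR reviewable as a pure descriptor update, so any other changed file in such a PR is a signal worth investigating.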


[GitHub] [camel-quarkus] oscerd commented on pull request #4461: Provide SBOM for Camel-Quarkus project

Posted by "oscerd (via GitHub)" <gi...@apache.org>.
oscerd commented on PR #4461:
URL: https://github.com/apache/camel-quarkus/pull/4461#issuecomment-1412011430

   > I'm fine with it in principle. Let's see what @ppalaga thinks.
   > 
   > Can we add the `camel-quarkus-sbom` directory to the list of `path-ignores`. There's no need to run a CI cycle for changes in those files, right?
   
   No need to run a CI cycle for them, no. The idea is more or less this: https://github.com/apache/camel-spring-boot/blob/main/.github/workflows/generate-sbom-main.yml
   
   Having a GH action do this once a week and open a PR with the regenerated SBOMs.
   
   > 
   > https://github.com/apache/camel-quarkus/blob/main/.github/workflows/ci-build.yaml#L27
   
   I'll update the PR
   
   




[GitHub] [camel-quarkus] oscerd commented on pull request #4461: Provide SBOM for Camel-Quarkus project

Posted by "oscerd (via GitHub)" <gi...@apache.org>.
oscerd commented on PR #4461:
URL: https://github.com/apache/camel-quarkus/pull/4461#issuecomment-1412012392

   > No strong advice. I would see sbom as becoming more and more important, so +1
   > On a side note, I wonder how git would handle such large files 8Mb, hundreds of thousands of lines, each week. Seems it's working on Camel side.
   > 
   > As a last note, I wonder whether there would be something special linked to Quarkus. Like are deployment items to be included in sbom? I would say yes... still no strong advice.
   
   Everything in the modules should be part of the generated aggregated SBOM, so they should be there.




[GitHub] [camel-quarkus] aldettinger commented on pull request #4461: Provide SBOM for Camel-Quarkus project

Posted by "aldettinger (via GitHub)" <gi...@apache.org>.
aldettinger commented on PR #4461:
URL: https://github.com/apache/camel-quarkus/pull/4461#issuecomment-1412007960

   No strong advice. I would see sbom as becoming more and more important, so :+1: 
   On a side note, I wonder how git would handle such large files 8Mb, hundreds of thousands of lines, each week. Seems it's working on Camel side.
   
   As a last note, I wonder whether there would be something special linked to Quarkus. Like are deployment items to be included in sbom? I would say yes... still no strong advice.




[GitHub] [camel-quarkus] oscerd commented on pull request #4461: Provide SBOM for Camel-Quarkus project

Posted by "oscerd (via GitHub)" <gi...@apache.org>.
oscerd commented on PR #4461:
URL: https://github.com/apache/camel-quarkus/pull/4461#issuecomment-1412022718

   > I'm fine with it in principle. Let's see what @ppalaga thinks.
   > 
   > Can we add the `camel-quarkus-sbom` directory to the list of `path-ignores`. There's no need to run a CI cycle for changes in those files, right?
   > 
   > https://github.com/apache/camel-quarkus/blob/main/.github/workflows/ci-build.yaml#L27
   
   Added to paths-ignore.




[GitHub] [camel-quarkus] jamesnetherton commented on pull request #4461: Provide SBOM for Camel-Quarkus project

Posted by "jamesnetherton (via GitHub)" <gi...@apache.org>.
jamesnetherton commented on PR #4461:
URL: https://github.com/apache/camel-quarkus/pull/4461#issuecomment-1411604226

   I'm fine with it in principle. Let's see what @ppalaga thinks.
   
   Can we add the `camel-quarkus-sbom` directory to the list of `path-ignores`. There's no need to run a CI cycle for changes in those files, right?
   
   https://github.com/apache/camel-quarkus/blob/main/.github/workflows/ci-build.yaml#L27




[GitHub] [camel-quarkus] ppalaga merged pull request #4461: Provide SBOM for Camel-Quarkus project

Posted by "ppalaga (via GitHub)" <gi...@apache.org>.
ppalaga merged PR #4461:
URL: https://github.com/apache/camel-quarkus/pull/4461

