You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@avro.apache.org by "Martin Tzvetanov Grigorov (Jira)" <ji...@apache.org> on 2023/02/16 08:35:00 UTC

[jira] [Comment Edited] (AVRO-3700) Publish Java SBOM artifacts with CycloneDX

    [ https://issues.apache.org/jira/browse/AVRO-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17689613#comment-17689613 ] 

Martin Tzvetanov Grigorov edited comment on AVRO-3700 at 2/16/23 8:34 AM:
--------------------------------------------------------------------------

The CycloneDX started causing problems with the "Maven reproducible build" checks: [https://github.com/apache/avro/actions/runs/4192022965/jobs/7267089974]

I haven't investigated what exactly introduced the problem but all new Java related [PRs|https://github.com/apache/avro/pulls] now fail with the above problem.


was (Author: mgrigorov):
The CycloneDX started causing problems with the "Maven reproducible build" checks: [https://github.com/apache/avro/actions/runs/4192022965/jobs/7267089974]

I haven't investigated what exactly introduced the problem but all new Java related [PRs|https://github.com/apache/avro/pulls now fail with the above problem.

> Publish Java SBOM artifacts with CycloneDX
> ------------------------------------------
>
>                 Key: AVRO-3700
>                 URL: https://issues.apache.org/jira/browse/AVRO-3700
>             Project: Apache Avro
>          Issue Type: Sub-task
>          Components: build
>    Affects Versions: 1.12.0
>            Reporter: Dongjoon Hyun
>            Assignee: Dongjoon Hyun
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.12.0
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> h3. Why are the changes needed?
> Here is an article to give some context.
>  - [https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/]
> Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX]([https://cyclonedx.org/]), [Software Identification (SWID) tag]([https://csrc.nist.gov/projects/Software-Identification-SWID]), [Software Package Data Exchange® (SPDX)]([https://spdx.dev/]).
> This PR uses [CycloneDX maven plugin]([https://github.com/CycloneDX/cyclonedx-maven-plugin]), a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)