
Possible to include commit identifier in BOM?

Open io7m opened this issue 2 years ago • 12 comments

Hello!

Via the buildnumber-maven-plugin, I have access to the SCM revision that was used to produce whatever is in the current BOM. The revision is accessible via the ${buildNumber} property.

Is there some way to get this information into the produced BOM? I can't see an obvious way to include properties in the BOM, or to include that information in any other way...

io7m avatar Nov 10 '23 10:11 io7m

Did you see in the CycloneDX schema any location that would be OK to record that type of info? Somewhere in metadata https://cyclonedx.org/docs/1.5/json/#metadata? Or in formulation https://cyclonedx.org/docs/1.5/json/#formulation?

hboutemy avatar Jan 15 '24 14:01 hboutemy

Or even pedigree, as in #448: https://cyclonedx.org/docs/1.5/json/#metadata_component_pedigree

hboutemy avatar Jan 15 '24 15:01 hboutemy

Hello! I had intended to just stick it in metadata/properties. If there's a preferred place to put it, I'd gladly use that. I couldn't see any, though.

io7m avatar Jan 15 '24 19:01 io7m

Yes, I've never seen commit info in any of the examples at https://github.com/CycloneDX/bom-examples, and there is no official property id in the taxonomy for such a common practice: https://github.com/CycloneDX/cyclonedx-property-taxonomy

I suppose this would deserve a discussion on the CycloneDX Slack general channel.

hboutemy avatar Jan 17 '24 07:01 hboutemy

@io7m @hboutemy Is it possible to construct the full commit URL (e.g. https://github.com/CycloneDX/cyclonedx-maven-plugin/commit/349fe7cc7fd8b7f2224075b5fe7d73e7f0832140)? If we can construct the full commit URL, I think it is better to use vcs from the externalReferences (https://cyclonedx.org/docs/1.5/json/#externalReferences_items_type):


{
  "externalReferences": [
    {
      "url": "https://github.com/CycloneDX/cyclonedx-maven-plugin/commit/349fe7cc7fd8b7f2224075b5fe7d73e7f0832140",
      "type": "vcs"
    }
  ]
}

@stevespringett, @coderpatros, @jkowalleck, @prabhu, @nscuro, @tsjensen Could you please let us know your thoughts on this?

VinodAnandan avatar Jan 20 '24 21:01 VinodAnandan

re https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/427#issuecomment-1902269034

https://github.com/CycloneDX/cyclonedx-maven-plugin/commit/349fe7cc7fd8b7f2224075b5fe7d73e7f0832140

The fact that GitHub allows accessing a certain git commit is just a happy little accident, nothing you should make a general assumption from. Furthermore, a VCS may run cleanup jobs that remove unattached/orphan nodes. And remember: GitHub is just one VCS - do you plan on implementing things for every known VCS out there - and even self-hosted ones?

If you really must do it like this, and you knew the repository URL, then it would be possible to annotate like so:

{
  "url": "git+https://github.com/CycloneDX/cyclonedx-maven-plugin.git#a964c6e80164914e48207239cef29e722a6e87af",
  "type": "vcs"
}

When adding such URLs, be aware that they might include authentication (username/password) like git+https://__token__:<myaccesstoken>@acme.org/foo/bar.git ! You might want to strip usernames/passwords. Here is a regex to find all these secrets: (?<=://)[^/@:]+:[^/@]+@

And it goes one step further with PackageURLs: they allow a qualifier for this purpose, vcs_url, see https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs. The VCS reference would be added, according to the PURL spec (which leverages SPDX spec 3.7), à la <vcs_tool>+<transport>://<host_name>[/<path_to_repository>][@<revision_tag_or_branch>][#<sub_path>]. Example values for the PURL qualifier vcs_url:

  • git+https://github.com/CycloneDX/cyclonedx-maven-plugin.git@a964c6e80164914e48207239cef29e722a6e87af

re https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/427#issuecomment-1892318138

Formulations might be used. There is a task type "clone" which might be appropriate. But actually I am uncertain, since the documentation for the cases is still missing (@mrutkows https://github.com/CycloneDX/specification/issues/245).

jkowalleck avatar Jan 20 '24 22:01 jkowalleck

Since the original request talks about a build number, and build numbers are usually added to the actual version identifiers in the form of <version core> "+" <build> (compare SemVer), I'd recommend doing the same here.

I'd assume the appropriate thing would be that the "build number" is added to the CycloneDX document as $.metadata.component.version, like so:

{
  "metadata": {
    "component": {
      "name": "cyclonedx-maven-plugin",
      "version": "1.33.7+a964c6e80164914e48207239cef29e722a6e87af"
    },
    ...
  },
  ...
}

@io7m where do you want to see your build number in the CDX document?

jkowalleck avatar Jan 20 '24 22:01 jkowalleck

@jkowalleck I honestly have no preference. I was just looking at this because:

  • I publish CycloneDX BOMs.
  • I have reproducible builds in all of my projects.
  • I have commit IDs accessible in all of my builds.

Therefore, I thought it would probably be a good idea if someone could look in the BOM and then work backwards from the commit ID to determine the exact original sources that produced the build. I realize the BOM also provides this information (via hashes of binaries), but I thought an extra layer of assurance would be nice to have.

io7m avatar Jan 21 '24 11:01 io7m

I agree with @io7m's notion that the VCS hash is useful metadata. Every commit might influence the SBOM of a project. In fact, I think we even need the information of whether the Git workspace was clean, because otherwise again the SBOM might have been changed in relation to the latest commit.

In order to address this, we defined siemens:vcsRevision and siemens:vcsClean in the Siemens property taxonomy (which you are welcome to use, too).

tsjensen avatar Jan 22 '24 13:01 tsjensen
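Putting the three suggestions together (the credential-stripped git+https external reference and the version-core "+" commit form from jkowalleck's comments, plus the siemens:vcsRevision / siemens:vcsClean properties from the Siemens taxonomy just mentioned), here is an added Python example that is not code from this thread or from the cyclonedx-maven-plugin. The component type "application", the sample repository URL with a fake token, and the helper names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Regex quoted in the thread for credentials embedded in a URL authority.
CREDENTIALS_RE = re.compile(r"(?<=://)[^/@:]+:[^/@]+@")
COMMIT_RE = re.compile(r"[0-9a-f]{40}")


def strip_credentials(url: str) -> str:
    """Return url without any user:password@ so a token never lands in the BOM."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    cleaned = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    if CREDENTIALS_RE.search(cleaned):  # belt and braces: regex must not match now
        raise ValueError("credentials survived stripping")
    return cleaned


def build_metadata_component(name, version_core, repo_url, commit, vcs_clean=True):
    """Build $.metadata.component with the commit recorded three ways."""
    if not COMMIT_RE.fullmatch(commit):
        raise ValueError("expected a full 40-hex git commit id")
    repo = strip_credentials(repo_url)
    if not repo.startswith("git+"):
        repo = "git+" + repo  # <vcs_tool>+<transport>:// form from the SPDX/PURL spec
    return {
        "type": "application",  # assumption: the project being built is an application
        "name": name,
        "version": f"{version_core}+{commit}",  # SemVer build metadata
        "externalReferences": [{"url": f"{repo}#{commit}", "type": "vcs"}],
        "properties": [
            {"name": "siemens:vcsRevision", "value": commit},
            {"name": "siemens:vcsClean", "value": "true" if vcs_clean else "false"},
        ],
    }


if __name__ == "__main__":
    import json
    # Constructed sample: repository URL carrying a fake access token.
    comp = build_metadata_component(
        "cyclonedx-maven-plugin", "1.33.7",
        "https://__token__:FAKE_TOKEN@github.com/CycloneDX/cyclonedx-maven-plugin.git",
        "a964c6e80164914e48207239cef29e722a6e87af")
    print(json.dumps({"metadata": {"component": comp}}, indent=2))
```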

But thinking further, I believe that eventually, what we want is a vcs section as a first-class citizen in metadata that bundles all this info. External references are not very good for this, because they do not carry the same semantic weight as a metadata/vcs section would.

But it's not like we're in a lot of pain over this at the moment, so we can discuss when the time comes. 🙂

tsjensen avatar Jan 22 '24 13:01 tsjensen

A slightly more basic issue is that there doesn't actually seem to be a way to include extra properties of any kind in the BOM using the cyclonedx-maven-plugin. If there is a way, it doesn't appear to be in the plugin documentation.

io7m avatar Jan 27 '24 13:01 io7m

The plugin has focused until now on Maven dependencies = CycloneDX $.components[].

This commit identifier is about more precisely describing the project being built, $.metadata.component: until recently, the component being built was described exactly like a dependency component. This changed in 2.7.11 with #428 about adding custom external references, documented in https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html

On the git commit, I feel that developers are trying to replace the build tool: pom.xml has the Git tag (if the release process has been done right at the Maven level).

hboutemy avatar Jan 30 '24 11:01 hboutemy