
SOLR-16796: introduce org.cyclonedx.bom gradle plugin

Open raboof opened this issue 3 years ago • 6 comments

This draft PR shows one way to generate an SBOM for Solr, mostly for discussion at https://lists.apache.org/thread/j35clzm48s7xxc9671qogzr54bsdj1lz . If we want to take this further, I'll create a JIRA issue and fill out the rest of the PR template ;).

(I haven't looked in depth at the quality of the output yet, as at this point I just wanted a starting point for experimenting with VEX)

https://issues.apache.org/jira/browse/SOLR-16796

Description

It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for its artifacts. An SBOM gives an overview of the components included in the artifact, which can be useful for example for scanner software that looks for dependencies with potential security vulnerabilities.

Such consumers of the SBOM should probably combine it with the VEX published for Solr (https://solr.apache.org/security.html#vex) to avoid getting reports for known false positives.

Solution

Introduce the org.cyclonedx.bom plugin which helps with generating SBOMs for the build products.

Checklist

Please review the following and check all that apply:

  • [ ] I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
  • [ ] I have created a Jira issue and added the issue ID to my pull request title.
  • [ ] I have given Solr maintainers access to contribute to my PR branch. (optional but recommended)
  • [ ] I have developed this patch against the main branch.
  • [ ] I have run ./gradlew check.
  • [ ] I have added tests for my changes.
  • [ ] I have added documentation for the Reference Guide.

raboof avatar Nov 30 '22 16:11 raboof
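To show what "combining the SBOM with the VEX" means for a scanner, here is an added Python example (not part of this PR or of the Solr build): it uses constructed CycloneDX SBOM and VEX documents with placeholder component and CVE identifiers, and assumes the VEX `affects.ref` values are the same purls the SBOM carries.

```python
import json

# Constructed CycloneDX 1.4 SBOM fragment with placeholder components
# (not Solr's real SBOM); the VEX below refers to components by purl.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "example-lib", "version": "1.2.3",
   "purl": "pkg:maven/org.example/example-lib@1.2.3"},
  {"type": "library", "name": "other-lib", "version": "4.5.6",
   "purl": "pkg:maven/org.example/other-lib@4.5.6"}]}"""

# Constructed CycloneDX VEX with placeholder CVE ids (not real Solr advisories).
VEX_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "vulnerabilities": [
  {"id": "CVE-0000-00001",
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
   "affects": [{"ref": "pkg:maven/org.example/example-lib@1.2.3"}]},
  {"id": "CVE-0000-00002", "analysis": {"state": "in_triage"},
   "affects": [{"ref": "pkg:maven/org.example/other-lib@4.5.6"}]}]}"""

# VEX analysis states that justify dropping a scanner hit for that component.
SUPPRESSING_STATES = {"not_affected", "false_positive",
                      "resolved", "resolved_with_pedigree"}


def vex_index(vex_text):
    """Map (vulnerability id, component ref) -> analysis state from a VEX."""
    index = {}
    for vuln in json.loads(vex_text).get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = state
    return index


def triage(findings, sbom_text, vex_text):
    """Keep scanner findings for components present in the SBOM that the
    VEX does not mark as not_affected / false_positive / resolved."""
    purls = {c.get("purl") for c in json.loads(sbom_text)["components"]}
    states = vex_index(vex_text)
    return [(vid, purl) for vid, purl in findings
            if purl in purls and states.get((vid, purl)) not in SUPPRESSING_STATES]


# Constructed scanner output: (vulnerability id, purl of the flagged component).
FINDINGS = [
    ("CVE-0000-00001", "pkg:maven/org.example/example-lib@1.2.3"),  # VEX: not_affected
    ("CVE-0000-00002", "pkg:maven/org.example/other-lib@4.5.6"),    # VEX: in_triage
    ("CVE-0000-00003", "pkg:maven/org.example/example-lib@1.2.3"),  # no VEX statement
    ("CVE-0000-00004", "pkg:maven/org.example/unrelated@0.1"),      # not in SBOM
]
```

Only the `in_triage` hit and the finding with no VEX statement survive; the known false positive and the component that is not in this artifact's SBOM are dropped.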

@raboof I pushed a change to your PR branch that moves the logic to gradle/validation/cyclonedx-bom.gradle to match other build plugins. As far as I can tell this is a decent first step.

risdenk avatar Feb 06 '23 15:02 risdenk

@gus-asf you may find this idea interesting ;-)

epugh avatar Apr 30 '23 13:04 epugh

We should create a JIRA for this btw.

HoustonPutman avatar May 09 '23 18:05 HoustonPutman

We should create a JIRA for this btw.

Created https://issues.apache.org/jira/browse/SOLR-16796

There's probably more to improve from here, such as:

  • Generating SBOMs 'per artifact' rather than one big one for all of Solr?
  • Publishing nightly boms to https://security-tools-ec2-va.apache.org/
  • Publishing the SBOM as a release artifact

... but this might already be a nice start.

raboof avatar Jan 15 '24 15:01 raboof

This PR had no visible activity in the past 60 days, labeling it as stale. Any new activity will remove the stale label. To attract more reviewers, please tag someone or notify the [email protected] mailing list. Thank you for your contribution!

github-actions[bot] avatar Apr 02 '24 00:04 github-actions[bot]

I'm positive to including this as a first step and then proceeding with publishing SBOM as a release artifact as proposed.

janhoy avatar Apr 29 '24 20:04 janhoy

Ok, so I've changed this to create an SBOM for each of our maven artifacts, and they are included in what will be uploaded to maven central.

So far there is no solr-wide SBOM (for either the full tgz or the slim tgz), but that is kind of a nightmare to do with the cyclonedx gradle plugin. It would be much easier if we could use syft to generate an SBOM from the resulting tgz(s). But maybe this is a problem to solve later and we take the first win?

HoustonPutman avatar Jun 04 '24 20:06 HoustonPutman

Thanks @HoustonPutman. I think this would be a good first step considering we've been stuck with this for a while.

anshumg avatar Jun 05 '24 07:06 anshumg