
Generate dependency information / SBOM as part of the MAT build

Open eclipsewebmaster opened this issue 9 months ago • 20 comments

| Field | Value |
| --- | --- |
| Bugzilla Link | 582480 |
| Status | ASSIGNED |
| Importance | P3 normal |
| Reported | Sep 27, 2023 08:00 EDT |
| Modified | Nov 09, 2023 04:40 EDT |
| Version | 1.14 |
| Reporter | Krum Tsvetkov |

Description

The topic of SBOMs was mentioned on the dev mailing list. I see various aspects and have at present no good idea about the solution, but would use the bug to keep the discussions / ideas.

Removal of IP Logs - with the changes introduced last year (https://www.eclipse.org/projects/handbook/#ip-history) projects are not required to submit IP Logs, but to provide SBOMs. AFAIU there is still no standard way for this. For our last release I used the https://github.com/eclipse/dash-licenses tool and manually checked the report that all listed dependencies are approved. Generating this information can be done as part of the build, and for me this would be the first step.
I still wonder what to do with the information once it is generated. There is an option to fail the build. I haven't tried this one (we use only approved libs), but I intend to add a dependency to something not-approved and see what the effect is.
So far I only did some checks that the plugins I find in the standalone MAT package are all part of the generated dependency list (they are indeed a subset of it, the generated list contains more).

The second aspect is providing an SBOM as part of ...

  • well the first question for me is "as part of what?" The source repository? The downloadable packages?
  • in what format? The license tool generates a txt file, there is also the "mvn dependency:tree" described, and there are formats expected to be standardized. Here some references:
    • Wayne's blog on using dash-license in maven: https://blog.waynebeaton.ca/posts/ip/dash-license-tool-maven-reactor/
    • CycloneDX maven plugin: https://github.com/CycloneDX/cyclonedx-maven-plugin

I guess the best would be to find another Eclipse project which does this and mimic their setup. Any idea of a concrete project to look at?

eclipsewebmaster · May 08 '24 20:05
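The two checks the post describes (fail when the generated list contains anything not approved, and confirm that every plugin bundled in the standalone package appears in that list) written out as an added Python example; this is not part of the original issue, the MAT build or the dash-licenses tool. It assumes the summary layout the dash license tool writes when asked for one (one dependency per line: ClearlyDefined id, SPDX license, status, authority) and the usual `<symbolicName>_<version>.jar` naming of Eclipse plugin jars; the sample summary lines and jar names below are constructed, not real MAT output.

```python
"""Gate a build on a dash-licenses summary and cross-check shipped plugins.

Added example, not MAT project code. Assumptions are marked in comments.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample in the dash summary layout (assumption: one line per
# dependency, "ClearlyDefined id, license, status, authority"). Not real output.
SAMPLE_SUMMARY = """\
maven/mavencentral/com.google.code.gson/gson/2.8.9, Apache-2.0, approved, clearlydefined
p2/orbit/p2.eclipse.plugin/org.apache.commons.codec/1.14.0.v20200818-1422, Apache-2.0, approved, #2046
p2/orbit/p2.eclipse.plugin/org.example.unreviewed/1.0.0, unknown, restricted, none
"""

# Constructed jar names as they would sit in a package's plugins/ folder.
SAMPLE_PLUGIN_JARS = [
    "org.apache.commons.codec_1.14.0.v20200818-1422.jar",
    "org.example.unreviewed_1.0.0.jar",
    "org.example.shipped.only_2.3.0.jar",   # shipped, but absent from the summary
]


@dataclass(frozen=True)
class Entry:
    coordinate: str   # e.g. p2/orbit/p2.eclipse.plugin/<bundle>/<version>
    license: str      # SPDX id, or whatever the tool printed when unknown
    status: str       # "approved" or "restricted"
    authority: str    # clearlydefined, an IPLab ticket reference, ...

    @property
    def bundle_id(self) -> str:
        # Bundle/artifact name is the second-to-last path segment of the id.
        return self.coordinate.rsplit("/", 2)[-2]


def parse_summary(text: str) -> list[Entry]:
    """Parse the comma-separated summary; reject lines that do not fit the layout."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"unexpected summary line: {raw!r}")
        entries.append(Entry(*parts))
    return entries


def unapproved(entries: list[Entry]) -> list[Entry]:
    """Everything whose status is not literally 'approved' blocks the release."""
    return [e for e in entries if e.status != "approved"]


def bundle_id_from_jar(jar_name: str) -> str:
    # Assumption: Eclipse plugin jars are named <symbolicName>_<version>.jar
    stem = jar_name[:-4] if jar_name.endswith(".jar") else jar_name
    return stem.partition("_")[0]


def missing_from_summary(bundle_ids: set[str], entries: list[Entry]) -> list[str]:
    """Shipped bundles the dependency list does not cover (the post's subset check)."""
    known = {e.bundle_id for e in entries}
    return sorted(b for b in bundle_ids if b not in known)


@dataclass
class Report:
    unapproved: list[str] = field(default_factory=list)  # coordinates
    missing: list[str] = field(default_factory=list)     # bundle ids

    @property
    def ok(self) -> bool:
        return not self.unapproved and not self.missing


def audit(summary_text: str, plugin_jars: list[str]) -> Report:
    entries = parse_summary(summary_text)
    shipped = {bundle_id_from_jar(j) for j in plugin_jars}
    return Report(
        unapproved=[e.coordinate for e in unapproved(entries)],
        missing=missing_from_summary(shipped, entries),
    )


def main() -> int:
    report = audit(SAMPLE_SUMMARY, SAMPLE_PLUGIN_JARS)
    for coord in report.unapproved:
        print("NOT APPROVED:", coord)
    for bundle in report.missing:
        print("SHIPPED BUT NOT IN DEPENDENCY LIST:", bundle)
    return 0 if report.ok else 1   # non-zero exit is what fails a CI step


if __name__ == "__main__":
    raise SystemExit(main())
```

Run after the dash summary has been generated and the package assembled; a non-zero exit turns either finding into a failed build step, which is the "fail the build" behaviour the post has not yet tried. Treating any status other than `approved` as blocking (rather than only `restricted`) is deliberate: an unexpected status value should stop the release rather than pass silently.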