
Generate an SBOM

Open ppalaga opened this issue 1 year ago • 11 comments

ppalaga avatar Aug 14 '23 15:08 ppalaga

@gastaldi do you happen to have some standardized way of generating an SBOM for Quarkiverse projects?

ppalaga avatar Aug 16 '23 14:08 ppalaga

@ppalaga no. I know @aloubyansky did some work to generate those, but I haven't checked yet.

As a side note, GitHub has a feature to export SBOMs from the UI: https://github.blog/2023-03-28-introducing-self-service-sboms/#whats-changing

gastaldi avatar Aug 16 '23 14:08 gastaldi

./mvnw -Psbom from the platform project generates SBOMs for all the members.

aloubyansky avatar Aug 16 '23 14:08 aloubyansky

./mvnw -Psbom from the platform project generates SBOMs for all the members.

Which mojo does that? I could not find anything quickly in https://github.com/quarkusio/quarkus-platform-bom-generator. I wonder if the mojo is general enough and would work for Quarkus CXF as well?

ppalaga avatar Aug 16 '23 15:08 ppalaga

I think the profile is here: https://github.com/quarkusio/quarkus-platform/blob/main/pom.xml#L775C18-L799

gastaldi avatar Aug 16 '23 15:08 gastaldi

I think the profile is here: https://github.com/quarkusio/quarkus-platform/blob/main/pom.xml#L775C18-L799

I was rather looking for the source of the mojo generating the SBOM to figure out whether it can be used inside quarkus-cxf.

ppalaga avatar Aug 16 '23 16:08 ppalaga

It depends on what you expect to be captured in an SBOM. But generally, I think we can make it work.

aloubyansky avatar Aug 16 '23 20:08 aloubyansky

I have no precise expectations. The main questions I have are:

  1. Should Maven plugins and other build-related artifacts be a part of the SBOM? I was a bit surprised to see them in https://github.com/quarkiverse/quarkus-cxf/network/dependencies?q=plugin. I guess no, but in that case, the GH SBOM export is rather useless.
  2. Should Quarkus CXF SBOM include quarkus artifacts and their transitives? I'd say no - is that also your opinion @aloubyansky?

ppalaga avatar Aug 16 '23 20:08 ppalaga

It depends on what the consumer of the SBOM is expecting to find in it. It's about the supply chain story and depends on how much detail of that story you want to capture. Build tools are certainly a part of it, but again, it depends on how much detail you are after.

From the Quarkus platform perspective, I'd agree with you. From the perspective of CVE tracking and fixing, generating an SBOM per "deliverable" makes sense and is what we should do. However, this is not exactly how it is currently done in the Quarkus platform; we are still recording complete dependency trees in the SBOMs we generate for platform members. I need to fix this.

aloubyansky avatar Aug 16 '23 20:08 aloubyansky

The main use case is scanning for CVEs in quarkus-cxf and its transitives minus stuff pulled via Quarkus.

we are still recording complete dependency trees in the SBOMs we generate for platform members. I need to fix this.

What needs to be excluded from the complete dependency trees from your PoV?

ppalaga avatar Aug 16 '23 21:08 ppalaga

Components (Maven artifacts) that come from Quarkus itself.

aloubyansky avatar Aug 17 '23 07:08 aloubyansky
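The use case ppalaga states (scan quarkus-cxf and its transitives for CVEs, minus what is pulled in via Quarkus) and aloubyansky's answer (exclude Maven artifacts that come from Quarkus itself) amount to a post-processing step over a generated SBOM. The following is an added example written for this page; it is not code from the quarkus-cxf project, the Quarkus platform, or this thread. It assumes a CycloneDX JSON SBOM (the thread names no format), assumes that "comes from Quarkus itself" means the Maven groupId is `io.quarkus` or a sub-group of it, and uses constructed sample components with placeholder versions. The part a plain group filter tends to miss is the `dependencies` graph: removing components without pruning their refs leaves dangling references that downstream scanners reject, so the example prunes the graph and provides a check for it.

```python
"""Drop Quarkus-owned components from a CycloneDX JSON SBOM.

Added example, not code from quarkus-cxf, Quarkus, or the thread above.
Assumptions: CycloneDX JSON input, Maven coordinates in group/name/version
and the purl, and "from Quarkus itself" == groupId io.quarkus or io.quarkus.*.
"""
import json
import sys

# Group ids treated as "Quarkus itself" (assumption for this example).
QUARKUS_GROUP_PREFIXES = ("io.quarkus",)

# Constructed sample refs (versions are placeholders, not real releases).
CXF_EXT = "pkg:maven/io.quarkiverse.cxf/quarkus-cxf@0.0.0-example"
CXF_CORE = "pkg:maven/org.apache.cxf/cxf-core@0.0.0-example"
QUARKUS_CORE = "pkg:maven/io.quarkus/quarkus-core@0.0.0-example"
ARC = "pkg:maven/io.quarkus.arc/arc@0.0.0-example"


def _component(group, name, ref):
    return {"type": "library", "group": group, "name": name,
            "version": "0.0.0-example", "bom-ref": ref, "purl": ref}


# Constructed sample SBOM: the extension, one CXF library it pulls in,
# and two artifacts that come via Quarkus and should be excluded.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        _component("io.quarkiverse.cxf", "quarkus-cxf", CXF_EXT),
        _component("org.apache.cxf", "cxf-core", CXF_CORE),
        _component("io.quarkus", "quarkus-core", QUARKUS_CORE),
        _component("io.quarkus.arc", "arc", ARC),
    ],
    "dependencies": [
        {"ref": CXF_EXT, "dependsOn": [CXF_CORE, QUARKUS_CORE]},
        {"ref": CXF_CORE, "dependsOn": []},
        {"ref": QUARKUS_CORE, "dependsOn": [ARC]},
        {"ref": ARC, "dependsOn": []},
    ],
}


def is_quarkus_component(component):
    """True if the component's Maven groupId is io.quarkus or a sub-group.

    The match is dot-bounded on purpose: a bare prefix test would be wrong
    for groups such as io.quarkusx, and io.quarkiverse.* must stay in.
    """
    group = component.get("group", "")
    return any(group == p or group.startswith(p + ".")
               for p in QUARKUS_GROUP_PREFIXES)


def exclude_quarkus(sbom):
    """Return a copy of the SBOM without Quarkus-owned components.

    The dependency graph is pruned so that no entry references a removed
    component; otherwise the output carries dangling bom-refs.
    """
    kept = [c for c in sbom.get("components", []) if not is_quarkus_component(c)]
    kept_refs = {c["bom-ref"] for c in kept if "bom-ref" in c}
    deps = []
    for entry in sbom.get("dependencies", []):
        if entry.get("ref") not in kept_refs:
            continue  # graph node of a removed component
        deps.append({"ref": entry["ref"],
                     "dependsOn": [d for d in entry.get("dependsOn", []) if d in kept_refs]})
    filtered = dict(sbom)
    filtered["components"] = kept
    filtered["dependencies"] = deps
    return filtered


def dangling_refs(sbom):
    """Refs in the dependency graph that name no component (should be empty)."""
    refs = {c.get("bom-ref") for c in sbom.get("components", [])}
    dangling = set()
    for entry in sbom.get("dependencies", []):
        for r in [entry.get("ref")] + list(entry.get("dependsOn", [])):
            if r not in refs:
                dangling.add(r)
    return dangling


def main(argv):
    # Usage: python sbom_filter.py [bom.json]; without a file the sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sbom = json.load(fh)
    else:
        sbom = SAMPLE_SBOM
    json.dump(exclude_quarkus(sbom), sys.stdout, indent=2)


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the constructed sample reduced to `quarkus-cxf` and `cxf-core`, with the `quarkus-core` edge dropped from the extension's `dependsOn` list. Whether Maven plugins belong in the input at all is the separate question raised earlier in the thread; this filter only removes components by group, so plugin artifacts from other groups would pass through untouched.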