Integrate Native Image SBOM with GitHub's Dependency Submission API #119
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oracle-contributor-agreement
bot
added
the
OCA Verified
|
There is one failing test which is not related to this PR: |
rudsberg
force-pushed
the
sbom-support
branch
from
a8b9f27 to
37b175a
Compare
rudsberg
force-pushed
the
sbom-support
branch
from
37b175a to
798fe47
Compare
fniephaus
approved these changes
Jan 21, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR adds support to automatically generate a highly accurate SBOM with Native Image and submit it to GitHub's dependency submission API. That enables a simple integration with all the powerful security tooling that Github provides:
The feature is activated with the option
native-image-enable-sbom. It requirescontents: writepermission and for the Dependency Graph feature to be activated (on by default for public repositories). This feature is supported for GraalVM for JDK 24 or above. It cannot be used for earlier versions since thepurlSBOM field, which the GitHub API requires, is only available in the upcoming JDK 24 release.Approach and Testing
The high-level approach for the implementation is the following:
runinmain.tscallssetUpSBOMSupportwhich appends--enable-sbom=exporttoNATIVE_IMAGE_OPTIONS. Effectively, this instructs any subsequent invocation ofnative-imageto generate an SBOM.runincleanup.tscallsprocessSBOMwhich finds the SBOM, maps the content to the format the GitHub API expects, and submits it to the API.The feature is tested with a mix of unit and integration tests:
sbom.test.tsruns unit and integration tests. The GitHub API is mocked.test.ymlis extended with a new jobsbom-testwhich builds a maven project and asserts that an SBOM is created and verifies its contents.Example
Consider the test project that the job
sbom-testuses which defines one Java class with a dependency onorg.json. After the job has executed, the GitHub dashboard is populated with vulnerability alerts underSecurity/Dependabotand the Dependency Graph underInsights/Dependency graph. Here is how theSecurity/Dependabotpage looks like:A specific vulnerability:
The
Insights/Dependency graphincludes theorg.jsoncomponent which was part of the SBOM and the dependencies picked up automatically from the manifest files: