Generate an SBOM #960
@gastaldi do you happen to have some standardized way of generating an SBOM for Quarkiverse projects?
@ppalaga no. I know @aloubyansky did some work to generate those, but I haven't checked yet. As a side note, GitHub has a feature to export SBOMs from the UI: https://github.blog/2023-03-28-introducing-self-service-sboms/#whats-changing
Which mojo does that? I could not find anything quickly in https://github.com/quarkusio/quarkus-platform-bom-generator
I think the profile is here: https://github.com/quarkusio/quarkus-platform/blob/main/pom.xml#L775C18-L799
I was rather looking for the source of the mojo generating the SBOM to figure out whether it can be used inside quarkus-cxf
It depends on what you expect to be captured in an SBOM. But generally, I think we can make it work.
I have no precise expectations. The main questions I have are:
It depends on what the consumer of the SBOM is expecting to find in it. It's about the supply chain story and depends on how much detail of that story you want to capture. Build tools are certainly a part of it, but again it depends on how much detail you are after. From the Quarkus platform perspective, I'd agree with you: from the perspective of CVE tracking and fixing, generating an SBOM per "deliverable" makes sense and is what we should do. However, this is not exactly how it is currently done in the Quarkus platform; we are still recording complete dependency trees in the SBOMs we generate for platform members. I need to fix this.
The main use case is scanning for CVEs in quarkus-cxf and its transitives minus stuff pulled via Quarkus.
What needs to be excluded from the complete dependency trees from your PoV?
Components (Maven artifacts) that come from Quarkus itself.
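The exchange above ends at "drop the components that come from Quarkus itself". What that means mechanically, as an added example (not code from the issue, from quarkus-cxf, or from the quarkus-platform tooling): take the complete-dependency-tree SBOM and remove every component that is a platform artifact or is reachable from one in the SBOM's dependency graph, leaving only the deliverable's own transitives for CVE scanning. The CycloneDX-style SBOM, the `0.0.0-example` versions and the purls are constructed here; treating `io.quarkus` as the platform group is an assumption, and a component reachable both through Quarkus and through the deliverable's own dependencies (jboss-logging in the sample) is deliberately dropped on the reasoning in the thread that Quarkus tracks its CVEs.

```python
import json
from collections import deque


def purl(group, name, version="0.0.0-example"):
    """Build a Maven purl; versions are placeholders in this constructed sample."""
    return f"pkg:maven/{group}/{name}@{version}"


# Constructed sample, not taken from the issue: a trimmed SBOM for a hypothetical
# quarkus-cxf build. bom-ref == purl, as most Maven CycloneDX generators emit.
CXF = purl("io.quarkiverse.cxf", "quarkus-cxf")
CXF_CORE = purl("org.apache.cxf", "cxf-core")
XMLSCHEMA = purl("org.apache.ws.xmlschema", "xmlschema-core")
QUARKUS_CORE = purl("io.quarkus", "quarkus-core")
JBOSS_LOGGING = purl("org.jboss.logging", "jboss-logging")

FULL_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": CXF, "purl": CXF}},
    "components": [
        {"bom-ref": CXF, "group": "io.quarkiverse.cxf", "name": "quarkus-cxf", "purl": CXF},
        {"bom-ref": CXF_CORE, "group": "org.apache.cxf", "name": "cxf-core", "purl": CXF_CORE},
        {"bom-ref": XMLSCHEMA, "group": "org.apache.ws.xmlschema", "name": "xmlschema-core", "purl": XMLSCHEMA},
        {"bom-ref": QUARKUS_CORE, "group": "io.quarkus", "name": "quarkus-core", "purl": QUARKUS_CORE},
        {"bom-ref": JBOSS_LOGGING, "group": "org.jboss.logging", "name": "jboss-logging", "purl": JBOSS_LOGGING},
    ],
    "dependencies": [
        {"ref": CXF, "dependsOn": [CXF_CORE, QUARKUS_CORE]},
        {"ref": CXF_CORE, "dependsOn": [XMLSCHEMA, JBOSS_LOGGING]},  # also reached via Quarkus
        {"ref": QUARKUS_CORE, "dependsOn": [JBOSS_LOGGING]},
        {"ref": XMLSCHEMA, "dependsOn": []},
        {"ref": JBOSS_LOGGING, "dependsOn": []},
    ],
}

# Assumption: artifacts in these groups (or sub-groups) "come from Quarkus itself".
PLATFORM_GROUPS = ("io.quarkus",)


def _is_platform_group(group, platform_groups):
    # Exact or dotted-prefix match, so "io.quarkiverse.cxf" is NOT treated as "io.quarkus".
    return any(group == g or group.startswith(g + ".") for g in platform_groups)


def platform_provided_refs(sbom, platform_groups=PLATFORM_GROUPS):
    """bom-refs of every platform component plus everything reachable from one.

    These are the components whose CVEs the platform tracks and fixes, so a
    per-deliverable SBOM leaves them out.
    """
    children = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    roots = [c["bom-ref"] for c in sbom["components"]
             if _is_platform_group(c.get("group", ""), platform_groups)]
    seen, queue = set(roots), deque(roots)
    while queue:  # breadth-first walk of the dependency graph
        for child in children.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def prune_platform_components(sbom, platform_groups=PLATFORM_GROUPS):
    """Return a copy of `sbom` holding only the deliverable's own transitives."""
    drop = platform_provided_refs(sbom, platform_groups)
    out = json.loads(json.dumps(sbom))  # deep copy; the input stays untouched
    out["components"] = [c for c in out["components"] if c["bom-ref"] not in drop]
    out["dependencies"] = [
        {"ref": d["ref"], "dependsOn": [r for r in d.get("dependsOn", []) if r not in drop]}
        for d in out.get("dependencies", [])
        if d["ref"] not in drop
    ]
    return out


def remaining_refs(sbom):
    """Sorted bom-refs left in an SBOM, handy for diffing before/after."""
    return sorted(c["bom-ref"] for c in sbom["components"])


if __name__ == "__main__":
    print(json.dumps(prune_platform_components(FULL_SBOM), indent=2))
```

The dependency graph matters here: filtering on group name alone would keep jboss-logging because its group is not `io.quarkus`, while the graph walk recognises it as something the platform already ships. Dangling `dependsOn` entries are pruned as well so the result stays a valid CycloneDX dependency graph for the scanner.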