Uploaded image for project: 'ORC'
  1. ORC
  2. ORC-1342

Publish SBOM artifacts

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.9.0, 1.8.2, 1.7.8
    • 1.8.2, 1.7.8
    • Java
    • None

    Description

      What changes were proposed in this pull request?

      This issue aims to publish `SBOM` artifacts.

      Why are the changes needed?

      Here is an article to give some context.

      Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX](https://cyclonedx.org/), [Software Identification (SWID) tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software Package Data Exchange® (SPDX)](https://spdx.dev/).

      This PR uses [CycloneDX maven plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin), a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

      For example, `orc-core-1.9.0-SNAPSHOT-cyclonedx.json` and `orc-core-1.9.0-SNAPSHOT-cyclonedx.xml` are attached like the following.

      $ tree ~/.m2/repository/org/apache/orc/orc-core
      /Users/dongjoon/.m2/repository/org/apache/orc/orc-core
      ├── 1.9.0-SNAPSHOT
      │   ├── _remote.repositories
      │   ├── maven-metadata-apache.snapshots.xml
      │   ├── maven-metadata-apache.snapshots.xml.sha1
      │   ├── maven-metadata-local.xml
      │   ├── orc-core-1.9.0-20230103.231254-184.jar
      │   ├── orc-core-1.9.0-20230103.231254-184.jar.sha1
      │   ├── orc-core-1.9.0-20230103.231254-184.pom
      │   ├── orc-core-1.9.0-20230103.231254-184.pom.sha1
      │   ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.json
      │   ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.xml
      │   ├── orc-core-1.9.0-SNAPSHOT-nohive.jar
      │   ├── orc-core-1.9.0-SNAPSHOT-shaded-protobuf.jar
      │   ├── orc-core-1.9.0-SNAPSHOT-sources.jar
      │   ├── orc-core-1.9.0-SNAPSHOT-test-sources.jar
      │   ├── orc-core-1.9.0-SNAPSHOT-tests.jar
      │   ├── orc-core-1.9.0-SNAPSHOT.jar
      │   ├── orc-core-1.9.0-SNAPSHOT.pom
      │   └── resolver-status.properties
      └── maven-metadata-local.xml
      

      Attachments

        Issue Links

          Activity

            People

              dongjoon Dongjoon Hyun
              dongjoon Dongjoon Hyun
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: