Uploaded image for project: 'ORC'
  1. ORC
  2. ORC-1342

Publish SBOM artifacts

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.9.0, 1.8.2, 1.7.8
    • 1.8.2, 1.7.8
    • Java
    • None

    Description

      What changes were proposed in this pull request?

      This issue aims to publish `SBOM` artifacts.

      Why are the changes needed?

      Here is an article to give some context.

      Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX](https://cyclonedx.org/), [Software Identification (SWID) tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software Package Data Exchange® (SPDX)](https://spdx.dev/).

      This PR uses [CycloneDX maven plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin), a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

      For example, `orc-core-1.9.0-SNAPSHOT-cyclonedx.json` and `orc-core-1.9.0-SNAPSHOT-cyclonedx.xml` are attached like the following.

      $ tree ~/.m2/repository/org/apache/orc/orc-core
/Users/dongjoon/.m2/repository/org/apache/orc/orc-core
├── 1.9.0-SNAPSHOT
│   ├── _remote.repositories
│   ├── maven-metadata-apache.snapshots.xml
│   ├── maven-metadata-apache.snapshots.xml.sha1
│   ├── maven-metadata-local.xml
│   ├── orc-core-1.9.0-20230103.231254-184.jar
│   ├── orc-core-1.9.0-20230103.231254-184.jar.sha1
│   ├── orc-core-1.9.0-20230103.231254-184.pom
│   ├── orc-core-1.9.0-20230103.231254-184.pom.sha1
│   ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.json
│   ├── orc-core-1.9.0-SNAPSHOT-cyclonedx.xml
│   ├── orc-core-1.9.0-SNAPSHOT-nohive.jar
│   ├── orc-core-1.9.0-SNAPSHOT-shaded-protobuf.jar
│   ├── orc-core-1.9.0-SNAPSHOT-sources.jar
│   ├── orc-core-1.9.0-SNAPSHOT-test-sources.jar
│   ├── orc-core-1.9.0-SNAPSHOT-tests.jar
│   ├── orc-core-1.9.0-SNAPSHOT.jar
│   ├── orc-core-1.9.0-SNAPSHOT.pom
│   └── resolver-status.properties
└── maven-metadata-local.xml

      Attachments

        Issue Links

          is related to

          Sub-task - The sub-task of the issue AVRO-3700 Publish Java SBOM artifacts with CycloneDX

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. PARQUET-2224 Publish SBOM artifacts

          • Major - Major loss of function.
          • Resolved
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. FLINK-30578 Publish SBOM artifacts

          • Major - Major loss of function.
          • In Progress

          Improvement - An improvement or enhancement to an existing feature or task. SPARK-41893 Publish SBOM artifacts

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #1353

          Web Link GitHub Pull Request #1363

          Activity

            People

              dongjoon Dongjoon Hyun
              dongjoon Dongjoon Hyun
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: