JSTEP-14: Generate, publish SBOMs for Jackson components #85
Replies: 6 comments 7 replies
/cc @JooHyukKim @pjfanning @yawkat @k163377 @sdeleuze @stevenschlansker
Relevant example(s): Classifier used:
Here's another datapoint from the Spring Boot project. The

```xml
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <executions>
    <execution>
      <phase>generate-resources</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
      <configuration>
        <projectType>application</projectType>
        <outputDirectory>${project.build.outputDirectory}/META-INF/sbom</outputDirectory>
        <outputFormat>json</outputFormat>
        <outputName>application.cdx</outputName>
      </configuration>
    </execution>
  </executions>
</plugin>
```

This might not be 100% applicable to you, as you have a library while users typically create a Spring Boot application. That's why, by default, we name it If you use the SBOM feature from native-image, the SBOM is created under
All repos updated now: since "classifier" comes from parent pom (
Publishing worked in 3.0.0-rc4, but broken in 3.0.0-rc5 due to changes (somehow) wrt Sonatype Central publishing: artifacts are generated but not uploaded, it seems.
NOTE: publishing fixed (via FasterXML/jackson-databind#5361) for 2.21 and 3.1.
I created https://github.com/FasterXML/jackson-future-ideas/wiki/JSTEP-14 to propose publishing SBOM artifacts for (all) Jackson components.
Mechanism itself looks simple, using `cyclonedx-maven-plugin` Maven plug-in as part of build process; attaching artifacts so they will also be published to Maven Central. (Note: this is one of 2 existing SBOM standards; seemingly more mature.)
WDYT? One practical question is just Maven "classifier" to use -- we probably want to follow de facto standard whatever it is (default of "cyclonedx" may not be it).
EDIT: Initial choice for classifier: `sbom-cyclonedx`.
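A consumer-side check for the proposal above, added here as an example and not code from the Jackson project: it builds the Maven Central path implied by the chosen classifier and sanity-checks a CycloneDX JSON document before trusting it. It assumes the SBOM is attached as a `json`-typed artifact with classifier `sbom-cyclonedx`; the sample document and the `example-lib` coordinates are constructed.

```python
"""Locate and sanity-check a published CycloneDX SBOM for a Maven artifact.

Added example, not Jackson project code. Assumption: the SBOM is attached with
classifier ``sbom-cyclonedx`` and type ``json``, so Maven Central serves it as
<artifactId>-<version>-sbom-cyclonedx.json under the usual repository layout.
"""
import json

MAVEN_CENTRAL = "https://repo1.maven.org/maven2"
CLASSIFIER = "sbom-cyclonedx"  # initial choice from the thread


def sbom_url(group_id: str, artifact_id: str, version: str,
             classifier: str = CLASSIFIER, ext: str = "json") -> str:
    """Maven repository layout: group path / artifact / version / file name."""
    group_path = group_id.replace(".", "/")
    file_name = f"{artifact_id}-{version}-{classifier}.{ext}"
    return f"{MAVEN_CENTRAL}/{group_path}/{artifact_id}/{version}/{file_name}"


def check_cyclonedx(doc: dict) -> dict:
    """Report spec version, the subject purl, and components that lack a purl
    (a component without a purl cannot be matched against vulnerability data)."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = doc.get("components", [])
    missing_purl = [c.get("name", "?") for c in components if not c.get("purl")]
    subject = ((doc.get("metadata") or {}).get("component") or {}).get("purl")
    return {
        "spec_version": doc.get("specVersion"),
        "subject": subject,
        "component_count": len(components),
        "missing_purl": missing_purl,
    }


def load_and_check(text: str) -> dict:
    """Parse SBOM JSON text (e.g. the downloaded artifact) and check it."""
    return check_cyclonedx(json.loads(text))


# Constructed sample SBOM for illustration, not a real Jackson SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "library", "name": "example-lib",
                               "purl": "pkg:maven/org.example/example-lib@1.0.0"}},
    "components": [
        {"type": "library", "name": "dep-a", "version": "2.0",
         "purl": "pkg:maven/org.example/dep-a@2.0"},
        {"type": "library", "name": "dep-b", "version": "3.1"},  # purl missing
    ],
})

if __name__ == "__main__":
    print(sbom_url("com.fasterxml.jackson.core", "jackson-databind", "2.21.0"))
    print(load_and_check(SAMPLE_SBOM))
```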