Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate SBOM during build/release process #5948

Closed
wants to merge 9 commits into from
Closed

Generate SBOM during build/release process #5948

wants to merge 9 commits into from

Conversation

tylerbenson
Copy link
Member

@tylerbenson tylerbenson commented Oct 30, 2023
edited
Loading

This has been requested by customers to enable better security practices.

Adds the spdx-gradle-plugin and the cyclonedx-gradle-plugin to published projects to generate SBOM files for the build.

When run in a build job, the various generated SBOMs are collected into SBOM.zip and uploaded as a build artifact . When run as a release, it will also upload the SBOM to the github release.

The release part has been verified: https://github.com/tylerbenson/opentelemetry-java/releases/tag/v1.37.0
(Notice the SBOM.zip file attached. This was done automatically by the workflow.)

The SBOM's are also attached to the publication so they are individually uploaded to Maven Central as part of the release process. This process was verified with the publishToMavenLocal task.

Related links:

@codecov
Copy link

codecov bot commented Oct 30, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.05%. Comparing base (97609a9) to head (8293786).
Report is 18 commits behind head on main.

Additional details and impacted files 
@@             Coverage Diff              @@
##               main    #5948      +/-   ##
============================================
+ Coverage     91.03%   91.05%   +0.01%     
- Complexity     5714     5732      +18     
============================================
  Files           622      625       +3     
  Lines         16733    16748      +15     
  Branches       1711     1713       +2     
============================================
+ Hits          15233    15250      +17     
+ Misses         1007     1003       -4     
- Partials        493      495       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@tylerbenson tylerbenson changed the title Add SBOM action to build/release process. Generate SBOM during build/release process Oct 30, 2023
@tylerbenson tylerbenson marked this pull request as ready for review October 31, 2023 15:01
@tylerbenson tylerbenson requested a review from a team October 31, 2023 15:01
@trask
Copy link
Member

trask commented Oct 31, 2023

is it typical for SBOM to contain everything that was used across the whole repository as opposed to being scoped to specific published artifacts (e.g. SBOM for opentelemetry-api)?

@tylerbenson
Copy link
Member Author

@trask I think being overly thorough is fine as long as those extra dependencies aren't too noisy from a vulnerability perspective. Having this is better than the current state of having nothing. Later on if the extra dependencies are problematic we can explore how to filter them out with additional configuration.

@jack-berg
Copy link
Member

Talked about this in the 11/2 Java SIG. Discussed that it would be good to understand how folks typically use SBOMs to ensure that what we produce matches expectations. Maybe @open-telemetry/sig-security-maintainers can chime in with some document on SBOMs to help maintainers come up to speed?

@cartersocha
Copy link

We're going to have some SBOM experts come present to the maintainers call post KubeCon

@jack-berg
Copy link
Member

Questions about this PR that came up during the maintainers meeting:

  • Does the SBOM contain only the dependencies which are bundled, or also transitive dependencies which the user technically brings in? Should probably only include dependencies which are bundled, which is essentially none for most of the artifacts in this repo.
  • Is there one SBOM that describes all artifacts, or one SBOM per artifact? My interpretation is that either could be acceptable, but one SBOM per artifact is probably preferable so we can publish each to maven central along side the artifact jar.
  • How to publish? Should probably be published to maven central along with each artifact. Also, it sounds like there is a requirement to publish with the github release. Can bundle together in an archive to prevent attaching 1 file per artifact.

@codeboten codeboten mentioned this pull request Nov 15, 2023
Open
@tylerbenson tylerbenson force-pushed the tyler/generate-sbom branch 3 times, most recently from e20b7e5 to 4d6d74a Compare January 18, 2024 22:32
tylerbenson and others added 4 commits March 11, 2024 16:44
@tylerbenson
Add SBOM action to build/release process.
eddc165 
This has been requested by customers to enable better security practices.

When run in a build job, it uploads the generated SBOM as a build artifact `opentelemetry-java-build.spdx.json`.
When run as a release, it will also upload the SBOM to the github release.

I tested the build part on a different repo, but didn't verify the release part.
@tylerbenson
Generate cyclonedx-json format SBOM too
6ca84ae
@tylerbenson
Add SPDX SBOM gradle plugin
7b75d4e 
Execute task on `assemble` and upload results as github build artifact
@tylerbenson
Populate document namespace and github repo
e9946eb
@tylerbenson tylerbenson force-pushed the tyler/generate-sbom branch from 4d6d74a to e9946eb Compare March 11, 2024 20:44
@tylerbenson tylerbenson marked this pull request as draft March 13, 2024 16:03
@tylerbenson tylerbenson force-pushed the tyler/generate-sbom branch from 71b43db to 56f4683 Compare March 13, 2024 20:44
@tylerbenson tylerbenson marked this pull request as ready for review March 13, 2024 22:03
@tylerbenson tylerbenson force-pushed the tyler/generate-sbom branch from f17e0a6 to 19ea419 Compare March 22, 2024 19:20
jack-berg
jack-berg reviewed Mar 25, 2024
View reviewed changes
.github/workflows/release.yml
find . -path ./sboms -prune -o -name "*.cyclonedx.json" -exec mv {} ./sboms/ \;
find . -path ./sboms -prune -o -name "*.spdx.json" -exec mv {} ./sboms/ \;
zip SBOM.zip sboms/*
cp SBOM.zip /tmp/
Copy link
Member

@jack-berg jack-berg Mar 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that the boms are part of the maven publication, do we actually need to publish them as *.zip?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to have a way to gather SBOM's consistently within OTel. This way folks don't have to check NPM, Maven, etc to evaluate SBOM's across OTel.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 seems reasonable to me. @open-telemetry/sig-security-maintainers can we codify this advice somewhere?

@jack-berg
Copy link
Member

Can you update the PR description to reflect the current status with publishing both spdx and cyclonedx formats, and publishing them as artifacts to maven?

jack-berg
jack-berg approved these changes Mar 26, 2024
View reviewed changes
Copy link
Member

@jack-berg jack-berg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added an item to the 3/28/24 java SIG to discuss the merits of publishing both spdx and cyclonedx, but this looks good to me. Thanks @tylerbenson

@trask
Copy link
Member

trask commented Mar 26, 2024

Added an item to the 3/28/24 java SIG to discuss the merits of publishing both spdx and cyclonedx

can we get official guidance published somewhere by @open-telemetry/sig-security-maintainers? I suspect we would just follow their recommendation?

@jack-berg
Copy link
Member

Discussed in the 4/4/24 SIG meeting. We're going to delay until we here back from the security SIG on whether publishing SBOMs for libraries is relevant / useful.

@tylerbenson tylerbenson marked this pull request as draft April 4, 2024 18:39
@cartersocha
Copy link

Here's a link to our SBOM guidance. I'll provide an update in the next maintainer call.

After consulting with some OpenSSF contributors we determined SBOMs are not material for SDKs / APIs but are for things like auto-instrumentation agents or other components.

We can close this PR and will open a similar one for the Java agent.

@jack-berg jack-berg closed this Apr 8, 2024
@tylerbenson
Copy link
Member Author

PR on the java instrumentation side:
open-telemetry/opentelemetry-java-instrumentation#11075

@tylerbenson tylerbenson mentioned this pull request Apr 24, 2024
Merged
@tylerbenson tylerbenson deleted the tyler/generate-sbom branch May 22, 2024 17:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinkuba martinkuba martinkuba left review comments

@mattcobb mattcobb mattcobb left review comments

@jack-berg jack-berg jack-berg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@tylerbenson @trask @jack-berg @cartersocha @mattcobb @martinkuba