-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support ability to use cyclonedx-maven-plugin #334
Comments
There are plans to add consistent support for CycloneDX output, although it's a low priority at the moment. The implementation would be through The trouble with using a Maven plugin is that it only works for Maven & we have to support other build tools as well. We also want to provide a consistent prerequisite-free user experience (i.e. we don't want to require users to install certain Maven plugins). That said, I wouldn't be opposed to adding an opt-in way for tools to contribute to the SBOM generation process and/or a way for the buildpack to back off and not overwrite tool-generated files. I would also suggest you reach out to the syft community. If there is missing metadata, perhaps it can be added through syft. We run the tool against your source code, so it has full access to your pom.xml and everything Maven does. It's just a matter of the tool digging that information out. |
Currently wondering if the pom cataloger would already improve the sbom quality? Or if not, whether the potential to configure |
Independently, I like the idea of defaulting to a |
In the past when this was reported the pom cataloger did a poor job of understanding transitive dependencies managed by a parent pom or a bom added to dependency management. This resulted in the wrong version being reported or missing dependencies. This might have changed since that time. The cyclonedx maven plugin has full access to the resolved dependency graph that maven executes off. This gives access to accurate license information, project source urls and checksums on all dependencies. Syft does not have access to this rich data set. |
Thanks @xyloman. I tend to agree with @dmikusa though, that injecting plugins into the build system could turn out to be messy and hard to understand magic. |
cdxgen might help with that messy outcome but ensure an accurate SBOM. I have concerns with accuracy issues out of the box that the user would be in aware of. I disagree that running the plugin specifically via the mnw is not messy and is a common pattern in other build systems like GitHub actions and Jenkins jobs. It helps devs avoid adding plugins to their projects that are really only a concern of Platform Engineering. |
I moved this to the Maven repo, as this discussion seems Maven-specific. We might be able to implement something Maven-specific, but I'd really rather see things consistent across build tools.
I still want to make this all pluggable, so if you don't like |
I don't think that we have to blindly report it as correct @dmikusa. CycloneDX has some capabilities to provide sbom provenance I believe - didn't really read about it, but |
@loewenstein I believe you're correct that a developer that's putting effort into generating their own SBOM can put out a more accurate SBOM than what we can do with automatic scanning. The automatic scanners will only get you so far, they all have their faults. That said, I still don't think we should include what the developer or any external entity generates in the image as if buildpacks generated it. If you're getting it from Maybe if there is a very, very clear way to show that some part of the SBOM is generated externally we could include it, but even then I still think it's better done some other way, external to what buildpacks are doing. I suppose if you really wanted to have your SBOM included in with buildpack SBOM data then you could create your own "External SBOM" buildpack, take in the external file, and then include that as the SBOM for that buildpack. |
The most accurate way to generate an SBOM is to use the build system to do so. The cyclonedx-maven-plugin provides the most robust and accurate cyclonedx SBOM for a maven project. There is similar capabilities in the gradle ecosystem. The issue here is a desire to balance an ecosystem concern with an accuracy concern. My proposal has been to tackle the accuracy concern because the ecosystem has provided a clear answer use the build system maven/gradle to generate the SBOM if accuracy is your biggest concern. In future versions of Spring Boot the maintainers have decided that if a plugin such as cyclonedx-maven-plugin is included in the pom.xml then the sbom generated by it will be picked and exposed via the SBOM accutator endpoint. If buildpacks leverage a different mechanism (e.g. syft) then the app will present a different SBOM than the SBOM returned by buildpacks. I am advocating that buildpacks should allow the buildsystem to contribute an SBOM. If the SBOM is placed in a well known location, leverage it over syft. |
@xyloman So I'd like this to eventually be pluggable so people can choose their SBOM provider. There's nothing particular about Syft, aside from that's where we started. I've heard a little about what Spring Boot is doing with SBOM and it looks cool. We'll have to discuss how that specifically is integrated, or if we do. Since it's available through Actuator, you don't really need it available in the buildpacks layers too. I do agree that having it plus the buildpack's Syft (or another tool) generated SBOM, which could be different, would be confusing. So we'll have to sort that out, maybe we just turn off SBOM generation if Spring's going to do it. My question for you would be, does it matter how you get the SBOM information? If it's in the image and you can get it from Actuator or if it's in the image and you run I'm also curious how you verify your SBOM to make sure it hasn't been altered. Do you sign them with some tool? If so, what tool? Thanks! |
@dmikusa Yeah, I think the ability to suppress an SBoM for user provided code is the minimum that we have to provide - maybe you are right and there's no need to inject it into the image though. |
Currently, Syft is used to generate SBOMs. The fidelity of the resulting SBOM is very low. It does not contain provenance information of included dependencies. This information is typically included in the case of CycloneDX when leveraging the CycloneDX maven plugin as a part of the build. Maven plugins usually have access to the entire dependency graph during build time which means the SBOM contains information that can only be discovered during build time:
Describe the Enhancement
Allow a maven build to contribute a CycloneDX document generated during build time.
Possible Solution
Java buildpack could discover a file such as
${project.artifactId}-${project.version}-cyclonedx.xml
or${project.artifactId}-${project.version}-cyclonedx.json
and include it in the resulting cnb-sboms layer.Motivation
CycloneDX documents generated during the maven build process will have access to more information about dependencies that can be fed into the bill of material CycloneDX document.
The text was updated successfully, but these errors were encountered: