Improve Native Image SBOM Generation #623
base: master
Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA).
To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application. When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated. If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.
@@ -45,7 +45,8 @@ import org.gradle.util.GFileUtils | |||
plugins { | |||
`java-library` | |||
groovy | |||
checkstyle | |||
// TODO: forced to remove this to allow building on my machine. Remove this before merging. | |||
// checkstyle |
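Review bot: the hunk removes `checkstyle` from the plugins block and leaves a commented-out copy plus a TODO saying to remove it before merging; that workaround should not be part of the change at all, because dropping the style check silently disables a build gate for everyone who builds from this branch. Keep the original `checkstyle` line and, if the local build fails on it, fix the underlying checkstyle failure or raise it as a separate issue rather than committing the bypass.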
There are a few instances where I had to uncomment code to make it build on my machine. If anyone has resolutions for avoiding this, please let me know. In either case, they will of course be removed before merging.
@@ -101,6 +105,12 @@ public void execute() throws MojoExecutionException { | |||
maybeSetMainClassFromPlugin(this::consumeConfigurationNodeValue, "org.apache.maven.plugins:maven-assembly-plugin", "archive", "manifest", "mainClass"); | |||
maybeSetMainClassFromPlugin(this::consumeConfigurationNodeValue, "org.apache.maven.plugins:maven-jar-plugin", "archive", "manifest", "mainClass"); | |||
maybeAddGeneratedResourcesConfig(buildArgs); | |||
|
|||
if (enableSBOM) { |
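Review bot: `if (enableSBOM)` checks only the plugin option, not whether the `native-image` that will be invoked supports SBOM generation; the description states the feature is only available in Oracle GraalVM, so on GraalVM CE this branch passes an unsupported flag and the build fails late with an opaque error. Suggest resolving the distribution before this point (for example from the `native-image --version` output) and either failing fast with a clear message or logging a warning and skipping SBOM generation when the toolchain is not Oracle GraalVM.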
This should also guard that the EE version of Native Image is used. What's an easy and clean way to differentiate between EE and CE from this context?
This PR extends the native-maven-plugin to improve the accuracy of the Software Bill of Materials (SBOM) that is generated as part of Native Image builds (only available in Oracle GraalVM). The high-level approach is the following:

- native-maven-plugin invokes cyclonedx-maven-plugin to create a base SBOM.
- packageNames, which lists the package names of that component.
- --enable-sbom.

By using a COTS SBOM generator to get a base SBOM and passing extra information to Native Image which prunes it to make it more accurate, we at worst get an SBOM that conforms to industry standards and at best an SBOM that is significantly more accurate.

Future work includes:

- native-gradle-plugin.
- prunable=false, which instructs Native Image to not prune them or any of their transitive dependencies.
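As an added illustration of the approach described in this PR (example code, not from the PR or from native-build-tools), the following Python models the data flow: a constructed CycloneDX base SBOM is augmented with a packageNames list per component, and a pruning step keeps only components whose packages ended up in the image, plus any component exempted in the spirit of the proposed prunable=false together with its transitive dependsOn closure. The field placement, the jar-entry input and the pruning rule are assumptions; in the real design the pruning happens inside Native Image.

```python
import json

# Constructed CycloneDX-style base SBOM, standing in for cyclonedx-maven-plugin output.
BASE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "app", "name": "app", "version": "1.0"},
    {"bom-ref": "json", "name": "json-lib", "version": "2.0"},
    {"bom-ref": "http", "name": "http-client", "version": "3.1"},
    {"bom-ref": "codec", "name": "codec", "version": "1.2"},
    {"bom-ref": "xml", "name": "xml-lib", "version": "0.9"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["json", "http", "xml"]},
    {"ref": "http", "dependsOn": ["codec"]}, {"ref": "json", "dependsOn": []},
    {"ref": "codec", "dependsOn": []}, {"ref": "xml", "dependsOn": []}
  ]
}""")

# Constructed: class entries per component, as a plugin could read them from each jar.
JAR_ENTRIES = {
    "app": ["com/example/Main.class", "META-INF/MANIFEST.MF"],
    "json": ["org/json/JSONObject.class", "org/json/JSONArray.class"],
    "http": ["org/http/Client.class", "org/http/impl/Pool.class"],
    "codec": ["org/codec/Base64.class"],
    "xml": ["org/xml/Parser.class"],
}

def add_package_names(sbom, entries):
    """Attach a sorted packageNames list to every component (field placement is an assumption)."""
    for comp in sbom["components"]:
        pkgs = {e.rsplit("/", 1)[0].replace("/", ".")
                for e in entries.get(comp["bom-ref"], []) if e.endswith(".class") and "/" in e}
        comp["packageNames"] = sorted(pkgs)
    return sbom

def prune(sbom, image_packages, unprunable=()):
    """Model of pruning: keep components contributing a package to the image, plus unprunable ones and their deps."""
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    keep = {c["bom-ref"] for c in sbom["components"] if set(c["packageNames"]) & set(image_packages)}
    stack, seen = list(unprunable), set()
    while stack:  # transitive closure over dependsOn edges, starting from the unprunable components
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(deps.get(ref, []))
    keep |= seen
    return {**sbom,  # new dict; the input SBOM is left untouched
            "components": [c for c in sbom["components"] if c["bom-ref"] in keep],
            "dependencies": [{"ref": r, "dependsOn": [d for d in ds if d in keep]}
                             for r, ds in deps.items() if r in keep]}
```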