Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve Native Image SBOM Generation #623

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Improve Native Image SBOM Generation #623

wants to merge 1 commit into from

Conversation

rudsberg
Copy link

@rudsberg rudsberg commented Sep 13, 2024
edited
Loading

This PR extends the native-maven-plugin to improve the accuracy of the Software Bill of Material (SBOM) that is generated as part of Native Image builds (only available in Oracle GraalVM).

The high-level approach is the following:

  • The native-maven-plugin invokes cyclonedx-maven-plugin to create a base SBOM.
  • The components of the base SBOM are augmented with new fields, foremost packageNames which lists the package names of that components.
  • The SBOM is stored at a known location and is handed over to Native Image.
  • Only in Native Image: Components and dependencies are pruned whenever possible as determined by the Native Image static analysis. Native Image relies on the augmented fields to map an identified type to its component.
  • Only in Native Image: The final SBOM is saved according to the arguments passed to --enable-sbom.

By using a COTS SBOM generator to get a base SBOM and passing extra information to Native Image which prunes it to make it more accurate, we at worst get an SBOM that conforms to industry standards and at best an SBOM that is significantly more accurate.

Future work includes:

  • Adding similar support for the native-gradle-plugin.
  • Attempting to resolve the packageNames for shaded dependencies similar as is currently done for the main artifact. Currently, shaded dependencies are marked as prunable=false which instructs Native Image to not prune them or any of their transitive dependencies.

@oracle-contributor-agreement Oracle Contributor Agreement
Copy link

Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA).
The following contributors of this PR have not signed the OCA:

To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application.

When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated.

If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Required At least one contributor does not have an approved Oracle Contributor Agreement. label Sep 13, 2024
rudsberg
rudsberg commented Sep 13, 2024
View reviewed changes
native-maven-plugin/build.gradle.kts
@@ -45,7 +45,8 @@ import org.gradle.util.GFileUtils
plugins {
`java-library`
groovy
checkstyle
// TODO: forced to remove this to allow building on my machine. Remove this before merging.
// checkstyle
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a few instances where I had to uncomment code to make it build on my machine. If anyone has resolutions for avoiding this, please let me know. In either case, they will of course be removed before merging.

@oracle-contributor-agreement oracle-contributor-agreement bot added OCA Verified All contributors have signed the Oracle Contributor Agreement. and removed OCA Required At least one contributor does not have an approved Oracle Contributor Agreement. labels Sep 16, 2024
rudsberg
rudsberg commented Sep 16, 2024
View reviewed changes
native-maven-plugin/src/main/java/org/graalvm/buildtools/maven/NativeCompileNoForkMojo.java
@@ -101,6 +105,12 @@ public void execute() throws MojoExecutionException {
maybeSetMainClassFromPlugin(this::consumeConfigurationNodeValue, "org.apache.maven.plugins:maven-assembly-plugin", "archive", "manifest", "mainClass");
maybeSetMainClassFromPlugin(this::consumeConfigurationNodeValue, "org.apache.maven.plugins:maven-jar-plugin", "archive", "manifest", "mainClass");
maybeAddGeneratedResourcesConfig(buildArgs);

if (enableSBOM) {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should also guard that the EE version of Native Image is used. What's an easy and clean way to differentiate between EE and CE from this context?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@melix melix Awaiting requested review from melix

@dnestoro dnestoro Awaiting requested review from dnestoro

@matneu matneu Awaiting requested review from matneu

@fniephaus fniephaus Awaiting requested review from fniephaus

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rudsberg