CycloneDX SBOM in artifacts #24
a308488 to 008d5c7
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs #24):
              main      #24     +/-
Coverage    48.61%   48.57%  -0.05%
Files           31       31
Lines        10879    10866     -13
Hits          5289     5278     -11
Misses        5590     5588      -2
14547da to d29f409
@@ -126,26 +115,28 @@ jobs: | |||
working-directory: ${{github.workspace}}/ | |||
run: | | |||
which cross || cargo install cross | |||
cargo install cargo-license cargo-cyclonedx | |||
pip install "git+https://github.com/eclipse-kuksa/kuksa-common.git@6f3d7627760582d8ba83cc8a0f7449d00fffee84#subdirectory=sbom-tools" |
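Review bot: the `pip install` line pins sbom-tools to a kuksa-common commit hash, but `cargo install cargo-license cargo-cyclonedx` on the line above installs whatever the current crates.io release is, so the SBOM generator itself is unpinned and a new upstream release can change the generated artifact without any change to this repository. Pinning it the same way, e.g. `cargo install --locked cargo-cyclonedx --version <x.y.z>` (and likewise for cargo-license), would make the SBOM build reproducible like the pip line already is.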
Would it be a nice long-term ambition to publish "kuksa-sbom-tools" as a PyPI package?
Yes. Or at least tag it. But for now, it being an internal tool that might still change, I think using a hash is ok.
licensecuration.yaml (outdated)
expressions: | ||
# LLVM exception not relevant for the project, thus in situation | ||
# like this we choose to use vanilla Apache-2.0 terms | ||
"Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT": "Apache-2.0" |
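Review bot: the comment explains why the LLVM exception is dropped but not why Apache-2.0 rather than MIT is picked from the remaining OR alternatives; since each rule is keyed on one full SPDX expression string, a one-line statement of the preference rule in the file header (for example, "prefer Apache-2.0 whenever it is one of the alternatives") would let later entries, and whoever reviews them, apply the same choice consistently.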
@mikehaller - we discussed license curation some time ago; it could be interesting to check whether this curation file is considered by our internal scanning tools.
Actually this could also be expressed in ORT, see the .ort curations (not migrated) in the old repository: https://github.com/eclipse/kuksa.val/blob/master/.ort.yml
But I am not sure what you are trying to use internally. I remember that ORT somehow did not allow generic (if A OR B, always choose A) kinds of rules, but instead it needed to be added for every identified package.
Hmm, I stand corrected. It CAN express general rules. Anyway, as you see, there were a lot more "package specific" curations needed for some reason. But anyway, different topic maybe :D
General comments:
I believe this change will break https://github.com/boschglobal/kuksa-databroker/blob/feature/cyclonedx-sbom/.github/workflows/create_draft_release.yml. Hopefully not if we use the latest kuksa-action dash version. Anyway, it had better be tested. Adding @lukasmittag and @argerus as reviewers, so that they are aware of the upcoming change and can protest if needed.
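An added example (not code from this PR or from kuksa-common's sbom-tools) of how a curation map shaped like the licensecuration.yaml discussed above can be applied to a CycloneDX JSON SBOM while keeping an audit trail of what was rewritten; the sample SBOM, and the assumption that the YAML loads into a dict with a top-level "expressions" key, are constructed for this example.

```python
import json

# Constructed curation map in the shape of the PR's licensecuration.yaml
# (assumed here to have been loaded from YAML into a dict with an "expressions" key).
CURATION = {
    "expressions": {
        "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT": "Apache-2.0",
    }
}

# Constructed CycloneDX 1.4 JSON SBOM fragment: the first component carries the
# expression the PR curates, the second a different OR expression, the third a
# structured "license" object (single SPDX id) instead of an expression.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "wasi", "version": "0.11.0",
         "licenses": [{"expression": "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT"}]},
        {"name": "serde", "version": "1.0.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"name": "ring", "version": "0.17.0",
         "licenses": [{"license": {"id": "ISC"}}]},
    ],
}


def curate(sbom, curation):
    """Return (curated deep copy of sbom, list of (component, old, new)).

    Only free-form "expression" entries are rewritten; structured "license"
    objects already carry a single SPDX id and are left alone.  A rule matches
    one whitespace-normalised expression string exactly, so "MIT OR Apache-2.0"
    is not touched by a rule written for "Apache-2.0 OR MIT".  The returned
    change list is the audit trail a reviewer needs to check each curation.
    """
    rules = {" ".join(k.split()): v for k, v in curation.get("expressions", {}).items()}
    out = json.loads(json.dumps(sbom))  # deep copy; the input SBOM is not mutated
    changes = []
    for comp in out.get("components", []):
        for lic in comp.get("licenses", []):
            expr = lic.get("expression")
            if expr is None:
                continue
            key = " ".join(expr.split())
            if key in rules:
                lic["expression"] = rules[key]
                changes.append((comp["name"], expr, rules[key]))
    return out, changes
```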
3c4b189 to 571461e
5d5a207 to f47b340
Interesting. I only observed this with cross, thus I used the "which pattern" I found in the workflows here. I could use the same pattern for the other cargo tools, but a question: would we risk running with an "arbitrarily" old version for a long time, and once GitHub throws away the cache suddenly get a new one? Is there any way to always "upgrade" to a new stable version, if it exists? I think "--force" would always reinstall; that would work, but cost time...
As @argerus said, that is not the root cause, but it has been fixed meanwhile.
I got the impression that an error no longer shall be given upon reinstall based on the discussion in rust-lang/cargo#6727. When running cargo install locally I do not get any error when trying to install cargo-license even if it is already there
I did some more tests on the
References:
@erikbosch I just googled the same :D Will try. Still trying to move things....
66df0f4 to bd9d8f6
Moved all the scripts now, and (hopefully) fixed the cargo install issues. @erikbosch I also moved the prepare_release.sh script and tried to "blindly" fix it, so please take a look whether it is doing what you expect.
Create Draft Release works now
https://github.com/boschglobal/kuksa-databroker/actions/workflows/create_draft_release.yml
Thanks for testing @erikbosch, I will make some minor adjustments tomorrow, and maybe solve the target caching problem. I just think we really, really NEED correct(er), better standards-compliant SBOMs, even though this now feels like refactoring the whole build 🗡️ Well, as long as stuff gets better....
Signed-off-by: Sebastian Schildt <[email protected]>
bd9d8f6 to 6605ce3
Signed-off-by: Sebastian Schildt <[email protected]>
6605ce3 to a0323b7
LGTM
The release script works, tested at https://github.com/boschglobal/kuksa-databroker/releases
working-directory: ${{github.workspace}}/ | ||
working-directory: ${{github.workspace}} | ||
env: | ||
KUKSA_DATABROKER_FEATURES: databroker/viss,databroker/tls |
Is there any particular reason for specifying features using databroker/viss and databroker/tls instead of the more common short form viss and tls?
# Check if a certain feature set was requested | ||
if [ -z "$KUKSA_DATABROKERCLI_FEATURES" ]; then |
I think it's more consistent to use *_DATABROKER_CLI_* as the environment variable prefix, as the name is databroker-cli and not databrokercli.
if [ -z "$KUKSA_DATABROKERCLI_FEATURES" ]; then | |
if [ -z "$KUKSA_DATABROKER_CLI_FEATURES" ]; then |
cargo install cargo-license cargo-cyclonedx | ||
pip install "git+https://github.com/eclipse-kuksa/kuksa-common.git@6f3d7627760582d8ba83cc8a0f7449d00fffee84#subdirectory=sbom-tools" | ||
- name: Build | ||
working-directory: ${{github.workspace}}/ | ||
env: | ||
KUKSA_DATABROKERCLI_SBOM: y | ||
run: | | ||
./build-databroker-cli.sh ${{ matrix.platform.name }} |
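Review bot: `${{ matrix.platform.name }}` is expanded by the workflow engine straight into the `run:` shell line; since matrix values are declared in the workflow file this is not attacker-controlled here, but passing it through `env:` next to `KUKSA_DATABROKERCLI_SBOM` (for example an assumed `PLATFORM: ${{ matrix.platform.name }}`) and reading `"$PLATFORM"` in the script keeps one pattern for every input to build-databroker-cli.sh and is the form generally recommended for expressions inside run steps.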
I would appreciate it if this could be merged now. This is quite large now, and the thing we NEED is SBOMs. Nothing against optimising it further (maybe make tickets), but we should move forward so I (or someone) don't need to port over all this stuff again in some weeks.
Good enough, let's follow up in other PRs if needed.
Any objections to merging @argerus? @SebastianSchildt - I approved, but I believe you have to make sure that John approves or alternatively that you dismiss his review to be able to merge.
> I would appreciate it if this could be merged now. This is quite large now, and the thing we NEED is SBOMs.
> Nothing against optimising it further (maybe make tickets), but we should move forward so I (or someone) don't need to port over all this stuff again in some weeks.
Sure. But, as I understand it, we already generate a Software Bill Of Materials. This is a different (more correct?) way of doing it.
But it makes the compilation step take ~2x longer (?) which I think is not warranted. That should be restored in a different PR then I guess.
Ported and improved version of eclipse/kuksa.val#756
Main change in generated artifacts:
Creates and includes a CycloneDX Software Bill of Materials (SBOM) for the databroker. This helps with compliance when using kuksa in a commercial context, and CycloneDX is generally also one of the accepted formats fulfilling EU CRA SBOM requirements.
"Collateral improvements"