If you don't use the sbom profile this won't be generated and won't be updated.

On Wed, 25 Jan 2023, 11:44 Andrea Cosentino <anco...@gmail.com> wrote:

> There is an action running every night. We could for example run it once a week.
>
> The only way to enable the generation is through a profile. Sometimes I do it myself, but in general it should be only the action.
>
> This kind of information should be tracked regularly; only at release time probably makes less sense.
>
> I fixed a bunch of deps based on some feedback I have from the sbom.
>
> We can use a time frame a bit bigger, like once a week, and avoid committing when checking locally. I don't think it would be a problem for bisecting. Only the camel-sbom folder is affected by the updates...
>
> I can put once a week if it's better.
>
> On Wed, 25 Jan 2023, 11:38 Otavio Rodolfo Piske <angusyo...@gmail.com> wrote:
>
>> Thanks Andrea, this looks really good.
>>
>> My only comment / concern is regarding how we are generating it.
>>
>> Would it be possible/feasible to generate this only as part of the release process? Or, optionally, by manually invoking a plugin? One concern that I have is that we are currently generating it whenever we update the dependencies and then committing it.
>>
>> This generates a lot of bogus commits of which - IMHO - we already have too many. This is becoming a problem to automate bisecting and back trace problems (but that's a separate discussion).
>>
>> What do you think?
>>
>> Kind regards
>>
>> On Thu, Jan 19, 2023 at 12:46 PM Andrea Cosentino <anco...@gmail.com> wrote:
>>
>> > Hello,
>> >
>> > Essentially it is enough to run a maven install.
>> >
>> > mvn install -DskipTests -Psbom
>> >
>> > The aggregate sbom will be in the target folder at root level.
>> >
>> > We could tune it and find a way to automatize this, for example through a gh action.
>> >
>> > On Thu, 19 Jan 2023 at 12:43 Claus Ibsen <claus.ib...@gmail.com> wrote:
>> >
>> > > Hi Andrea
>> > >
>> > > How do you generate the sbom file? What command do you run from the root folder of Camel source code?
>> > > And should we have this documented somewhere?
>> > >
>> > > On Thu, Jan 19, 2023 at 11:42 AM Andrea Cosentino <anco...@gmail.com> wrote:
>> > >
>> > > > Hello,
>> > > >
>> > > > Moving to Camel 4.x I think it's time to have a look at SBOM generation and so on.
>> > > >
>> > > > I added a profile named sbom to the root POM.
>> > > >
>> > > > It will generate two files in the target folder: camel-sbom.json and camel-sbom.xml.
>> > > >
>> > > > For the moment I chose to copy them into the camel-sbom folder manually, so we can do the generation time-based (like once a week or something like that).
>> > > >
>> > > > These SBOM files could be used to check if we are healthy or not in terms of dependencies used.
>> > > >
>> > > > I think we should try to use this kind of information as standard; there are multiple tools we could use to leverage the SBOM generation.
>> > > >
>> > > > For any questions let's discuss here :-)
>> > > >
>> > > > Thanks.
>> > > >
>> > >
>> > > --
>> > > Claus Ibsen
>> > > -----------------
>> > > @davsclaus
>> > > Camel in Action 2: https://www.manning.com/ibsen2
>> >
>>
>> --
>> Otavio R. Piske
>> http://orpiske.net
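
A scheduled GitHub Actions workflow of the kind discussed in the thread (weekly run of the sbom profile, copy into the camel-sbom folder, commit only when something changed), as an added example that is not part of this thread or of the Camel project's own CI configuration. The workflow file name, the Java version, the action tags and the commit message are assumptions; the mvn command and the file names are the ones given in the thread.

```yaml
# Added example, not the Camel project's own workflow.
# Regenerates the aggregate SBOM once a week with the sbom profile and
# commits only the camel-sbom folder, and only when its content changed.
# Assumed: file name .github/workflows/sbom.yml, Java 17, action tags.
name: Weekly SBOM

on:
  schedule:
    - cron: '0 3 * * 1'   # Mondays 03:00 UTC: weekly, as proposed in the thread
  workflow_dispatch:       # allow a manual run, e.g. before a release

permissions:
  contents: write          # the job pushes the refreshed SBOM files

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'   # assumption: Camel 4.x builds on Java 17
          cache: maven

      # The command from the thread. The sbom profile is the only thing that
      # enables generation, so a plain local build never touches these files.
      - name: Generate aggregate SBOM
        run: mvn -B install -DskipTests -Psbom

      # The aggregate SBOM lands in the root target folder; copy it into the
      # tracked camel-sbom folder, which is the only folder the job updates.
      - name: Copy SBOM into the tracked folder
        run: |
          mkdir -p camel-sbom
          cp target/camel-sbom.json target/camel-sbom.xml camel-sbom/

      # Stage camel-sbom only (so nothing else from the build is committed)
      # and stop if the staged content is identical to HEAD, so the workflow
      # never produces an empty "bogus" commit.
      - name: Commit if changed
        run: |
          git add camel-sbom
          if git diff --cached --quiet; then
            echo "SBOM unchanged, nothing to commit"
            exit 0
          fi
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -m "Regenerate aggregate SBOM"
          git push
```

Because only `camel-sbom` is staged, a developer who runs the profile locally only gets files under `target/` and has nothing to commit unless they copy them over by hand, which matches the "avoid committing when checking locally" point above. For a workflow that pushes to the repository it is worth pinning the `uses:` references to full commit SHAs rather than floating tags, so that the job generating the supply-chain inventory is not itself exposed to a replaced action.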