Hello, Thanks! Yeah, I think updating it weekly should help!

Obs.: The problem with these commits is that they increase the time to run bisect. So, sometimes when bisecting, my build machines waste several minutes (sometimes hours) building Camel because those commits get in the way of the bisect path.

But, I think it's a separate discussion and something we can improve in the future.

Kind regards

On Wed, Jan 25, 2023 at 11:51 AM Andrea Cosentino <anco...@gmail.com> wrote:

> If you don't use the sbom profile this won't be generated and won't be updated
>
> On Wed, Jan 25, 2023, 11:44 Andrea Cosentino <anco...@gmail.com> wrote:
>
> > There is an action running every night. We could for example run it once a week.
> >
> > The only way to enable the generation is through a profile. Sometimes I do it myself, but in general it should be only the action.
> >
> > This kind of information should be tracked regularly, only at release time makes probably less sense.
> >
> > I fixed a bunch of deps based on some feedback I have from the sbom.
> >
> > We can use a time frame a bit bigger, like once a week and avoid committing when checking locally. I don't think it would be a problem for bisecting. Only camel-sbom folder is affected by the updates...
> >
> > I can put once a week if it's better
> >
> > On Wed, Jan 25, 2023, 11:38 Otavio Rodolfo Piske <angusyo...@gmail.com> wrote:
> >
> >> Thanks Andrea, this looks really good.
> >>
> >> My only comment / concern is regarding how we are generating it.
> >>
> >> Would it be possible/feasible to generate this only as part of the release process? Or, optionally, by manually invoking a plugin? One concern that I have is that we are currently generating it whenever we update the dependencies and then committing it.
> >>
> >> This generates a lot of bogus commits of which - IMHO - we already have too many. This is becoming a problem to automate bisecting and back trace problems (but that's a separate discussion).
> >>
> >> What do you think?
> >>
> >> Kind regards
> >>
> >> On Thu, Jan 19, 2023 at 12:46 PM Andrea Cosentino <anco...@gmail.com> wrote:
> >>
> >> > Hello,
> >> >
> >> > Essentially it is enough to run a maven install.
> >> >
> >> > mvn install -DskipTests -Psbom
> >> >
> >> > The aggregate sbom will be in target folder at root level.
> >> >
> >> > We could tune it and find a way to automatize this, for example through a gh action.
> >> >
> >> > On Thu, Jan 19, 2023 at 12:43 Claus Ibsen <claus.ib...@gmail.com> wrote:
> >> >
> >> > > Hi Andrea
> >> > >
> >> > > How do you generate the sbom file? What command do you run from the root folder of Camel source code?
> >> > > And should we have this documented somewhere?
> >> > >
> >> > > On Thu, Jan 19, 2023 at 11:42 AM Andrea Cosentino <anco...@gmail.com> wrote:
> >> > >
> >> > > > Hello,
> >> > > >
> >> > > > Moving to Camel 4.x I think it's time to have a look at SBOM generation and so on.
> >> > > >
> >> > > > I added a profile named sbom to the root POM.
> >> > > >
> >> > > > It will generate two files in the target folder camel-sbom.json and camel-sbom.xml.
> >> > > >
> >> > > > For the moment I choose to copy them in camel-sbom folder manually, so we can do the generation time-based (like once a week or something like that).
> >> > > >
> >> > > > These SBOM files could be used to check if we are healthy or not in terms of dependencies used.
> >> > > >
> >> > > > I think we should try to use this kind of information as standard, there are multiple tools we could use to leverage the SBOM generation.
> >> > > >
> >> > > > For any questions let's discuss here :-)
> >> > > >
> >> > > > Thanks.
> >> > > >
> >> > >
> >> > > --
> >> > > Claus Ibsen
> >> > > -----------------
> >> > > @davsclaus
> >> > > Camel in Action 2: https://www.manning.com/ibsen2
> >> > >
> >> >
> >>
> >> --
> >> Otavio R. Piske
> >> http://orpiske.net
> >>
> >
>

--
Otavio R. Piske
http://orpiske.net