I'll do that later and pass to one week.

Thanks

On Wed, 25 Jan 2023, 12:01 Otavio Rodolfo Piske <angusyo...@gmail.com> wrote:

> Hello,
>
> Thanks! Yeah, I think updating it weekly should help!
>
> Obs.: The problem with these commits is that they increase the time to run
> bisect. So, sometimes when bisecting, my build machines waste several
> minutes (sometimes hours) building Camel because those commits get in the
> way of the bisect path. But, I think it's a separate discussion and
> something we can improve in the future.
>
> Kind regards
>
> On Wed, Jan 25, 2023 at 11:51 AM Andrea Cosentino <anco...@gmail.com>
> wrote:
>
> > If you don't use the sbom profile this won't be generated and won't be
> > updated
> >
> > On Wed, 25 Jan 2023, 11:44 Andrea Cosentino <anco...@gmail.com> wrote:
> >
> > > There is an action running every night. We could for example run it
> > > once a week.
> > >
> > > The only way to enable the generation is through a profile. Sometimes I
> > > do it myself, but in general it should be only the action.
> > >
> > > This kind of information should be tracked regularly, only at release
> > > time makes probably less sense.
> > >
> > > I fixed a bunch of deps based on some feedback I have from the sbom.
> > >
> > > We can use a time frame a bit bigger, like once a week and avoid
> > > committing when checking locally. I don't think it would be a problem
> > > for bisecting. Only camel-sbom folder is affected from the updates...
> > >
> > > I can put once a week if it's better
> > >
> > > On Wed, 25 Jan 2023, 11:38 Otavio Rodolfo Piske <angusyo...@gmail.com>
> > > wrote:
> > >
> > >> Thanks Andrea, this looks really good.
> > >>
> > >> My only comment / concern is regarding how we are generating it.
> > >>
> > >> Would it be possible/feasible to generate this only as part of the
> > >> release process? Or, optionally, by manually invoking a plugin? One
> > >> concern that I have is that we are currently generating it whenever we
> > >> update the dependencies and then committing it.
> > >>
> > >> This generates a lot of bogus commits of which - IMHO - we already have
> > >> too many. This is becoming a problem to automate bisecting and back
> > >> trace problems (but that's a separate discussion).
> > >>
> > >> What do you think?
> > >>
> > >> Kind regards
> > >>
> > >> On Thu, Jan 19, 2023 at 12:46 PM Andrea Cosentino <anco...@gmail.com>
> > >> wrote:
> > >>
> > >> > Hello,
> > >> >
> > >> > Essentially it is enough to run a maven install.
> > >> >
> > >> > mvn install -DskipTests -Psbom
> > >> >
> > >> > The aggregate sbom will be in target folder at root level.
> > >> >
> > >> > We could tune it and find a way to automatize this, for example
> > >> > through a gh action.
> > >> >
> > >> > On Thu, 19 Jan 2023 at 12:43, Claus Ibsen <claus.ib...@gmail.com>
> > >> > wrote:
> > >> >
> > >> > > Hi Andrea
> > >> > >
> > >> > > How do you generate the sbom file? What command do you run from the
> > >> > > root folder of Camel source code?
> > >> > > And should we have this documented somewhere.
> > >> > >
> > >> > > On Thu, Jan 19, 2023 at 11:42 AM Andrea Cosentino <anco...@gmail.com>
> > >> > > wrote:
> > >> > >
> > >> > > > Hello,
> > >> > > >
> > >> > > > Moving to Camel 4.x I think it's time to have a look at SBOM
> > >> > > > generation and so on.
> > >> > > >
> > >> > > > I added a profile named sbom to the root POM.
> > >> > > >
> > >> > > > It will generate two files in the target folder camel-sbom.json
> > >> > > > and camel-sbom.xml.
> > >> > > >
> > >> > > > For the moment I choose to copy them in camel-sbom folder
> > >> > > > manually, so we can do the generation time-based (like once a
> > >> > > > week or something like that).
> > >> > > >
> > >> > > > These SBOM files could be used to check if we are healthy or not
> > >> > > > in terms of dependencies used.
> > >> > > >
> > >> > > > I think we should try to use this kind of information as
> > >> > > > standard, there are multiple tools we could use to leverage the
> > >> > > > SBOM generation.
> > >> > > >
> > >> > > > For any questions let's discuss here :-)
> > >> > > >
> > >> > > > Thanks.
> > >> > > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > Claus Ibsen
> > >> > > -----------------
> > >> > > @davsclaus
> > >> > > Camel in Action 2: https://www.manning.com/ibsen2
> > >> > >
> > >> >
> > >>
> > >>
> > >> --
> > >> Otavio R. Piske
> > >> http://orpiske.net
> > >>
> > >
> >
>
>
> --
> Otavio R. Piske
> http://orpiske.net
>
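
An added example, not part of the original thread or the Camel project's code: one way a scheduled job could compare the freshly generated `camel-sbom.json` with the committed copy and commit only when the dependency set really changed, which also surfaces libraries present in more than one version. It assumes the file follows the CycloneDX JSON layout (a top-level `components` array with `group`, `name`, `version`), which the thread does not state; the function names and sample data are constructed.

```python
def index_components(bom: dict) -> dict:
    """Map 'group:name' -> set of versions found in the BOM's component list."""
    out = {}
    for comp in bom.get("components", []):
        key = ":".join(p for p in (comp.get("group"), comp.get("name")) if p)
        out.setdefault(key, set()).add(comp.get("version", ""))
    return out

def diff_sboms(old: dict, new: dict) -> dict:
    """Compare components only; timestamp/serial fields differ on every run."""
    a, b = index_components(old), index_components(new)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": {k: (sorted(a[k]), sorted(b[k]))
                    for k in sorted(a.keys() & b.keys()) if a[k] != b[k]},
        # Same library resolved in several versions: a dependency-health signal.
        "multi_version": sorted(k for k, v in b.items() if len(v) > 1),
    }

def has_changes(old: dict, new: dict) -> bool:
    """True only if a commit would record a real dependency change."""
    d = diff_sboms(old, new)
    return bool(d["added"] or d["removed"] or d["changed"])

# Constructed sample BOMs (assumed CycloneDX shape, fictional coordinates).
OLD = {"serialNumber": "urn:uuid:constructed-1",
       "metadata": {"timestamp": "2023-01-18T00:00:00Z"},
       "components": [
           {"group": "org.example", "name": "lib-a", "version": "1.0.0"},
           {"group": "org.example", "name": "lib-b", "version": "2.1.0"},
           {"group": "org.example", "name": "lib-c", "version": "0.9"}]}
NEW = {"serialNumber": "urn:uuid:constructed-2",
       "metadata": {"timestamp": "2023-01-25T00:00:00Z"},
       "components": [
           {"group": "org.example", "name": "lib-a", "version": "1.0.1"},
           {"group": "org.example", "name": "lib-b", "version": "2.1.0"},
           {"group": "org.example", "name": "lib-d", "version": "3.0"},
           {"group": "org.example", "name": "lib-d", "version": "3.1"}]}
# Regenerated with no dependency change: only metadata differs.
SAME = dict(OLD, serialNumber="urn:uuid:constructed-3",
            metadata={"timestamp": "2023-01-25T00:00:00Z"})

if __name__ == "__main__":
    print(diff_sboms(OLD, NEW))
    print("commit needed:", has_changes(OLD, SAME))
```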