Dear Apache Geode Community,
I'd like to share our detailed implementation proposal for GEODE-10481
(SBOM generation) and gather community feedback before moving forward with
development.
Quick Context:
We're proposing to add automated Software Bill of Materials (SBOM)
generation to Apache Geode 2.0 to enhance supply chain security and meet
enterprise compliance requirements.
Key Technical Decisions for Review:
1. Tool Choice: CycloneDX over SPDX
- CycloneDX Gradle Plugin v3.0+ offers superior multi-module support
- Better suited for our 30+ module architecture
- Can export to SPDX format when needed
- Question: Any concerns about format choice or experience with
alternatives?
2. CI/CD Strategy: GitHub Actions Focus
- New workflows for SBOM generation and security scanning
- Integration with existing build pipeline
- Question: Should we maintain Concourse compatibility or focus on
GitHub Actions migration?
3. Multi-Module Approach
- Per-module SBOM generation with aggregated distribution SBOM
- Covers all artifact types: JARs, TGZ distributions, Docker images
- Question: Any specific modules or artifacts we should
prioritize/exclude?
Areas Where We'd Especially Value Input:
- Build System Impact: Have you experienced issues with similar Gradle
plugins?
- Security Tooling: Preferences for vulnerability scanning tools (Grype,
Trivy, etc.)?
- Enterprise Requirements: Any specific SBOM format or compliance needs
we should consider?
- Release Process: Concerns about integrating SBOM generation into
existing release workflows
Full Proposal & Implementation Details:
Please review the complete proposal in PR #7933:
https://github.com/apache/geode/pull/7933
Next Steps:
- Community review
- Please provide feedback directly on the PR for centralized discussion
and easier collaboration
- Waiting to align on the proposal before starting implementation
Please take a look at the proposal and share your thoughts, concerns, or
suggestions on PR #7933. Your input will help ensure this enhancement
serves the community's needs effectively.
Thanks for your time and collaboration!
Best regards,
Sai Boorlagadda
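The "per-module SBOM generation with aggregated distribution SBOM" step from item 3 above, as an added example that is not code from the proposal, PR #7933 or the Geode project: two constructed per-module CycloneDX JSON documents are merged by package URL (purl), each component is tagged with the module(s) it came from, and a component that appears under the same purl with different hashes in two modules is reported as a conflict instead of being silently collapsed. The module names, the `geode:module` property name and the sample components are assumptions made up for the illustration.

```python
"""Merge per-module CycloneDX JSON SBOMs into one distribution SBOM.

Added example, not Apache Geode project code. Module names, the
'geode:module' property name and the sample components are constructed
for illustration only.
"""
import json
import sys
import uuid


def _hashes(component):
    """Set of (algorithm, digest) pairs a component declares."""
    return frozenset((h["alg"], h["content"]) for h in component.get("hashes", []))


def merge_sboms(module_sboms, dist_name, dist_version):
    """Return (aggregate_sbom, conflicts).

    Components are deduplicated by purl and tagged with the module(s) they
    came from. conflicts maps a purl to the modules that declared different
    hashes for it: the same coordinates resolved to different bytes in two
    modules, which the aggregate must surface rather than collapse.
    """
    merged, origins, hashes_by_purl, dependencies = {}, {}, {}, []

    for module, sbom in module_sboms.items():
        module_ref = f"module:{module}"
        module_deps = []
        for comp in sbom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                # No purl means nothing stable to dedupe on; keep the entry
                # under a module-scoped ref so it is not silently dropped.
                purl = f"{module_ref}/{comp.get('name')}@{comp.get('version')}"
            hashes_by_purl.setdefault(purl, {})[module] = _hashes(comp)
            if purl not in merged:
                merged[purl] = {**comp, "bom-ref": purl}
                origins[purl] = []
            origins[purl].append(module)
            module_deps.append(purl)
        dependencies.append({"ref": module_ref, "dependsOn": sorted(module_deps)})

    conflicts = {
        purl: sorted(per_module)
        for purl, per_module in hashes_by_purl.items()
        if len({h for h in per_module.values() if h}) > 1
    }

    for purl, entry in merged.items():
        # CycloneDX `properties` are name/value pairs; the name is assumed.
        entry["properties"] = [{"name": "geode:module", "value": m} for m in origins[purl]]

    root_ref = f"dist:{dist_name}"
    aggregate = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": root_ref,
                                   "name": dist_name, "version": dist_version}},
        "components": [merged[p] for p in sorted(merged)],
        "dependencies": [{"ref": root_ref,
                          "dependsOn": sorted(f"module:{m}" for m in module_sboms)}]
                        + dependencies,
    }
    return aggregate, conflicts


def release_gate_passes(conflicts):
    """A release step should refuse to publish an aggregate with hash conflicts."""
    return not conflicts


def _comp(group, name, version, digest):
    """Build a minimal CycloneDX library component with one SHA-256 hash."""
    return {"type": "library", "group": group, "name": name, "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}",
            "hashes": [{"alg": "SHA-256", "content": digest}]}


MODULE_SBOMS = {  # constructed per-module SBOMs, trimmed to the fields used here
    "geode-core": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            _comp("org.apache.logging.log4j", "log4j-api", "2.17.1", "aa" * 32),
            _comp("commons-io", "commons-io", "2.11.0", "bb" * 32),
        ],
    },
    "geode-cq": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            _comp("org.apache.logging.log4j", "log4j-api", "2.17.1", "aa" * 32),
            _comp("commons-io", "commons-io", "2.11.0", "cc" * 32),  # same purl, different bytes
            _comp("com.fasterxml.jackson.core", "jackson-databind", "2.15.2", "dd" * 32),
        ],
    },
}

if __name__ == "__main__":
    aggregate, conflicts = merge_sboms(MODULE_SBOMS, "apache-geode", "2.0.0")
    print(json.dumps(aggregate, indent=2))
    for purl, modules in conflicts.items():
        print(f"hash conflict for {purl} across {modules}", file=sys.stderr)
    sys.exit(0 if release_gate_passes(conflicts) else 1)
```

Run stand-alone it prints the aggregate SBOM and exits non-zero because the constructed `commons-io` entry carries a different digest in the two modules. In a CI job the per-module documents would come from the plugin's output directory rather than an inline dict, and the non-zero exit is what keeps a release workflow from publishing an aggregate whose component list is not actually the set of bytes shipped in the distribution.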