Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

2024-06-05 Thread via GitHub 


anshumg commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-2149114633

   Thanks @HoustonPutman . I think this would be a good first step considering 
we've been stuck with this for a while.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

2024-06-04 Thread via GitHub 


HoustonPutman commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-2148364812

   Ok, so I've changed this to create and SBOM for each of our maven artifacts, 
and they are included in what will be uploaded to maven central.
   
   So far there is no solr-wide sbom (for either the full tgz or the slim tgz), 
but that is kind of a nightmare to do with the cyclonedx gradle plugin. It 
would be much easier if we could use [syft](https://github.com/anchore/syft) to 
generate an sbom from the resulting tgz(s). But maybe this is a problem to 
solve later and we take the first win?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

2024-04-29 Thread via GitHub 


janhoy commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-2083639846

   I'm positive to including this as a first step and then proceeding with 
publishing SBOM as a release artifact as proposed.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

2024-04-01 Thread via GitHub 


github-actions[bot] commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-2030817225

   This PR had no visible activity in the past 60 days, labeling it as stale. 
Any new activity will remove the stale label. To attract more reviewers, please 
tag someone or notify the d...@solr.apache.org mailing list. Thank you for your 
contribution!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

2024-02-01 Thread via GitHub 


ErnestoLeon87 commented on code in PR #1203:
URL: https://github.com/apache/solr/pull/1203#discussion_r1474943561


##
gradle/validation/cyclonedx-bom.gradle:
##
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This adds CycloneDX BOM generation of project dependencies
+
+// If -Pvalidation.cyclonedx-bom=true is set the CycloneDX BOM generation will 
also run as part of the check task.
+
+configure(rootProject) {
+  cyclonedxBom {
+includeConfigs = ["runtimeClasspath"]
+skipConfigs = ["compileClasspath", "testCompileClasspath"]
+projectType = "application"
+schemaVersion = "1.4"
+destination = file("build/reports")
+outputName = "cyclonedx-bom"
+outputFormat = "all"
+includeBomSerialNumber = true
+  }
+
+  // Unless explicitly enabled, do not attach owasp to check. It has a large 
download

Review Comment:
   It helps you to build a bom.xml/json file so you can evaluate that file 
later on Sonatype Lifecycle and see your app vulnerabilities. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

2024-01-17 Thread via GitHub 


dsmiley commented on code in PR #1203:
URL: https://github.com/apache/solr/pull/1203#discussion_r1456564684


##
gradle/validation/cyclonedx-bom.gradle:
##
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This adds CycloneDX BOM generation of project dependencies
+
+// If -Pvalidation.cyclonedx-bom=true is set the CycloneDX BOM generation will 
also run as part of the check task.
+
+configure(rootProject) {
+  cyclonedxBom {
+includeConfigs = ["runtimeClasspath"]
+skipConfigs = ["compileClasspath", "testCompileClasspath"]
+projectType = "application"
+schemaVersion = "1.4"
+destination = file("build/reports")
+outputName = "cyclonedx-bom"
+outputFormat = "all"
+includeBomSerialNumber = true
+  }
+
+  // Unless explicitly enabled, do not attach owasp to check. It has a large 
download

Review Comment:
   What does CycloneDX have to do with OWASP?  What checking/verification does 
`cyclonedxBom` do?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Re: [PR] SOLR-16796: introduce org.cyclonedx.bom gradle plugin [solr]

2024-01-15 Thread via GitHub 


raboof commented on PR #1203:
URL: https://github.com/apache/solr/pull/1203#issuecomment-1892358239

   > We should create a JIRA for this btw.
   
   Created https://issues.apache.org/jira/browse/SOLR-16796
   
   There's probably more to improve from here, such as:
   * Generating SBOMs 'per artifact' rather than one big one for all of Solr?
   * Publishing nightly boms to https://security-tools-ec2-va.apache.org/
   * Publishing the SBOM as a release artifact
   
   .. but this might already be a nice start.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org