Add manufacturer information to SBOM metadata #582
0a491c6 to 7ee148c
I would rather reuse what is already there in the POM file, e.g.:

```xml
<organization>
  <name>The Apache Software Foundation</name>
  <url>https://apache.org</url>
</organization>
<developers>
  <developer>
    <name>Apache Logging Services Security Team</name>
    <email>[email protected]</email>
    <url>https://logging.apache.org/security.html</url>
    <roles>
      <role>security_contact</role>
    </roles>
    <properties>
      <postalAddress>
        The Apache Software Foundation
        1000 N West Street, Suite 1200
        Wilmington, DE 19801
        U.S.A.
      </postalAddress>
    </properties>
  </developer>
</developers>
```

The Developers section is there to provide a contact with the developers.
The I can rewrite this PR with usage of the

```java
OrganizationalEntity manufacturer = mojo.createManufacturer(null, null);
assertNotNull(manufacturer);
```
Should this be `null` if there is no data?
Security check if you have a very minimal POM file without anything. It could be removed, since checks are in place before calling the tested function, but I didn't see any unit testing at all for the BaseCycloneDxMojo, only some testing with POM files running with the super classes. Writing a unit test for the execute() function will take a lot of time.
```java
if (organization != null || (developers != null && !developers.isEmpty())) {
    metadata.setManufacturer(createManufacturer(organization, developers));
}
```
```java
public static void setParentParameter(Object cc, String fieldName, Object value)
        throws NoSuchFieldException, IllegalAccessException {
    Field field = cc.getClass().getSuperclass().getDeclaredField(fieldName);
    field.setAccessible(true);
    field.set(cc, value);
}
```
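Review bot: `setParentParameter` is dead test code that should be dropped rather than kept around: it reaches into a private field of the direct superclass via `getDeclaredField` plus `setAccessible(true)`, which ties the test to the exact class hierarchy (it breaks as soon as the field moves up or down one level) and relies on reflective access that the Java module system may refuse. Since the manufacturer is now populated through `createManufacturer(organization, developers)` and no longer through a private field, remove the helper and the `java.lang.reflect.Field` import that only it needs.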
Is this used anywhere?
Sorry, I forgot to remove it from the first PR; it is not used any more. It was used to set the private variable `manufacturer` before.
With the example given by @ppkarwasz, the output will be:

```json
{
  "metadata" : {
    "authors" : [
      {
        "name" : "Apache Logging Services Security Team",
        "email" : "[email protected]"
      }
    ],
    "manufacturer" : {
      "name" : "The Apache Software Foundation",
      "url" : [
        "https://apache.org",
        "https://logging.apache.org/security.html"
      ],
      "contact" : [
        {
          "name" : "Apache Logging Services Security Team",
          "email" : "[email protected]"
        }
      ]
    }
  }
}
```

Parsing a property field with a postal address into ZIP code, street address, city, country etc. is very complicated to make work with over 100 countries that have different ways of writing postal information. The section
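To make the POM-to-manufacturer mapping discussed above concrete, here is an added example in Python (not code from cyclonedx-maven-plugin or from anyone in this thread) that reads the `<organization>` and `<developers>` sections of a POM and builds the `metadata.manufacturer` object with the same shape as the JSON output quoted above. It also implements the guard that the reviewers asked about: with neither organization nor developers present, no manufacturer is produced at all. The optional `include_roles` filter, the sample POM and the e-mail addresses are my own constructed assumptions for illustration; the second developer is only there to show the role filter working.

```python
"""Map Maven POM <organization>/<developers> to CycloneDX metadata.manufacturer.

Added example, not part of cyclonedx-maven-plugin. Field names follow the
CycloneDX 1.6 OrganizationalEntity / OrganizationalContact JSON shape.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample POM, modelled on the snippet quoted in the discussion.
# Addresses are placeholders, not real contact data.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <organization>
    <name>The Apache Software Foundation</name>
    <url>https://apache.org</url>
  </organization>
  <developers>
    <developer>
      <name>Apache Logging Services Security Team</name>
      <email>[email protected]</email>
      <url>https://logging.apache.org/security.html</url>
      <roles><role>security_contact</role></roles>
    </developer>
    <developer>
      <name>Example Developer</name>
      <email>[email protected]</email>
      <roles><role>developer</role></roles>
    </developer>
  </developers>
</project>"""


def _text(elem, tag):
    """Return the stripped text of a namespaced child element, or None."""
    child = elem.find(f"{{{POM_NS}}}{tag}")
    return child.text.strip() if child is not None and child.text else None


def parse_pom(pom_xml):
    """Extract (organization, developers) from a POM string.

    organization is a dict with name/url or None; developers is a list of
    dicts with name/email/url/roles (roles as a list of strings).
    """
    root = ET.fromstring(pom_xml)
    org_elem = root.find(f"{{{POM_NS}}}organization")
    organization = None
    if org_elem is not None:
        organization = {"name": _text(org_elem, "name"), "url": _text(org_elem, "url")}
    developers = []
    for dev in root.iterfind(f"{{{POM_NS}}}developers/{{{POM_NS}}}developer"):
        roles = [r.text.strip() for r in dev.iterfind(f"{{{POM_NS}}}roles/{{{POM_NS}}}role")
                 if r.text]
        developers.append({"name": _text(dev, "name"), "email": _text(dev, "email"),
                           "url": _text(dev, "url"), "roles": roles})
    return organization, developers


def create_manufacturer(organization, developers, include_roles=None):
    """Build the OrganizationalEntity dict, or None when the POM carries no data.

    include_roles (hypothetical option) keeps only developers having at least
    one of the given roles, so a large contributor list does not become noise.
    """
    if organization is None and not developers:
        return None  # nothing to report: caller must leave manufacturer unset
    if include_roles is not None:
        wanted = set(include_roles)
        developers = [d for d in developers if wanted & set(d["roles"])]
    manufacturer = {}
    if organization and organization.get("name"):
        manufacturer["name"] = organization["name"]
    urls = [organization["url"]] if organization and organization.get("url") else []
    contacts = []
    for dev in developers:
        if dev.get("url") and dev["url"] not in urls:
            urls.append(dev["url"])
        contact = {key: dev[key] for key in ("name", "email") if dev.get(key)}
        if contact:
            contacts.append(contact)
    if urls:
        manufacturer["url"] = urls
    if contacts:
        manufacturer["contact"] = contacts
    return manufacturer or None


def build_metadata(pom_xml, include_roles=None):
    """Return the SBOM 'metadata' fragment, omitting manufacturer when empty."""
    organization, developers = parse_pom(pom_xml)
    metadata = {}
    manufacturer = create_manufacturer(organization, developers, include_roles)
    if manufacturer is not None:
        metadata["manufacturer"] = manufacturer
    return {"metadata": metadata}


if __name__ == "__main__":
    import json
    print(json.dumps(build_metadata(SAMPLE_POM, include_roles=["security_contact"]), indent=2))
```

Running the script prints the manufacturer block with the Apache organization, both URLs and only the security-team contact; calling `build_metadata` on a POM with neither section yields `{"metadata": {}}`, which is the behaviour the `organization != null || !developers.isEmpty()` guard above is meant to guarantee.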
From the code update, I see now that we have both manufacturer (https://cyclonedx.org/docs/1.6/json/#metadata_manufacturer) but no documentation any more: I'd like to have a page on this, like https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html
Reading the CycloneDX doc for manufacturer and authors, and thinking about real-world content for developers in POMs, where there is a description of many individuals and not always an accurate one, perhaps we should avoid the authors part: I fear this will just add noise in the real world.
This is how we discovered that all the effective
Maybe this will give developers an opportunity to clean up their POMs. For projects that are not maintained by a single person, it doesn't make sense to add anything else than a link to the maintainer team in Projects with hundreds of contributors and dozens of past maintainers should probably add a single long-term contact information to the
I see you are well opinionated on how to fill I like your proposal on another key finding:

Example output:

```json
{
  "metadata" : {
    "component" : {
      "type" : "library",
      ...
      "manufacturer" : {
        "name" : "The Apache Software Foundation",
        "url" : [
          "https://apache.org",
          "https://logging.apache.org/security.html"
        ],
        "contact" : [
          {
            "name" : "Apache Logging Services Security Team",
            "email" : "[email protected]"
          }
        ]
      },
      ...
    }
  }
}
```
Signed-off-by: Björn Kornefalk <[email protected]>
29e3c2e to 2c48356
One option with the

```xml
<configuration>
  <includeRoles>Security Team</includeRoles>
</configuration>
```

And implement it as a
Given that https://cyclonedx.org/docs/1.6/json/#metadata_manufacturer says "The organization that created the BOM.", the more I think about it, the more I feel extracting data from pom.xml is going the wrong route in terms of semantics: pom.xml is the project that maintains the code; they may not be the people running the plugin to generate the BOM, which is what BOM manufacturer is about. Not extracting data from pom.xml by default is safer: people invoking through the CLI can configure with but all the data extraction from pom.xml and customization of role is complexity targeted to the wrong people. @ppkarwasz @kornefalk WDYT?
Yes, it seems that
The major problem for me is an upcoming new law within the European Union (EU). The proposal is that all software must be shipped together with an SBOM file. One of the requirements of the SBOM file is:

So therefore I need to be able to fill in the metadata -> component -> manufacturer. The components section is for used libraries, not for the actual delivered library or application. So my first pull request, which @ppkarwasz didn't like, was to be able to configure the
Adding manufacturer information to the Maven Plugin (see https://cyclonedx.org/docs/1.6/json/#metadata_manufacturer for the model reference).

This is very useful for companies and organizations, which can add information to the SBOM files about the source and how to contact the application vendor. This information is optional, and one configuration example is included. If this information is not included, the plugin works as before, without the manufacturer section.

When using a centralized parent POM file, all artefacts can create the manufacturer information. This kind of information is not often changed within a company or organization.

Some checks of the manufacturer information are available; they should maybe be moved to the core project.