
Centralising sbom dependency data, plus adding versions to sboms #3709

Conversation

adamfarley
Contributor

This is to centralise the jar versions and shas to simplify future updates, and to enable a user to easily set their own values.

This also adds cyclonedx dependency version strings to sboms.

@adamfarley adamfarley self-assigned this Mar 18, 2024
@github-actions github-actions bot added the documentation Issues that request updates to our documentation label Mar 18, 2024

@github-actions github-actions bot left a comment


A block has been put on this Pull Request as this repository is temporarily under a code freeze due to an ongoing release cycle.

If this pull request needs to be merged during the release cycle then please comment /merge and a PMC member will be able to remove the block.

If the code freeze is over you can remove this block by commenting /thaw.

@adamfarley
Contributor Author

Linked to #3593

This is to centralise the jar versions and shas to simplify future
updates, and to enable a user to easily set their own values.

This also adds cyclonedx dependency version strings to sboms.

Signed-off-by: Adam Farley <[email protected]>
@adamfarley adamfarley force-pushed the add_versions_and_shas_to_build_getdependencies branch from f73a928 to 961e606 Compare March 18, 2024 12:25
@adamfarley
Contributor Author

Tested here: https://ci.adoptium.net/job/build-scripts/job/jobs/job/jdk21u/job/jdk21u-linux-x64-temurin/153/

Passed. SBOM output:

        {
          "name" : "CycloneDX jar versions",
          "properties" : [
            {
              "name" : "commons-codec.jar",
              "value" : "1.15"
            },
            {
              "name" : "commons-io.jar",
              "value" : "2.11.0"
            },
            {
              "name" : "cyclonedx-core-java.jar",
              "value" : "8.0.3"
            },
            {
              "name" : "github-package-url.jar",
              "value" : "1.4.1"
            },
            {
              "name" : "jackson-annotations.jar",
              "value" : "2.14.2"
            },
            {
              "name" : "jackson-core.jar",
              "value" : "2.14.2"
            },
            {
              "name" : "jackson-databind.jar",
              "value" : "2.14.2"
            },
            {
              "name" : "jackson-dataformat-xml.jar",
              "value" : "2.14.2"
            },
            {
              "name" : "json-schema.jar",
              "value" : "1.0.77"
            }
          ],
          "type" : "framework"
        }
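The property bag above is what a downstream consumer would read to learn which jar versions built the SBOM. The following is an added example, not code from this PR or from the temurin-build project: it wraps that component in a minimal CycloneDX document (constructed here so it parses stand-alone), extracts the jar versions, and compares them with a hypothetical centralised pin list of versions and SHA-256 digests, the kind of single source of truth the PR description talks about moving the values into. The pin list, its digests, the commons-io version it pins and the extra `example-extra.jar` entry are all constructed to give the checker some drift to report; they are not values from the project.

```python
"""Added example (not temurin-build project code): consume the
'CycloneDX jar versions' component this PR adds to the SBOM and check it
against a centralised pin list of jar versions and SHA-256 digests."""
import hashlib
import json

# Constructed sample: the component from the PR's Jenkins test output,
# wrapped in a minimal CycloneDX document so it parses on its own.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [{
        "name": "CycloneDX jar versions",
        "type": "framework",
        "properties": [
            {"name": "commons-codec.jar", "value": "1.15"},
            {"name": "commons-io.jar", "value": "2.11.0"},
            {"name": "cyclonedx-core-java.jar", "value": "8.0.3"},
            {"name": "github-package-url.jar", "value": "1.4.1"},
            {"name": "jackson-annotations.jar", "value": "2.14.2"},
            {"name": "jackson-core.jar", "value": "2.14.2"},
            {"name": "jackson-databind.jar", "value": "2.14.2"},
            {"name": "jackson-dataformat-xml.jar", "value": "2.14.2"},
            {"name": "json-schema.jar", "value": "1.0.77"},
        ],
    }],
})

# Hypothetical centralised pin list (jar name -> version and sha256),
# standing in for the one place the PR moves versions and SHAs to.
# Digests are constructed placeholders; commons-io is deliberately pinned
# at a different version and one extra jar is added so there is drift
# for the checker to report.
PINNED = {
    "commons-codec.jar": {"version": "1.15", "sha256": "00" * 32},
    "commons-io.jar": {"version": "2.15.1", "sha256": "11" * 32},
    "cyclonedx-core-java.jar": {"version": "8.0.3", "sha256": "22" * 32},
    "github-package-url.jar": {"version": "1.4.1", "sha256": "33" * 32},
    "jackson-annotations.jar": {"version": "2.14.2", "sha256": "44" * 32},
    "jackson-core.jar": {"version": "2.14.2", "sha256": "55" * 32},
    "jackson-databind.jar": {"version": "2.14.2", "sha256": "66" * 32},
    "jackson-dataformat-xml.jar": {"version": "2.14.2", "sha256": "77" * 32},
    "json-schema.jar": {"version": "1.0.77", "sha256": "88" * 32},
    "example-extra.jar": {"version": "0.1", "sha256": "99" * 32},
}

COMPONENT_NAME = "CycloneDX jar versions"


def jar_versions_from_sbom(sbom_text: str) -> dict:
    """Return {jar name: version} from the named property-bag component."""
    bom = json.loads(sbom_text)
    for comp in bom.get("components", []):
        if comp.get("name") == COMPONENT_NAME:
            return {p["name"]: p["value"] for p in comp.get("properties", [])}
    raise ValueError(f"SBOM has no component named {COMPONENT_NAME!r}")


def compare_to_pins(found: dict, pinned: dict) -> list:
    """Report drift as (kind, jar, detail) tuples; an empty list means clean."""
    findings = []
    for jar, pin in sorted(pinned.items()):
        if jar not in found:
            findings.append(("missing-in-sbom", jar, pin["version"]))
        elif found[jar] != pin["version"]:
            detail = f"sbom={found[jar]} pinned={pin['version']}"
            findings.append(("version-mismatch", jar, detail))
    # Jars the SBOM reports but nobody pinned are worth a look too.
    for jar in sorted(set(found) - set(pinned)):
        findings.append(("unpinned-in-sbom", jar, found[jar]))
    return findings


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a downloaded artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def jar_matches_pin(jar: str, data: bytes, pinned: dict) -> bool:
    """True only if the jar is pinned and its bytes hash to the pinned digest."""
    pin = pinned.get(jar)
    return pin is not None and sha256_hex(data) == pin["sha256"]


if __name__ == "__main__":
    versions = jar_versions_from_sbom(SAMPLE_SBOM)
    for kind, jar, detail in compare_to_pins(versions, PINNED):
        print(f"{kind}: {jar} ({detail})")
```

Run stand-alone it prints the two constructed drift findings (the commons-io version mismatch and the pinned-but-absent extra jar). `jar_matches_pin` is the piece that makes the centralised SHA list useful in a build: it refuses a downloaded jar whose digest differs from the pin, independently of what the SBOM later records.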

Contributor

@andrew-m-leonard andrew-m-leonard left a comment


lgtm

@adamfarley
Contributor Author

The license check seems not to apply in this case (as all the failing files contain externally-sourced data such as SHAs, version strings, and jar names), so I've raised a PR to remove the requirement here:

#3772

@adamfarley adamfarley dismissed github-actions[bot]’s stale review April 24, 2024 14:42

No freeze on master branch.

@karianna karianna merged commit b1f8de0 into adoptium:master Apr 25, 2024
24 of 25 checks passed
@adamfarley adamfarley deleted the add_versions_and_shas_to_build_getdependencies branch July 10, 2024 14:50