Integrate CycloneDX SBOM API into build.sh #2869

Merged
merged 2 commits into from
Mar 16, 2022

@andrew-m-leonard andrew-m-leonard commented Mar 7, 2022

Integrate the new CycloneDX Java API plugin into the build-scripts bill of materials generation.

This PR creates the SBOM file: ${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/sbom.json

A 2nd PR for ci-jenkins-pipelines will create a new Artifact from sbom.json.

Signed-off-by: Andrew Leonard [email protected]

@andrew-m-leonard andrew-m-leonard marked this pull request as draft March 7, 2022 11:55

andrew-m-leonard commented Mar 8, 2022

Jenkins built SBOM:

15:46:29  CycloneDX SBOM:
15:46:29  {
15:46:29    "bomFormat" : "CycloneDX",
15:46:29    "specVersion" : "1.3",
15:46:29    "version" : 1,
15:46:29    "metadata" : {
15:46:29      "timestamp" : "2022-03-14T15:46:22Z",
15:46:29      "component" : {
15:46:29        "name" : "Temurin",
15:46:29        "type" : "application"
15:46:29      },
15:46:29      "manufacture" : {
15:46:29        "name" : "Eclipse Foundation",
15:46:29        "url" : [
15:46:29          "https://www.eclipse.org/"
15:46:29        ]
15:46:29      },
15:46:29      "properties" : [
15:46:29        {
15:46:29          "name" : "OS_KERNEL",
15:46:29          "value" : "Linux"
15:46:29        },
15:46:29        {
15:46:29          "name" : "OS_ARCHITECTURE",
15:46:29          "value" : "X86_64"
15:46:29        },
15:46:29        {
15:46:29          "name" : "VARIANT",
15:46:29          "value" : "Temurin"
15:46:29        }
15:46:29      ]
15:46:29    },
15:46:29    "components" : [
15:46:29      {
15:46:29        "author" : "Vendor: Adoptium",
15:46:29        "group" : "Eclipse Temurin",
15:46:29        "name" : "Temurin",
15:46:29        "version" : "19+9",
15:46:29        "type" : "application"
15:46:29      },
15:46:29      {
15:46:29        "name" : "JDK",
15:46:29        "description" : "Temurin JDK Component",
15:46:29        "properties" : [
15:46:29          {
15:46:29            "name" : "scmRef",
15:46:29            "value" : "jdk-19+1_adopt-2871-g4092ff6cb37"
15:46:29          },
15:46:29          {
15:46:29            "name" : "openjdkSourceCommit",
15:46:29            "value" : "https://github.com/andrew-m-leonard/jdk-1/commit/4092ff6cb37"
15:46:29          },
15:46:29          {
15:46:29            "name" : "buildRef",
15:46:29            "value" : "https://github.com/andrew-m-leonard/openjdk-build/commit/3181ca5"
15:46:29          },
15:46:29          {
15:46:29            "name" : "builtConfig",
15:46:29            "value" : "# ============================ # OPENJDK BUILD CONFIGURATION: # ============================ BUILD_CONFIG[ADOPT_PATCHES]=\"true\" BUILD_CONFIG[ASSEMBLE_EXPLODED_IMAGE]=\"false\" BUILD_CONFIG[BRANCH]=\"repro\" BUILD_CONFIG[BUILD_FULL_NAME]=\"linux-x86_64-server-release\" BUILD_CONFIG[BUILD_VARIANT]=\"temurin\" BUILD_CONFIG[CLEAN_DOCKER_BUILD]=\"false\" BUILD_CONFIG[CLEAN_GIT_REPO]=\"true\" BUILD_CONFIG[CLEAN_LIBS]=\"false\" BUILD_CONFIG[CONTAINER_NAME]=\"openjdk_container\" BUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JDK_FLAG]=\"false\" BUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JRE_FLAG]=\"false\" BUILD_CONFIG[CREATE_DEBUG_IMAGE]=\"true\" BUILD_CONFIG[CREATE_JRE_IMAGE]=\"false\" BUILD_CONFIG[CREATE_SBOM]=\"true\" BUILD_CONFIG[CREATE_SOURCE_ARCHIVE]=\"false\" BUILD_CONFIG[CROSSCOMPILE]=\"false\" BUILD_CONFIG[CUSTOM_CACERTS]=\"true\" BUILD_CONFIG[DEBUG_DOCKER]=\"false\" BUILD_CONFIG[DEBUG_IMAGE_PATH]=\"debug-image\" BUILD_CONFIG[DISABLE_ADOPT_BRANCH_SAFETY]=\"false\" BUILD_CONFIG[DOCKER]=\"docker\" BUILD_CONFIG[DOCKER_FILE_PATH]=\"\" BUILD_CONFIG[DOCKER_SOURCE_VOLUME_NAME]=\"openjdk-source-volume-jdk-temurin\" BUILD_CONFIG[FREETYPE]=\"false\" BUILD_CONFIG[FREETYPE_DIRECTORY]=\"\" BUILD_CONFIG[FREETYPE_FONT_BUILD_TYPE_PARAM]=\"\" BUILD_CONFIG[FREETYPE_FONT_VERSION]=\"2.9.1\" BUILD_CONFIG[GRADLE_USER_HOME_DIR]=\"\" BUILD_CONFIG[JDK_BOOT_DIR]=\"/home/jenkins/workspace/build-scripts/jobs/jdk/jdk-linux-x64-temurin/jdk-19\" BUILD_CONFIG[JDK_PATH]=\"jdk\" BUILD_CONFIG[JRE_PATH]=\"jre\" BUILD_CONFIG[JVM_VARIANT]=\"server\" BUILD_CONFIG[KEEP_CONTAINER]=\"false\" BUILD_CONFIG[MACOSX_CODESIGN_IDENTITY]=\"\" BUILD_CONFIG[MAKE_ARGS_FOR_ANY_PLATFORM]=\"product-images\" BUILD_CONFIG[MAKE_COMMAND_NAME]=\"make\" BUILD_CONFIG[MAKE_EXPLODED]=\"false\" BUILD_CONFIG[NUM_PROCESSORS]=\"1\" BUILD_CONFIG[OPENJDK_BUILD_NUMBER]=\"\" BUILD_CONFIG[OPENJDK_BUILD_REPO_BRANCH]=\"master\" 
BUILD_CONFIG[OPENJDK_BUILD_REPO_URI]=\"https://github.com/adoptium/temurin-build.git\" BUILD_CONFIG[OPENJDK_CORE_VERSION]=\"jdk\" BUILD_CONFIG[OPENJDK_FEATURE_NUMBER]=\"19\" BUILD_CONFIG[OPENJDK_FOREST_NAME]=\"jdk\" BUILD_CONFIG[OPENJDK_SOURCE_DIR]=\"src\" BUILD_CONFIG[OPENJDK_UPDATE_VERSION]=\"\" BUILD_CONFIG[OS_ARCHITECTURE]=\"x86_64\" BUILD_CONFIG[OS_FULL_VERSION]=\"Linux 5.8.0-34-generic : CentOS release 6.10 (Final)\" BUILD_CONFIG[OS_KERNEL_NAME]=\"linux\" BUILD_CONFIG[PATCHES]=\"\" BUILD_CONFIG[RELEASE]=\"false\" BUILD_CONFIG[REPOSITORY]=\"https://github.com/andrew-m-leonard/jdk-1\" BUILD_CONFIG[REUSE_CONTAINER]=\"true\" BUILD_CONFIG[SHALLOW_CLONE_OPTION]=\"--depth=1\" BUILD_CONFIG[SIGN]=\"false\" BUILD_CONFIG[STATIC_LIBS_IMAGE_PATH]=\"static-libs\" BUILD_CONFIG[TAG]=\"\" BUILD_CONFIG[TARGET_DIR]=\"target/\" BUILD_CONFIG[TARGET_FILE_NAME]=\"OpenJDK-jdk_x64_linux_hotspot_2022-03-14-15-24.tar.gz\" BUILD_CONFIG[TEST_IMAGE_PATH]=\"test\" BUILD_CONFIG[TMP_CONTAINER_NAME]=\"openjdk-copy-src\" BUILD_CONFIG[TMP_SPACE_BUILD]=\"false\" BUILD_CONFIG[USER_SUPPLIED_CONFIGURE_ARGS]=\" --disable-warnings-as-errors --with-source-date=updated --with-build-user=adoptium --enable-ccache --disable-ccache --with-source-date=version --with-version-build=9 --with-vendor-version-string=Temurin-19+9 --without-version-pre --without-version-opt\" BUILD_CONFIG[USER_SUPPLIED_MAKE_ARGS]=\"\" BUILD_CONFIG[USE_DOCKER]=\"false\" BUILD_CONFIG[USE_JEP319_CERTS]=\"true\" BUILD_CONFIG[USE_SSH]=\"false\" BUILD_CONFIG[VENDOR]=\"Undefined Vendor\" BUILD_CONFIG[WORKING_DIR]=\"./build/\" BUILD_CONFIG[WORKSPACE_DIR]=\"/home/jenkins/workspace/build-scripts/jobs/jdk/jdk-linux-x64-temurin/workspace\""
15:46:29          },
15:46:29          {
15:46:29            "name" : "full_version_output",
15:46:29            "value" : "openjdk version \"19\" 2022-09-20 OpenJDK Runtime Environment Temurin-19+9 (build 19+9) OpenJDK 64-Bit Server VM Temurin-19+9 (build 19+9, mixed mode, sharing)"
15:46:29          },
15:46:29          {
15:46:29            "name" : "makejdk_any_platform_args",
15:46:29            "value" : "--clean-git-repo --jdk-boot-dir /home/jenkins/workspace/build-scripts/jobs/jdk/jdk-linux-x64-temurin/jdk-19 --configure-args --disable-warnings-as-errors --with-source-date=updated --with-build-user=adoptium --enable-ccache --disable-ccache --with-source-date=version --with-version-build=9 --with-vendor-version-string=Temurin-19+9 --without-version-pre --without-version-opt --target-file-name OpenJDK-jdk_x64_linux_hotspot_2022-03-14-15-24.tar.gz --create-sbom -b repro -r https://github.com/andrew-m-leonard/jdk-1 --skip-freetype --use-jep319-certs --create-debug-image --build-variant temurin jdk"
15:46:29          },
15:46:29          {
15:46:29            "name" : "make_command_args",
15:46:29            "value" : "make product-images test-image static-libs-image"
15:46:29          }
15:46:29        ]
15:46:29      },
15:46:29      {
15:46:29        "name" : "ALSA",
15:46:29        "description" : "dependency_version_alsa",
15:46:29        "properties" : [
15:46:29          {
15:46:29            "name" : "url",
15:46:29            "value" : "https://ftp.osuosl.org/pub/blfs/conglomeration/alsa-lib/alsa-lib-1.1.6.tar.bz2"
15:46:29          }
15:46:29        ]
15:46:29      }
15:46:29    ]
15:46:29  }
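
A consumer-side check for an SBOM logged this way, as an added example (not code from this PR or from temurin-build): it recovers the JSON from a timestamp-prefixed console log and lists components that lack `type`, `version` or `hashes`. The log excerpt is constructed, and the function names and the choice of audited fields are assumptions.

```python
import json
import re

# Constructed sample: a shortened console excerpt in the same shape as the
# Jenkins log above (timestamp prefix on every line, marker line before the JSON).
CONSOLE_LOG = """\
15:46:29  CycloneDX SBOM:
15:46:29  {
15:46:29    "bomFormat" : "CycloneDX",
15:46:29    "specVersion" : "1.3",
15:46:29    "components" : [
15:46:29      { "name" : "Temurin", "version" : "19+9", "type" : "application" },
15:46:29      { "name" : "ALSA", "description" : "dependency_version_alsa",
15:46:29        "properties" : [
15:46:29          { "name" : "url", "value" : "https://example.invalid/alsa-lib.tar.bz2" }
15:46:29        ] }
15:46:29    ]
15:46:29  }
15:46:30  Finished: SUCCESS
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2} {0,2}")
MARKER = "CycloneDX SBOM:"
# Assumption: fields a consumer needs to identify a component and verify its bytes.
AUDITED_FIELDS = ("type", "version", "hashes")


def extract_sbom(console_text):
    """Strip timestamp prefixes and decode the first JSON object after the marker."""
    lines = [TIMESTAMP.sub("", line) for line in console_text.splitlines()]
    start = next(i for i, line in enumerate(lines) if line.strip() == MARKER)
    body = "\n".join(lines[start + 1:]).lstrip()
    # strict=False tolerates raw line breaks inside long string values;
    # raw_decode stops at the end of the object and ignores trailing log lines.
    sbom, _ = json.JSONDecoder(strict=False).raw_decode(body)
    return sbom


def audit_components(sbom):
    """Map each component name to the audited fields it is missing."""
    findings = {}
    for component in sbom.get("components", []):
        missing = [f for f in AUDITED_FIELDS if not component.get(f)]
        if missing:
            findings[component.get("name", "<unnamed>")] = missing
    return findings
```
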

@andrew-m-leonard andrew-m-leonard marked this pull request as ready for review March 14, 2022 15:52
@github-actions github-actions bot added the jenkins Issues that enhance or fix our jenkins server label Mar 15, 2022
@smlambert smlambert left a comment

LGTM, thanks @andrew-m-leonard - FYI, I am in favour of bringing this in prior to the release next week.

@sxa sxa left a comment

LGTM, although I'm wondering if we should look at splitting out the SBOM functions into a separate script under common that's sourced to keep it all in one tidy place at some point in the future?

@andrew-m-leonard

> LGTM, although I'm wondering if we should look at splitting out the SBOM functions into a separate script under common that's sourced to keep it all in one tidy place at some point in the future?

This will be the plan yes, as it's going to get a lot more complex I suspect with more detailed info.

@andrew-m-leonard andrew-m-leonard merged commit c843512 into adoptium:master Mar 16, 2022