-
Notifications
You must be signed in to change notification settings - Fork 46
/
index.xml
4527 lines (4231 loc) · 448 KB
/
index.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Jenkins X - Cloud Native CI/CD Built On Kubernetes – Jenkins X - Cloud Native CI/CD Built On Kubernetes</title>
<link>https://jenkins-x.io/</link>
<description>Recent content on Jenkins X - Cloud Native CI/CD Built On Kubernetes</description>
<generator>Hugo -- gohugo.io</generator>
<atom:link href="https://jenkins-x.io/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>Blog: GSoC 2022 Final Report: Improving Supply Chain Security</title>
<link>https://jenkins-x.io/blog/2022/11/08/gsoc-2022/</link>
<pubDate>Tue, 08 Nov 2022 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2022/11/08/gsoc-2022/</guid>
<description>
<h2 id="project-description">Project Description</h2>
<p>Supply chain security is a rising concern in the current software era.
Securing the software supply chain encompasses vulnerability remediation and the implementation of controls throughout the software development process.
Due to massive increase in attacks on software supply chain and the diversity of its <a href="https://slsa.dev/spec/v0.1/threats">types</a>, Jenkins X has to make efforts to ensure that the build process is secure.
As part of securing Jenkins X installation by default I worked on both securing our own components and enabling our users to use these features in their build and release steps..</p>
<h2 id="work-done">Work Done</h2>
<p>The work done so far covers these four sections.</p>
<ol>
<li>Enhancing the <code>jx version</code> output</li>
<li>Integrating with Tekton Chains to sign TaskRuns and PipelineRuns</li>
<li>Software Bill of Materials (SBOM)</li>
<li>Signing Jenkins X artifacts</li>
</ol>
<h3 id="enhancing-the-jx-version-output">Enhancing the <code>jx version</code> output</h3>
<p>Description:</p>
<p>A first step towards securing Jenkins X supply chain is to increase the amount of information gained from running <code>jx version</code> command.</p>
<p>Implementation</p>
<p>The issue created for this task is <a href="https://github.com/jenkins-x/jx/issues/8249">here</a>.
The PR to fix it is <a href="https://github.com/jenkins-x/jx/pull/8291">here</a>.</p>
<h3 id="integrating-with-tekton-chains-to-sign-taskruns-and-pipelineruns">Integrating with Tekton Chains to sign TaskRuns and PipelineRuns</h3>
<p>Description:</p>
<p>As Jenkins X uses tekton as its pipeline execution engine,<code> TaskRun</code> and <code> PipelineRun</code> are considered the key components of Jenkins X pipeline <code>activities</code> and <code>steps</code>
Tekton Chains monitors the execution of all <code>TaskRun</code> and <code> PipelineRun</code> inside the cluster and takes a snapshot upon completion of each of them to sign with user-provided cryptographic keys and store them on the backend storage.
The payload and signature cn be verified later using <code>cosign verify-blob</code>.</p>
<p>Implementation</p>
<p>I used the helm chart developed by <a href="https://www.chainguard.dev/">Chainguard</a> for integrating Chains with Jenkins X.
To integrate the <a href="https://github.com/chainguard-dev/tekton-helm-charts/tree/main/charts/tekton-chains">chart</a> and added support for it on <a href="https://github.com/jenkins-x/jx3-versions">jx3-versions</a> to make installation of helm chart easy for our users.
The list of PRs for this:</p>
<table>
<thead>
<tr>
<th>PR</th>
<th>Short Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://github.com/jenkins-x/jx3-versions/pull/3359">https://github.com/jenkins-x/jx3-versions/pull/3359</a></td>
<td>Supporting Tekton Chains helm chart with jx3-versions</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x/jx-docs/pull/3660">https://github.com/jenkins-x/jx-docs/pull/3660</a></td>
<td>Documentation on how to install and integrate Tekton Chains with Jenknins X</td>
</tr>
</tbody>
</table>
<p>NOTE: The integration is tested only on k3s cluster and work is in progress to test it on GKE and EKS.</p>
<h3 id="software-bill-of-materials-sbom">Software Bill of Materials (SBOM)</h3>
<p>Description:</p>
<p><a href="https://en.wikipedia.org/wiki/Software_supply_chain#:~:text=Software%20vendors%20often,could%20harm%20them.">Software Bill Of Materials</a> (SBOM) is a complete formally structured list of the materials (components, packages, libraries, SDK) used to build (i.e. compile, link) a given piece of software and the supply chain relationships between all these materials.
It is an inventory of all the components developers used to make this software.
It has many formats and many generating tools but all have the same purpose in the end.</p>
<p>Implementation:</p>
<p>I first began with investigating available standards and formats for SBOMs and tools for generating them.
The results of my investigation were written to a blog post <a href="https://jenkins-x.io/blog/2022/07/24/intro-to-sbom/">here</a>.</p>
<p>I&rsquo;ve settled for using <a href="https://github.com/anchore/syft">syft</a> for SBOM generation and <a href="https://spdx.dev/">spdx</a> as the standard format for SBOMs.
Also, I&rsquo;ve added those installation as pre-defined steps in the Jenkins X pipeline catalog so it will also be available for our users to use in their pipelines and applied those steps to Jenkins X own pipelines.
The list of PRs for this work are:</p>
<table>
<thead>
<tr>
<th>PR</th>
<th>Short Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://github.com/jenkins-x/jx/pull/8312">https://github.com/jenkins-x/jx/pull/8312</a></td>
<td>Install syft using github action and generate SBOM with goreleaser</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x/jx3-pipeline-catalog/pull/1166">https://github.com/jenkins-x/jx3-pipeline-catalog/pull/1166</a></td>
<td>Add Syft Installation to JX3 pipeline Catalog so it can be used to generate SBOMs</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x/jx3-pipeline-catalog/pull/1173">https://github.com/jenkins-x/jx3-pipeline-catalog/pull/1173</a></td>
<td>Add Oras Steps to support pushing SBOMs as OCI artifacts</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x-plugins/jx-pipeline/pull/490">https://github.com/jenkins-x-plugins/jx-pipeline/pull/490</a></td>
<td>Use Syft installation step in jx-pipeline from jx3-pipelines-catalog</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x-plugins/jx-pipeline/pull/491">https://github.com/jenkins-x-plugins/jx-pipeline/pull/491</a></td>
<td>Use Oras bushing SBOMs step from jx3-pipeline-catalog</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x/jx-docs/pull/3643">https://github.com/jenkins-x/jx-docs/pull/3643</a></td>
<td>Add documentation for supporting sbom generation and storing for other jx components and our users</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x/jx/pull/8351">https://github.com/jenkins-x/jx/pull/8351</a></td>
<td>Applying SBOM management to JX</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x/jx3-pipeline-catalog/pull/1190">https://github.com/jenkins-x/jx3-pipeline-catalog/pull/1190</a></td>
<td>Add grype tasks for SBOM vulnerability scanning to jx3-pipeline-catalog</td>
</tr>
<tr>
<td><a href="https://github.com/cdfoundation/presentations/pull/44">https://github.com/cdfoundation/presentations/pull/44</a></td>
<td>Add materials for my talk with the CDF Supply Chain Securtiy SIG about SBOMs with Jenkins X</td>
</tr>
</tbody>
</table>
<p>There is also this issue to apply all steps on our active JX repositories <a href="https://github.com/jenkins-x/jx/issues/8348">here</a> (WIP as there are many repositories to be updated) and the list of PRs are referenced in the issue (except those of JX because they included testing and fixing PRs at the beginning).</p>
<h3 id="signing-jenkins-x-artifacts">Signing Jenkins X artifacts</h3>
<p>Description:</p>
<p>Jenkins X is a collection of many components and tools that are used to provide the end-to-end CI/CD solution.
Those components are used by our users and are also used by Jenkins X itself.
It is important to sign those components to ensure the integrity of the components and the supply chain security of Jenkins X.</p>
<p>Implementation:</p>
<p>There are a set of tools developed by <a href="https://sigstore.dev/">sigstore</a> to sign and verify artifacts.
The most used tool in my implementation is <a href="https://github.com/sigstore/cosign">cosign</a>.
I first started with signing the Jenkins X CLI with keys stored in github secrets and then moved to signing the Jenkins X docker images.
After that, I switched to use cosign <a href="https://github.com/sigstore/cosign/blob/main/KEYLESS.md">keyless signing</a> (an experimental feature using other Sigstore components (rekor and fulcio) to save end users from the hassles of key (mis)management ) The list of PRs for this work are:</p>
<table>
<thead>
<tr>
<th>PR</th>
<th>Short Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://github.com/jenkins-x/jx/pull/8432">https://github.com/jenkins-x/jx/pull/8432</a></td>
<td>Sign goreleaser artifacts with cosign</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x/jx/pull/8441">https://github.com/jenkins-x/jx/pull/8441</a></td>
<td>Sign published images with cosign</td>
</tr>
<tr>
<td><a href="https://github.com/jenkins-x/jx/pull/8461">https://github.com/jenkins-x/jx/pull/8461</a></td>
<td>Keyless signing for goreleaser artifacts</td>
</tr>
</tbody>
</table>
<h2 id="whats-next">What&rsquo;s next?</h2>
<p>The work for supply chain security is still in progress and there are many things to be done.
At Jenkins X, we are planning to develop new features and integrate more solutions to provide a better supply chain security for our users.
The list of things to be done are:</p>
<ul>
<li>Add a cli subcommand in JX to verify sbom/signed binaries against the public keys.</li>
<li>Add <a href="https://github.com/ossf/scorecard">openSSF security scorecard</a> to Jenkins X repositories.</li>
<li>Integrate <a href="https://buildsec.github.io/frsca/">FRSCA</a> work with Jenkins X.</li>
</ul>
<h2 id="acknowledgements">Acknowledgements</h2>
<p>Out of all internships and trainings I&rsquo;ve done, this one was the most challenging, rewarding and educational experience. I would like to specially thank my mentor <a href="https://github.com/ankitm123">Ankit Mohapatra</a> for his constant support and his patience to teach me a lot of his rich knowledge he gained by experience and thank the whole team of Jenkins X for their support and guidance and for welcoming me to the community. This internship was a great experience. I had a great time working on this project and I learned a lot from it. I hope to continue contributing to Jenkins X and the open-source community in the future. Thank you.</p>
</description>
</item>
<item>
<title>Blog: Software Bill Of Materials generation tools</title>
<link>https://jenkins-x.io/blog/2022/07/24/sbom-tools/</link>
<pubDate>Sun, 24 Jul 2022 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2022/07/24/sbom-tools/</guid>
<description>
<h2 id="prerequisite">Prerequisite</h2>
<p>Before you read this, you have to understand <a href="https://jenkins-x.io/blog/2022/07/24/intro-to-sbom">what are SBOMs</a> and <a href="https://jenkins-x.io/blog/2022/07/24/sbom-formats">what are different formats of SBOMs</a></p>
<h2 id="different-sbom-generation-tools-comparison">Different SBOM generation tools comparison</h2>
<p>If you got this far, you already realize the importance of SBOM generation, and also it should meet certain requirements to achieve its purpose. Due to various requirements depending on what standard you&rsquo;re following, there has to be a way to automatically generate different output formats for different standards. Also, it has to be suited for ci/cd solutions to keep up with the increasing number of releases for each organization.</p>
<p>Note: Here we&rsquo;re only considering open source tools</p>
<h3 id="1---anchore-syft">1 - Anchore Syft</h3>
<p><em><strong>Introduction:</strong></em></p>
<p><a href="https://anchore.com/">Anchore</a>is a platform that implements sbom-powered supply chain security solutions for developers and enterprises. For generating SBOMs, a CLI tool and library named <a href="https://github.com/anchore/syft">Syft</a> was developed by Anchore that could be injected into your ci/cd pipeline to generate SBOMs from container images and filesystems at each step.</p>
<p><em><strong>Integration and Support:</strong></em></p>
<p>Syft is supported on Linux, Mac, and Windows and it can run as a docker container which makes it a great suit for CI systems. Other than the 3 SBOM standards, Syft can generate its JSON standard format to be input for other Anchore tools like <a href="https://github.com/anchore/grype/">Grype</a> which is a vulnerability scanner for container images and filesystems. It supports projects based on the following package managers:</p>
<ul>
<li>Alpine (apk)</li>
<li>C (conan)</li>
<li>C++ (conan)</li>
<li>Dart (pubs)</li>
<li>Debian (dpkg)</li>
<li>Dotnet (deps.json)</li>
<li>Objective-C (cocoapods)</li>
<li>Go (go.mod, Go binaries)</li>
<li>Haskell (cabal, stack)</li>
<li>Java (jar, ear, war, par, sar)</li>
<li>JavaScript (npm, yarn)</li>
<li>Jenkins Plugins (jpi, hpi)</li>
<li>PHP (composer)</li>
<li>Python (wheel, egg, poetry, requirements.txt)</li>
<li>Red Hat (rpm)</li>
<li>Ruby (gem)</li>
<li>Rust (cargo.lock)</li>
<li>Swift (cocoapods)</li>
</ul>
<p><em><strong>Features and Specs:</strong></em></p>
<ul>
<li>Easy to use
<ul>
<li>Syft can generate a simple basic sbom by just running <code>syft &lt;image&gt;</code> this will only include the softwares included in the image&rsquo;s final layer. Or <code>syft &lt;image&gt; --scope all-layers</code> for more verbose sbom to include all image layers</li>
</ul>
</li>
<li>Different formats support the ability to convert between them.
<ul>
<li>Syft JSON</li>
<li>SPDX 2.2 JSON</li>
<li>SPDX 2.2 tag-value</li>
<li>CycloneDX 1.4 JSON</li>
<li>CycloneDX 1.4 XML</li>
</ul>
</li>
<li>Cryptographically sign and attest SBOMs
<ul>
<li>Syft uses <a href="https://github.com/in-toto/attestation">in-toto attestations</a> with <code>syft attest</code> command and the digital signature management is integrated with sigstore cosign. You can view more <a href="https://anchore.com/sbom/creating-sbom-attestations-using-syft-and-sigstore/">here</a>.</li>
</ul>
</li>
<li>Support a variety of sources to generate SBOMs from
<ul>
<li>OCI and docker image formats <code>syft &lt;image&gt;</code></li>
<li>Container images archives <code>syft path/to/image.tar</code></li>
<li>Filesystems and local directories <code>syft path/to/dir</code></li>
</ul>
</li>
</ul>
<p>For more resources about Syft capabilities refer to the <a href="https://github.com/anchore/syft">source repo</a> and <a href="https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/">official documentation</a></p>
<h3 id="2--opensboms-spdx-sbom-generator">2- Opensbom&rsquo;s Spdx-Sbom-Generator</h3>
<p><em><strong>Introduction:</strong></em></p>
<p><a href="https://github.com/opensbom-generator">Opensbom-Generator</a> is an open source project initiated by the Linux Foundation SPDX workgroup to generate SBOMs using CLI tools. Currently, they support the standard spdx 2.2 formats and JSON with their <a href="https://github.com/opensbom-generator/spdx-sbom-generator">spdx-sbom-generator</a> tool based on golang. It can only be used to generate SBOMs from a repository containing package files (no container images or archives support yet). They aim to provide SBOM generation support in ci/cd solutions.</p>
<p><em><strong>Integration and Support:</strong></em></p>
<p>You can download the binaries and install the tool on your system. The available binaries to install are for Linux, Windows, and macOS and it can also be used as a docker container from this spdx <a href="https://hub.docker.com/r/spdx/spdx-sbom-generator">repo</a>. It can detect which package managers or build systems are being used by the software. It is supporting the following package managers:</p>
<p><code>GoMod (go), Cargo (Rust), Composer (PHP), DotNet (.NET), Maven (Java), NPM (Node.js), Yarn (Node.js), PIP (Python), Pipenv (Python), Gems (Ruby), Swift Package Manager (Swift)</code></p>
<p><em><strong>Features and Specs:</strong></em></p>
<ul>
<li>CLI easy to use and simple interface</li>
<li>Automatic detection of the package manager</li>
</ul>
<h3 id="3--kubernetes-bom">3- Kubernetes BOM</h3>
<p><em><strong>Introduction:</strong></em></p>
<p><a href="https://github.com/kubernetes-sigs/bom">BOM</a> is a general-purpose CLI tool developed by <a href="https://github.com/kubernetes-sigs">kubernetes-sigs</a> (Special Interest Groups) that can generate SBOMs from directories, container images, single files, and other sources. The utility has a built-in license classifier that can check for license compliance of your packages with around 400+ licenses in the <a href="https://spdx.org/licenses/">SPDX catalog.</a></p>
<p><em><strong>Integration and Support:</strong></em></p>
<p>BOM is supported as a Golang package that can be installed on any system having to go with <code>go install sigs.k8s.io/bom/cmd/bom</code> this adds the support for Linux, Mac, and Windows. It is compatible with creating SBOMs from files, images, and docker archives (images in tarballs). It also supports pulling images from remote container registries for analysis. BOM is mainly generating SBOMs in SPDX formats.</p>
<p><em><strong>Features and Specs:</strong></em></p>
<ul>
<li>CLI usage to support CI/CD solutions</li>
<li>Golang dependency analysis</li>
<li>Full <code>.gitignore</code> support when scanning git repositories</li>
<li>Ability to check for license compliance with SPDX catalog</li>
<li>Support for different sources to generate sboms</li>
<li>Other than the command <code>bom generate</code>, it uses <code>bom document</code> to work with already present SPDX documents to outline and draw a structure for them</li>
<li>It doesn&rsquo;t necessarily require a whole project directory but it can specify a single file to analyze with the <code>-f path/to/file</code> flag and it can have a collection of those files to be analyzed together.</li>
<li>It also supports the namespacing separation between SBOM documents using the <code>-n &lt;URI&gt;</code> flag to isolate each document from the other</li>
</ul>
<h3 id="4--microsoft-sbom-tool">4- Microsoft SBOM tool</h3>
<p><em><strong>Introduction:</strong></em></p>
<p>Recently, Microsoft open-sourced their SBOM generation tool which is described as a general purpose, enterprise-proven, build-time SBOM generator. They have been developing the tool internally since 2019 and tuning its feature according to their needs and providing other companies with the solution. What is new is that Microsoft has chosen to merge efforts with the Linux Foundation&rsquo;s work and use <a href="https://spdx.dev/">Software Package Data Exchange (SPDX)</a> for all SBOMs generated, and to do this for all software produced. It has a promising number of features like including other SBOM documents recursively to provide its users with the ability to have a full dependency tree that goes to the origin of every package.</p>
<p><em><strong>Integration and Support:</strong></em></p>
<p>Microsoft SBOM is supported on Linux, macOS, and Windows. It can be easily integrated into and auto-detects the following package managers</p>
<p><code>NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repositories</code></p>
<p>and Microsoft is adding more detectors to improve deeper integration with the community. The tool is currently committed to generating the SPDX 2.2.1 format for its users and is still in development to include all optional fields before integrating with other formats.</p>
<p><em><strong>Features and Specs:</strong></em></p>
<ul>
<li>
<p>Enterprise ready and highly scalable as already used at scale by Microsoft</p>
</li>
<li>
<p>Adding build provenance information to the SBOM</p>
</li>
<li>
<p>Auto-detection of the underlying package manager</p>
</li>
<li>
<p>Supports namespacing separation between SBOM documents with the <code>-nsb</code> flag</p>
</li>
<li>
<p>Validating SBOMs at release using hashes and digital signatures</p>
<p><img src="https://jenkins-x.io/images/sbom-guide/microsoft-sbom.png" alt="img"></p>
<p>Fig 1: <a href="https://devblogs.microsoft.com/engineering-at-microsoft/wp-content/uploads/sites/72/2021/10/adiglio-figure-1.png">https://devblogs.microsoft.com/engineering-at-microsoft/wp-content/uploads/sites/72/2021/10/adiglio-figure-1.png</a></p>
</li>
</ul>
<p>For more information about the tool visit the GitHub <a href="https://github.com/microsoft/sbom-tool">repo</a>and refer to the documentation <a href="https://github.com/microsoft/sbom-tool/tree/main/docs">here</a></p>
<h3 id="5--tern">5- Tern</h3>
<p><em><strong>Introduction:</strong></em></p>
<p><a href="https://github.com/tern-tools/tern">Tern</a> is a VMware-originated open source inspection tool used to generate SBOMs following standard formats. It gathers metadata for the packages installed in container images and Dockerfiles. Tern starts to analyze the contents of a container (through the image itself or the Dockerfile), layer by layer, without requiring the user to have in-depth technical knowledge about how the container was built.</p>
<p><em><strong>Integration and Support:</strong></em></p>
<p>Tern itself is available as a <a href="https://github.com/marketplace/actions/tern-action">Github Action</a> but it is mainly supported to be installed as a CLI tool on Linux. With Linux installation, Tern is built with python so it requires python, pip, and jq installed mainly (more about installation <a href="https://github.com/tern-tools/tern#getting-started">here</a>). Some features like analyzing Dockerfiles and the <a href="https://automatecompliance.org/news/2020/04/23/tern-2-0-0-now-available/">lock function</a> require Docker installation in your Linux. Moreover, Tern can run as a docker container which makes it easy to use in ci systems and can be used as a workaround to run on other operating systems like Windows, and macOS. Also, this helps to deploy Tern as a Kubernetes job with a host mount to retrieve generated SBOMs.</p>
<p>For now, Tern only supports container images built using Docker using <a href="https://docs.docker.com/registry/spec/manifest-v2-2/">image manifest version 2, schema 2</a> and it will support Docker images and it is aimed to support other images that follow the OCI standards in the future.</p>
<p>For license compliance, Term doesn&rsquo;t have its file-level license analyzer. So, it allows you to extend its analysis using an external CLI tool or Python packages as extensions. An example is <a href="https://github.com/tern-tools/tern#scancode">Scancode</a> which is a CLI tool used for license compliance along with other supported integrations like <a href="https://github.com/tern-tools/tern#cve-bin-tool">cve-bin-tool</a> for vulnerability scanning.</p>
<p>Tern supports generating reports with multiple formats:</p>
<ul>
<li>Human Readable Simple format</li>
<li>JSON format</li>
<li>HTML format</li>
<li>YAML format</li>
<li>SPDX tag-value Format</li>
<li>SPDX JSON Format</li>
<li>CycloneDX JSON Format</li>
</ul>
<p><em><strong>Features and Specs:</strong></em></p>
<ul>
<li>CLI is easy to use and can be installed as a docker container which makes it suitable for CI/CD solutions</li>
<li>Multiple supported output formats which are readable for both humans and machines</li>
<li>Ability to generate SBOMs following both SPDX and CycloneDX formats</li>
<li>Support for Dockerfile locking to create more reproducible Docker images which is a unique feature supported by Tern only, view more about it <a href="https://automatecompliance.org/news/2020/04/23/tern-2-0-0-now-available/">here</a>.</li>
<li>The concept of extensions/plugins is only supported by Tern between all the previously mentioned tools. This is a great feature that is proven to extend its capabilities in the coming future and open for creativity from the open source community (this was proven before to increase the functionality and popularity of other tools like Jenkins).</li>
</ul>
<p>For more information about the tool visit the GitHub <a href="https://github.com/tern-tools/tern">repo</a> and refer to the documentation <a href="https://github.com/tern-tools/tern/tree/main/docs">here</a>.</p>
</description>
</item>
<item>
<title>Blog: Software Bill Of Materials Formats</title>
<link>https://jenkins-x.io/blog/2022/07/24/sbom-formats/</link>
<pubDate>Sun, 24 Jul 2022 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2022/07/24/sbom-formats/</guid>
<description>
<h2 id="prerequisite">Prerequisite</h2>
<p>If you don&rsquo;t understand what is Software Bill of Materials (SBOM), please read this <a href="https://jenkins-x.io/blog/2022/07/24/intro-to-sbom">blog post</a> first.</p>
<h2 id="different-sbom-formats-comparison">Different SBOM formats comparison</h2>
<p>The National Telecommunications and Information Administration (NTIA) in the U.S. defined <a href="https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom">minimum requirements for SBOM formats</a>:</p>
<ul>
<li>Identifying the supplier of the software component.</li>
<li>Identifying the details about the version of the component.</li>
<li>Including unique identifiers for the component like cryptographic hash functions.</li>
<li>Including the relationships between all dependencies inside the component.</li>
<li>Including a timestamp of when and by whom the SBOM report was created or last modified</li>
</ul>
<p>In this section, we discuss different kinds and formats for SBOM standards and make a brief comparison between them. Three commonly used standards achieved the NTIA minimum requirements for SBOM generation and each one results in a different final SBOM document.</p>
<h3 id="1---the-software-package-data-exchange-spdx">1 - The Software Package Data Exchange (SPDX)</h3>
<p><em><strong>History:</strong></em></p>
<p>SPDX is an open-source machine-readable format adopted by the Linux Foundation as an industry standard. The specifications are implemented as a file format that identifies the software components within a larger piece of computer software and fulfilling the requirements of NTIA. The SPDX project started in 2010 and was initially dedicated to solving the issues around open source licensing compliance. It evolved over the years to adhere supply chain security challenges and has seen extensive uptake by companies and projects in the software industry. Companies like Hitachi, Fujitsu, and Toshiba contributed to furthering the standard in the <a href="https://spdx.github.io/spdx-spec/">SPDX v2.2.2 specification release</a>.</p>
<p><em><strong>Specs:</strong></em></p>
<p>The <a href="https://spdx.github.io/spdx-spec/">SPDX specification</a> describes the necessary sections and fields to produce a valid SPDX document. Note that the only mandatory field in all spdx documents is the &ldquo;Document Creation Information&rdquo; section. The presence of other sections (and subset fields of each section) is dependent on your use case and the information you want to provide.</p>
<p><img src="https://jenkins-x.io/images/sbom-guide/spdx-2.2-document.png" alt="spdx-specification"></p>
<p>Fig 1: <a href="https://spdx.dev/wp-content/uploads/sites/41/2020/05/spdx-2.2-document.png">https://spdx.dev/wp-content/uploads/sites/41/2020/05/spdx-2.2-document.png</a></p>
<ul>
<li><strong>Document Creation Information</strong> – Denotes who created the document, how it was created, and other useful information related to its creation. It provides the necessary information for forward and backward compatibility for processing tools (version numbers, license for data, authors, etc. )</li>
<li><strong>Package Information</strong> – This section provides information about the “package”. A package can be one or more files. These files could be one or more files of any type including but not limited to source, documents, binaries, containers, and so forth. The package information contains the originator, where it was sourced from, a download URL, a checksum, and so forth. It also contains summary licensing for the package.</li>
<li><strong>File Information</strong> – This is information about a specific file. It can contain the file copyrights found in the file (if any), the license of the file, a checksum for the file, file contributors, and so forth.</li>
<li><strong>Snippet Information</strong> – Snippets can optionally be used when a file is known to have some content that has been included from another source. They are useful for denoting when part of a file may have been created under another licenseSnippet information can be used to define licensing for ranges within files.</li>
<li><strong>Other Licensing Information</strong> – Other licensing information provides a way to describe licenses that are not on the <a href="https://spdx.org/licenses/">SPDX License List</a>. You can create a local (to the SPDX document) identifier for the license and place the license text itself in the document as a well and then reference it for files just like you would a license from the license list.</li>
<li><strong>Relationships</strong> – Relationships were introduced in the 2.0 specification and are a very powerful way of expressing how SPDX documents relate to one another. See an example of how the SPDX represents those <a href="https://spdx.dev/resources/use/#:~:text=Packages%20and%20Relationships">here</a>.</li>
<li><strong>Annotations</strong> – Annotations are comments made by people on various entities and elements within the document. For example, someone reviewing the document may make an annotation about a file and its license. Annotations are useful for reviews of SPDX documents and for conveying specific information about the package, file, creation, license, file(s), etc.</li>
</ul>
<p>In the <a href="https://spdx.github.io/spdx-spec/">SPDX specification release 2.2.2</a>, additional output formats of JSON, YAML, and XML are supported. A diverse set of examples for SPDX are available on this <a href="https://github.com/spdx/spdx-examples">github repo</a></p>
<p>Further information on the data model and SPDX guide can be found on the <a href="https://spdx.dev/">SPDX website</a>.</p>
<hr>
<p><em><strong>Use Cases:</strong></em></p>
<ul>
<li>SBOM for software components</li>
<li>Tracking of intellectual property (licensing, copyright) of software components</li>
<li>Listing contents of a software distribution</li>
<li>Container contents inventory</li>
<li>Associating CPEs with specific packages</li>
<li>Identifying provenance of lines of code embedded in files</li>
</ul>
<p><em><strong>Key Features:</strong></em></p>
<ul>
<li>Documented artifacts can be checked using the provided hash values</li>
<li>Rich facilities for intellectual property and licensing information</li>
<li>Flexible model able to scale from snippets and files up to packages, containers, and even operating system distributions</li>
<li>Ability to add mappings to other package reference systems</li>
</ul>
<h3 id="2---software-identification-swid-tags">2 - Software Identification (SWID) Tags</h3>
<p><em><strong>History:</strong></em></p>
<p>It is a standard implemented by the National Institute of Standards and Technology (NIST) in the U.S. that was published in 2009, then revised in 2015. They were designed to provide a transparent way for organizations to track the software installed on their managed devices. Standard SWID tags are not generated at the end of certain software creation, instead, they define a lifecycle where a new SWID tag is added to an endpoint with the software installation process and is deleted with the uninstall process. When this lifecycle is followed, the presence of a given SWID Tag corresponds directly to the presence of the software product that the Tag describes.</p>
<p><img src="https://jenkins-x.io/images/sbom-guide/swid-tags-lifecycle.png" alt="swid-tag-lifecycle"></p>
<p>Fig 2: <a href="https://d3i71xaburhd42.cloudfront.net/496312d64dc77b223803a4ee1b717be8e528e86f/16-Figure1-1.png">https://d3i71xaburhd42.cloudfront.net/496312d64dc77b223803a4ee1b717be8e528e86f/16-Figure1-1.png</a></p>
<p>Note that the present SWID tags change depending on the current state of the software.</p>
<p><em><strong>Specs:</strong></em></p>
<p>The <a href="https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8060.pdf">NISTIR 8060</a> Guideline identifies the standards of SWID tags and the components of each tag. We here go over the necessary types mentioned in the figure above. To capture the lifecycle of a software component, the SWID specification defines four types of SWID tags: primary, patch, corpus, and supplemental</p>
<ul>
<li><strong>Corpus Tag</strong> – A SWID Tag that identifies and describes an installable software product in its pre-installation state. A corpus tag can be used to represent metadata about an
installation package or installer for a software product, a software update, or a patch.</li>
<li><strong>Primary Tag</strong> – A SWID Tag that identifies and describes a software product installed
on a computing device.</li>
<li><strong>Supplemental Tag</strong> – A SWID Tag that allows additional information to be associated with any referenced SWID tag. This helps to ensure that SWID Primary and Patch Tags
provided by a software provider are not modified by software management tools while
allowing these tools to provide their software metadata.</li>
<li><strong>Patch Information</strong> – A SWID Tag that identifies and describes an installed patch that has made incremental changes to a software product installed on a computing device.</li>
</ul>
<p><strong>Note</strong> that Corpus, primary, and patch tags have similar functions in that they describe the existence and/or presence of different types of software (e.g., software installers, software installations, software patches), and, potentially, different states of software products. In contrast, supplemental tags furnish additional information not contained in the corpus, primary, or patch tags.</p>
<p>SWID tags are mainly implemented in XML format while JSON format is under development. Some tag examples can be found <a href="https://www.adelton.com/docs/security/minting-collecting-swid-tags">here</a></p>
<p><em><strong>Use Cases:</strong></em></p>
<ul>
<li>SBOM for software components</li>
<li>Continuous monitoring of installed software inventory</li>
<li>Identifying vulnerable software on endpoints</li>
<li>Ensuring that installed software is properly patched</li>
<li>Preventing installation of unauthorized or corrupted software</li>
<li>Preventing the execution of corrupted software</li>
<li>Managing software entitlements</li>
</ul>
<p><em><strong>Key Features:</strong></em></p>
<ul>
<li>Provides stable software identifiers created at build time</li>
<li>Standardizes software information that can be exchanged between software providers and consumers as part of the software installation process</li>
<li>Enables the correlation of information related to software including related patches or updates, configuration settings, security policies, and vulnerability and threat advisories.</li>
</ul>
<h3 id="3---cyclonedx">3 - CycloneDX</h3>
<p><em><strong>History:</strong></em></p>
<p>CycloneDX is a lightweight SBOM standard designed for use in application security context and supply chain component analysis as it was originally intended to identify vulnerabilities and supply chain component analysis. It also supports checking for licensing compliance. The CycloneDX project was initiated in 2017 in the <a href="https://owasp.org/">OWASP</a>community, then it became a dedicated open source project and included other working groups from <a href="https://www.sonatype.com/">Sonatype</a>and <a href="https://www.servicenow.com/">ServiceNow</a>. Supported file formats for CycloneDX are (XML, JSON, and protocol buffers)</p>
<p><em><strong>Specs:</strong></em></p>
<p>CycloneDX provides schemas for both XML and JSON, defining a format for describing simple and complex compositions of software components. It&rsquo;s designed to be flexible, and easily adaptable, with implementations for popular build systems. The specification encourages the use of ecosystem-native naming conventions and supports SPDX license IDs and expressions, pedigree, and external references. It also natively supports the Package URL specification and correlating components to CPEs. The CycloneDX object model is defined in the figure.</p>
<p align="center" width="100%">
<img src="https://jenkins-x.io/images/sbom-guide/cyclonedx-high-level-object-model-small.svg" width="480" height="320">
</p>
<br/>
<br/>
<p>Fig 3: <a href="https://cyclonedx.org/theme/assets/images/high-level-object-model-small.svg">https://cyclonedx.org/theme/assets/images/high-level-object-model-small.svg</a></p>
<ul>
<li><strong>BOM Metadata Information</strong> – BOM metadata includes the supplier, manufacturer, and the target component for which the BOM describes. It also includes the tools used to create the BOM, and license information for the BOM document itself.</li>
<li><strong>Components Information</strong> – Components describe the complete inventory of first-party and third-party components. Component identity can be represented as:
&ndash; Coordinates (group, name, version)
&ndash; Package URL
&ndash; Common Platform Enumerations (CPE)
&ndash; SWID
&ndash; Cryptographic hash functions (SHA-1, SHA-2, SHA-3, BLAKE2b, BLAKE3)</li>
<li><strong>Services Information</strong> – Services describe external APIs that the software may call. Services describe endpoint URIs, authentication requirements, and trust boundary traversals. The flow of data between software and services can also be described including the data classifications and the flow direction of each type.</li>
<li><strong>Dependency Relationships</strong> – CycloneDX provides the ability to describe components and their dependency on other components. The dependency graph is capable of representing both direct and transitive relationships. Components that depend on services can be represented in the dependency graph and services that depend on other services can be represented as well.</li>
<li><strong>Compositions</strong> – Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The aggregate of each composition can be described as complete, incomplete, incomplete first-party only, incomplete third-party only, or unknown.</li>
<li><strong>Vulnerabilities</strong> – Known vulnerabilities inherited from the use of third-party and open source software and the exploitability of the vulnerabilities can be communicated with CycloneDX. Previously unknown vulnerabilities affecting both components and services may also be disclosed using CycloneDX, making it ideal for both VEX and security advisory use cases.</li>
<li><strong>Extensions</strong> – Multiple extension points exist throughout the CycloneDX object model allowing fast prototyping of new capabilities and support for specialized and future use cases. The CycloneDX project maintains extensions that are beneficial to the larger community. The project encourages community participation and the development of extensions that target specialized or industry-specific use cases.</li>
</ul>
<p><em><strong>Use Cases:</strong></em></p>
<ul>
<li>Inventory of all software components.</li>
<li>Identifying known vulnerabilities.</li>
<li>Integrity verification using the hash functions.</li>
<li>Authenticity of the software components using a digital signature.</li>
<li>License compliance</li>
<li>Provenance</li>
</ul>
<h2 id="generate-sboms-manually-definitely-not">Generate SBOMs manually? definitely not</h2>
<p>SBOMs are frequently updated with each release of the software, so we need tools and packages to be integrated with our ci/cd pipeline. We talk about this <a href="https://jenkins-x.io/blog/2022/07/24/sbom-tools">here</a></p>
</description>
</item>
<item>
<title>Blog: Introduction to Software Bill Of Materials</title>
<link>https://jenkins-x.io/blog/2022/07/24/intro-to-sbom/</link>
<pubDate>Sun, 24 Jul 2022 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2022/07/24/intro-to-sbom/</guid>
<description>
<h2 id="introduction">Introduction</h2>
<p>Before going through Software Bill Of Materials (SBOMs), we need to set the ground for a rising concern in the software industry which is Software Supply Chain Security.
Like traditional industries, deploying a piece of a software artifact goes through multiple stages composed of collecting source code components, libraries, tools, and processes used in those stages.</p>
<p><img src="https://jenkins-x.io/images/sbom-guide/supply-chain.png" alt="comparing the different steps in a real world supply chain with software supply chain"></p>
<p>Fig. 1 <a href="https://blog.convisoappsec.com/en/is-your-software-supply-chain-secure/">https://blog.convisoappsec.com/en/is-your-software-supply-chain-secure/</a></p>
<p>A supply chain attack can occur along the chain from submitting unauthorized malicious code in your source, unauthorized injection of harmful dependencies, and even replacing packages after being built with other compromised artifacts.
A more detailed explanation about those types of attacks is <a href="https://slsa.dev/spec/v0.1/threats">here</a></p>
<p>Due to its importance and being a critical issue, generating SBOM for your software adds another layer of protection to this threat.</p>
<h2 id="definition-what-is-sbom">Definition: What is SBOM?</h2>
<p>As far as we know, developers around the world are building web applications using hundreds of third-party open-source libraries and packages. You can confidently tell that 90% of the software products around the world are built over open-source components. With that in mind, we need to keep track of using these dependencies while building our applications. What if there are vulnerabilities in the libraries we use? How to efficiently protect ourselves against it?.</p>
<p><strong><a href="https://en.wikipedia.org/wiki/Software_supply_chain#:~:text=Software%20vendors%20often,could%20harm%20them.">Software Bill Of Materials</a></strong> (SBOM) is a complete formally structured list of the materials (components, packages, libraries, SDK) used to build (i.e. compile, link) a given piece of software and the supply chain relationships between all these materials.</p>
<p>It is an inventory of all the components developers used to make this software. It has many formats and many generating tools but all have the same purpose in the end.
<em><strong>Example: a simple formatted SBOM of Ubuntu alpine docker image using <a href="https://anchore.com/sbom/how-to-generate-an-sbom-with-free-open-source-tools/">syft</a></strong></em></p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>✔ Loaded image
</span></span><span style="display:flex;"><span> ✔ Parsed image
</span></span><span style="display:flex;"><span> ✔ Cataloged packages <span style="color:#f92672">[</span><span style="color:#ae81ff">14</span> packages<span style="color:#f92672">]</span>
</span></span><span style="display:flex;"><span>NAME VERSION TYPE
</span></span><span style="display:flex;"><span>alpine-baselayout 3.2.0-r18 apk
</span></span><span style="display:flex;"><span>alpine-keys 2.4-r1 apk
</span></span><span style="display:flex;"><span>apk-tools 2.12.7-r3 apk
</span></span><span style="display:flex;"><span>busybox 1.34.1-r3 apk
</span></span><span style="display:flex;"><span>ca-certificates-bundle 20191127-r7 apk
</span></span><span style="display:flex;"><span>libc-utils 0.7.2-r3 apk
</span></span><span style="display:flex;"><span>libcrypto1.1 1.1.1l-r7 apk
</span></span><span style="display:flex;"><span>libretls 3.3.4-r2 apk
</span></span><span style="display:flex;"><span>libssl1.1 1.1.1l-r7 apk
</span></span><span style="display:flex;"><span>musl 1.2.2-r7 apk
</span></span><span style="display:flex;"><span>musl-utils 1.2.2-r7 apk
</span></span><span style="display:flex;"><span>scanelf 1.3.3-r0 apk
</span></span><span style="display:flex;"><span>ssl_client 1.34.1-r3 apk
</span></span><span style="display:flex;"><span>zlib 1.2.11-r3 apk
</span></span></code></pre></div><p>Here it shows only softwares included in the final layer of the container (default choice by syft). If we want to view a detailed SBOM with one detailed format, we can run <code>syft alpine -o spdx-json</code>. This will view the output as <code>.json</code> file following the <code>spdx</code> format (will discuss that later)</p>
<h2 id="use-cases-in-supply-chain-security">Use cases in Supply chain security</h2>
<p>What makes a supply chain attack susceptible is the lack of transparency and visibility about whether the software gets affected by a recent exploit or not. This greatly affects both producers and customers of the product.</p>
<p>On the user&rsquo;s side if they know the components of the software and that there is one component affected by certain vulnerabilities, they are better aware and ready to protect against potential attacks. This is crucial in many cases, especially with open-source tools.</p>
<p>On the software producer&rsquo;s side, it happens a lot that they are not fully aware of all the third parties used inside the project, and in turn, they can not track vulnerabilities in the system that could pose a threat. Cases like the <a href="https://snyk.io/blog/log4shell-in-a-nutshell/">Log4Shell</a> vulnerability are an example of a component (in this case, a logging library) that many producers never bothered to check because it isn&rsquo;t a direct software dependency, but rather a transitive one that is depended upon by other components.</p>
<p>SBOM can also be useful in licensing and legal issues with some formats. SPDX (Software Package Data Exchange) standard for SBOM identifies the licenses of the used components and can be checked for compliance later.</p>
<p>Next, we view the different standards and formats for SBOMs and the specifications of each one. See them <a href="https://jenkins-x.io/blog/2022/07/24/sbom-formats">here</a></p>
</description>
</item>
<item>
<title>Blog: Migrate to Google Artifact Registry</title>
<link>https://jenkins-x.io/blog/2024/05/06/migrating-artifact-registry/</link>
<pubDate>Mon, 06 May 2024 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2024/05/06/migrating-artifact-registry/</guid>
<description>
<p>Google has announced that <a href="https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr">container registry will be shut down some time after March 18, 2025</a>. For GKE clusters created with version 1.12.0 or later of <a href="https://github.com/jenkins-x/terraform-google-jx">terraform-google-jx</a> it&rsquo;s unlikely that anything needs to be done, but for older clusters you should upgrade your cluster while considering <a href="https://github.com/jenkins-x/terraform-google-jx#migration-from-container-to-artifact-registry">our advice regarding migration from container registry to artifact registry</a>.</p>
<p>If you are using a Google Service Account to run terraform you need to add the role requirement roles/artifactregistry.admin. See our guide regarding <a href="https://jenkins-x.io/v3/admin/platforms/google/svc_acct/">Google Service Account</a> for details.</p>
</description>
</item>
<item>
<title>Blog: Improve your changelogs</title>
<link>https://jenkins-x.io/blog/2023/05/24/propagate-changelogs/</link>
<pubDate>Wed, 24 May 2023 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2023/05/24/propagate-changelogs/</guid>
<description>
<h2 id="background">Background</h2>
<p>A standard part of the Jenkins X pipelines since a long time is the execution of <code>jx changelog create</code> that takes the
commit messages between the release currently being created and the previous one and creates a change log from these.
The change log is then stored as a release note in GitHub or other git provider.</p>
<p>During the last year some improvements have landed in various Jenkins X components to improve the changelogs and
their usefulness. So I&rsquo;ll take this opportunity to describe these improvements and also in general give hints to how
to get useful changelogs.</p>
<h2 id="overview-of-major-improvements">Overview of major improvements</h2>
<p>Changelogs haven&rsquo;t been very informative with regard to upgrades, ie those applied with <code>jx promote</code> or <code>jx updatebot</code>. One example of this is <a href="https://github.com/jenkins-x/jx/releases">the release notes of jx</a> after the
split out of most functionality to plugins. Lately these have improved due to new functionality to propagate
changelogs via pull requests.</p>
<p>One place where changelogs have been completely lacking is in cluster repositories. But using the functionality for
propagation of changelogs and some changes in jx boot job you can now a get a changelog for every successful
application of changes in a cluster.</p>
<h2 id="example">Example</h2>
<p>An example of what this functionality achieves can be seen in a release of jx:</p>
<p><a href="https://github.com/jenkins-x/jx/releases/tag/v3.10.81">https://github.com/jenkins-x/jx/releases/tag/v3.10.81</a></p>
<p>If you scroll past the boilerplate installation instructions you first see the changelog of jx itself generated
from commit messages: <a href="https://github.com/jenkins-x/jx/compare/v3.10.80...v3.10.81">https://github.com/jenkins-x/jx/compare/v3.10.80...v3.10.81</a></p>
<p>Then there is a separator followed by the changelog of jx-gitops. If you look in the commit messages referred to above
you will see a link to the pull request on jx for this upgrade: <a href="https://github.com/jenkins-x/jx/pull/8564">https://github.com/jenkins-x/jx/pull/8564</a>. As you can
see this pull request includes the changelog for version 0.14.8 of jx-gitops as generated by <code>jx changelog create</code>.</p>
<p>Essentially what happens is that <code>jx changelog create</code> apart from storing the release information of jx-gitops also stores it
in a file. This file is then put in the pull request on jx by <code>jx updatebot</code>. Finally <code>jx changelog create</code> looks
for changelogs in the pull requests referred to in the merge commit.</p>
<h2 id="how-to-write-commit-messages">How to write commit messages</h2>
<p>To get a good changelog the first requisite is to write good commit messages. <code>jx changelog create</code> expects commit
messages to adhere to the <a href="https://www.conventionalcommits.org/">Conventional commits</a> standard.
It is the first line of each commit message that is used, with a couple of exceptions I&rsquo;ll describe below.</p>
<p>When following this standard the first line should adhere to this format:</p>
<p><code>&lt;type&gt;[optional scope]: &lt;description&gt;</code></p>
<p>While <code>jx changelog create</code> can handle any type some will be expanded for a better looking changelog:</p>
<ul>
<li><code>feat</code>: New Features</li>
<li><code>fix</code>: Bug Fixes</li>
<li><code>perf</code>: Performance Improvements</li>
<li><code>refactor</code>: Code Refactoring</li>
<li><code>docs</code>: Documentation</li>
<li><code>test</code>: Tests</li>
<li><code>revert</code>: Reverts</li>
<li><code>style</code>: Styles</li>
</ul>
<p>Since the description is used verbatim in the changelog it should be meaningful to the audience of the changelog. Is
for example <code>fixed typo</code> meaningful? Maybe it is better to write what you try to achieve. While doing this it is
good to know that duplicate descriptions are ignored by changelog. So if you add the same description again when
doing a fix doesn&rsquo;t mean that you get duplicate lines in the changelog.</p>
<p>An optional scope is prefixed to the description in the changelog.</p>
<p>The other common part of the commit message that is reflected in the changelog are references to issues. These can
be put anywhere in the commit message. These issues are then linked to both for the specific commit and in a
separate list of affected issues.</p>
<p>An example:</p>
<pre tabindex="0"><code>feat: support dependency updates
fixed typo
relates to #1234
</code></pre><p>A less common part of a commit message that affects the changelog regards breaking changes. A footer to a commit
message of the format <code>BREAKING CHANGE: &lt;description&gt;</code> can be added and this description will be put at the top of
the changelog under the heading BREAKING CHANGES. If you add an exclamation mark before the colon in the first line
without the breaking change footer the ordinary description will be put under this heading.</p>
<p>A couple of examples regarding braking changes:</p>
<pre tabindex="0"><code>fix: upgraded library foo
BREAKING CHANGE: don&#39;t support http anymore
#98765
</code></pre><pre tabindex="0"><code>fix!: removed insecure method fubar
resolves #56789
</code></pre><p>Good to know is that <a href="https://github.com/jenkins-x-plugins/jx-release-version"><code>jx release version</code></a> also conforms
to Conventional Commits so the commit messages also affects which part of the semantic version is increased for a
release.</p>
<p>There are of course other uses of good commit messages than to generate changelogs. While code itself together with
comments should be self-explanatory with regard to what is done and how I often resort to commit messages to
understand why a change was made. I typically use the git blame functionality for this. This is another reason to
not use messages only saying something like <code>fixed typo</code>, since that typically isn&rsquo;t a useful answer to the question
of why for a future developer.</p>
<p>For more tips regarding writing good commit messages see for example
<a href="https://www.freecodecamp.org/news/how-to-write-better-git-commit-messages/">How to Write Better Git Commit Messages</a>.</p>
<h2 id="manually-edit-changelog">Manually edit changelog</h2>
<p>Note that since changelogs for dependencies are propagated through pull requests you can edit the changelog for an
application manually in the pull request before it is merged.</p>
<h2 id="configuration">Configuration</h2>
<p>Some of the features described above work out-of-the-box while others require some tweaking.</p>
<h3 id="changelog-for-cluster-repository">Changelog for cluster repository</h3>
<p>Apart from the other advantages of switching from <code>kubectl apply</code> to <code>kpt live apply</code> for reconciliation of cluster
repository with the cluster you also get a changelog generated for each successful reconciliation.</p>
<p>This changelog also includes a list of upgraded / added / deleted releases and the associated versions.</p>
<p>See a <a href="https://jenkins-x.io/blog/2023/03/09/kpt-live-apply/">previous blogpost</a> for more information.</p>
<h3 id="reuse-pull-requests">Reuse pull requests</h3>
<p>With the default settings one pitfall with the propagating the changelog via pull requests is if not all pull
requests are merged. Let&rsquo;s say version 1.0.0 of an application is released and pull request with a big changelog is
created for the production namespace. But before it is merged an error is detected and version 1.0.1 is
released and a PR for the version is created which only includes the changelog for the bug fix. When that PR is
merged only the changelog for the bug fix ends up in the changelog for the cluster.</p>
<p>To mitigate this you can enable reuse of pull requests. This means that if a PR for upgrading a dependency already
exists when executing <code>jx promote</code> or <code>jx updatebot</code> the commits for that PR are replaced with one for the new
upgrade. The existing changelog in the PR is kept though and the changelog for the new version is appended. This way
no changelog is missed.</p>
<p>Enabling reuse of pull requests for <code>jx promote</code> is done in <code>jx-requirements.yaml</code> by setting <code>reusePullRequest</code> to
<code>true</code> for an environment. It can also be done in the same way when configuring environments others ways. See
<a href="https://jenkins-x.io/v3/develop/environments/config/">https://jenkins-x.io/v3/develop/environments/config/</a> for more details about configuring environments.</p>
<p>More information about reuse of pull requests in a future blog post.</p>
<h3 id="custom-pipelines">Custom pipelines</h3>
<p>In the pipelines defined in <a href="https://github.com/jenkins-x/jx3-pipeline-catalog/">https://github.com/jenkins-x/jx3-pipeline-catalog/</a> the necessary incantations of <code>jx changelog</code>, <code>jx promote</code> and <code>jx updatebot</code> are made for promoting changelogs. But if you have a custom release
pipeline you might need to do some modifications. In particular <code>jx changelog create</code> need to save the changelog to a file.
This is done by adding an argument like <code>--output-markdown=../changelog.md</code>. To have this changelog added to the PR
the option <code>--add-changelog=../changelog.md</code> needs to be added to <code>jx promote</code> (or <code>jx updatebot</code> if applicable).</p>
<h3 id="jira-as-issue-tracker">Jira as issue tracker</h3>
<p>In the examples of commit messages above the references to issues are to the git provider. This is the default, so
if you for example are using GitHub as your git provider and also use the issue tracker in GitHub no extra
configuration is needed.</p>
<p>But there also is support for Jira as issue tracker. If you enable this support you can refer to issues both at the git
provider and in Jira.</p>
<p>You enable Jira support and configure it in the jx-requirements.yaml of the cluster repository. The
<code>issueProvider</code> field is added under <code>spec.cluster</code>:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-diff" data-lang="diff"><span style="display:flex;"><span><span style="color:#75715e">@@ -13,5 +13,9 @@ spec:
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> gitKind: github
</span></span><span style="display:flex;"><span> gitName: github
</span></span><span style="display:flex;"><span> gitServer: https://github.com
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">+ issueProvider:
</span></span></span><span style="display:flex;"><span><span style="color:#a6e22e">+ jira:
</span></span></span><span style="display:flex;"><span><span style="color:#a6e22e">+ serverUrl: https://myjira.atlassian.net
</span></span></span><span style="display:flex;"><span><span style="color:#a6e22e">+ userName: jirauser@example.com
</span></span></span><span style="display:flex;"><span><span style="color:#a6e22e"></span> project: &#34;123456789&#34;
</span></span><span style="display:flex;"><span> provider: eks
</span></span></code></pre></div><p>For security reasons the credentials for the user that will fetch data from Jira is not put there. Instead <code>jx changelog</code> expects it in the environment variable <code>JIRA_API_TOKEN</code>. The easiest way to supply this environment
variable is by adding it to the secret <code>jx-boot-job-env-vars</code> in namespace <code>jx</code> since the content av this secret are
exposed as environment variables to all standard build pipelines. If the secret doesn&rsquo;t exist you can create it
yourself like this:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># lets make sure we are in the jx-git-operator namespace</span>
</span></span><span style="display:flex;"><span>jx ns jx-git-operator
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>kubectl create secret generic jx-boot-job-env-vars --from-literal<span style="color:#f92672">=</span>JIRA_API_TOKEN<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;S!B*d$zDsb&#39;</span>
</span></span></code></pre></div><p>The <a href="https://github.com/jenkins-x/terraform-aws-eks-jx">Terraform module for Jenkins X in EKS</a> also have support for
adding variables to <code>jx-boot-job-env-vars</code>.</p>
<h3 id="more-customizations">More customizations</h3>
<p>In the <a href="https://jenkins-x.io/v3/develop/reference/jx/changelog/create/">documentations</a> for <code>jx changelog create</code> information about more customisations can be found.</p>
<h2 id="references">References</h2>
<p><a href="https://github.com/jenkins-x/enhancements/tree/master/proposals/propagate-changelogs">The enhancement proposal for propagation of changelogs</a></p>
</description>
</item>
<item>
<title>Blog: Reconcile with kpt live apply</title>
<link>https://jenkins-x.io/blog/2023/03/09/kpt-live-apply/</link>
<pubDate>Thu, 09 Mar 2023 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2023/03/09/kpt-live-apply/</guid>
<description>
<p>Since the dawn of Jenkins X 3 the default last step of reconciling the state of the files in your cluster repository to
your cluster has been to execute <code>kubectl apply</code>. You can find more details about this
<a href="https://jenkins-x.io/v3/about/how-it-works/#boot-job">here</a>.</p>
<p>There are some drawbacks with <code>kubectl apply</code> though. The one that made me start looking for alternatives was that if
you remove a resource from your cluster repository it may not be removed from your cluster. The way deletion works with
<code>kubectl apply</code> is that it is handed the option <code>--prune</code> which will remove resources that are not in the manifests.
Except that it doesn&rsquo;t always work as expected. It will only remove certain kinds of resources
<a href="https://github.com/kubernetes/kubernetes/blob/4e800983fb8da4a5960a58ad9b380484770647d1/staging/src/k8s.io/kubectl/pkg/util/prune/prune.go#L28-L44">defined in kubectl</a>.
In my case I removed an HorizontalPodAutoscaler from my cluster repository, but it wasn&rsquo;t removed from my cluster.</p>
<p>When trying to find a solution to this I first tried to override this default list in kubectl of things to prune, but
this turned out to be difficult in the general case. I also tried the already existing alternative of using <code>kapp</code> to
apply the manifests, but I couldn&rsquo;t get that to work. Looking for other options I settled for <code>kpt live apply</code>.</p>
<h2 id="configuration">Configuration</h2>
<div class="alert alert-warning" role="alert">
For all the functionality described here to work you need to have a cluster that is
<a href="https://jenkins-x.io/v3/admin/setup/upgrades/cluster/">upgraded</a> later than January 24th 2023.
</div>
<p>You enable the use of <code>kpt live apply</code> by adding</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-make" data-lang="make"><span style="display:flex;"><span>KUBEAPPLY <span style="color:#f92672">=</span> kpt-apply
</span></span></code></pre></div><p>to the <code>Makefile</code> of your cluster repository anywhere before <code>include versionStream/src/Makefile.mk</code>. This works both
in a dev cluster and in a <a href="https://jenkins-x.io/v3/admin/guides/multi-cluster/multi-cluster/">remote cluster</a>.
(With the caveat that all bets are off if you have done changes yourself to <code>versionStream/src/Makefile.mk</code>.)</p>
<p>After you have pushed this you can watch the log of the boot job using <code>jx admin log</code> as usual. When <code>kpt live apply</code> has been executed the first time you can optionally add let <code>kpt live apply --dry-run</code> be executed for
pull requests, giving a better assurance that the content of a pull request will apply nicely. But this only work
properly for pull requests to the dev cluster, since it&rsquo;s in the dev cluster the pull request pipeline will execute.
So in a remote clusters this should not be enabled. That said this functionality can be enabled by adding</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-make" data-lang="make"><span style="display:flex;"><span>PR_LINT <span style="color:#f92672">=</span> kpt-apply-dry-run
</span></span></code></pre></div><p>to the <code>Makefile</code> of your cluster repository.</p>
<h2 id="waiting-for-resources-to-be-reconciled">Waiting for resources to be reconciled</h2>
<p>While the fact that I can be sure that removed resource actually are gone is the killer feature of <code>kpt live apply</code>
for me the opposite is true as well. With this I mean that <code>kpt live apply</code>(and as a consequence) the boot job won&rsquo;t
succeed unless all resources are verified to have been applied. This includes for example that the rollout of new
applications versions with deployments have succeeded.</p>
<p>This can be seen as a problem though: the default is that <code>kpt live apply</code> tries for 15 minutes before timing out
with an error. But since the boot job is normal k8s job the job controller will create new pods on failure up to
the backoff limit, that is set to <strong>4</strong>. This can block the application of subsequent changes to the cluster repo.</p>
<h2 id="tagging-and-release-notes">Tagging and release notes</h2>
<p>When activating <code>kpt live apply</code> you will also see that tags are added to the cluster repository upon successful
application of changes. These tags can have 3 prefixes:</p>
<ul>
<li><code>crd</code> for custom resource definitions</li>
<li><code>cluster</code> for cluster wide resources</li>
<li><code>ns</code> for namespaced resources (the most common)</li>
</ul>
<p>For <code>ns</code> tags release notes will also be generated and added to the git provider (for example GitHub). This means
that you can see what has changed in your cluster by looking at the releases of the cluster repository.</p>
<p>One handy use of this is that you can get a notification from GitHub when changes has been successfully deployed by
going to the <strong>Watch</strong> menu for the repo, select <strong>Custom</strong> and check <strong>Releases</strong>. If you get the notification by email or on the
GitHub site depends on the notification settings for your GitHub account.</p>
<p>This functionality can be further customized by adding scripts to the <code>extensions</code> directory of your cluster repository.</p>
<ul>
<li><code>crd-reconciled</code> will be executed after a <code>crd</code> tag has been added</li>
<li><code>cluster-reconciled</code> will be executed after a <code>cluster</code> tag has been added</li>
<li><code>ns-reconciled</code> will be executed after a <code>ns</code> tag has been added</li>
</ul>
<p>The default behaviour is equivalent to adding the following script as <code>ns-reconciled</code>:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">#!/bin/sh
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>
</span></span><span style="display:flex;"><span>jx changelog create --tag-prefix ns-
</span></span></code></pre></div><p>Here is a somewhat hacky variety that sends out a mail with the release notes similarly to what you can
subscribe to for yourself:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">#!/bin/sh
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>set -xe
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>jx changelog create --tag-prefix ns-
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>token<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>kubectl get secret jx-boot -o jsonpath<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;{.data[&#39;password&#39;]}&#34;</span> | base64 -d<span style="color:#66d9ef">)</span>
</span></span><span style="display:flex;"><span>repourl<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>kubectl get secret jx-boot -o jsonpath<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;{.data[&#39;url&#39;]}&#34;</span> | base64 -d<span style="color:#66d9ef">)</span>
</span></span><span style="display:flex;"><span>owner<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">$(</span>echo $repourl | cut -d/ -f4<span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span>
</span></span><span style="display:flex;"><span>repo<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">$(</span>echo $repourl | cut -d/ -f5 | cut -d. -f1<span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span>
</span></span><span style="display:flex;"><span><span style="color:#f92672">(</span>
</span></span><span style="display:flex;"><span>cat <span style="color:#e6db74">&lt;&lt;EOF
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">to: changelog@example.com
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">From: dev@example.com
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">MIME-Version: 1.0
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Return-Path: &lt;&gt;
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Precedence: Bulk
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Content-Type: text/html; charset=utf-8
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Subject: Deploy to kubernetes cluster
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&lt;html&gt;
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&lt;body&gt;
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&lt;h1&gt;Deploy to kubernetes cluster&lt;/h1&gt;
</span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOF</span>
</span></span><span style="display:flex;"><span>curl -s -H <span style="color:#e6db74">&#34;Authorization: Bearer </span>$token<span style="color:#e6db74">&#34;</span> https://api.github.com/graphql -X POST -d <span style="color:#e6db74">&#39;{&#34;query&#34;:&#34;query { repository(owner:\&#34;&#39;</span>$owner<span style="color:#e6db74">&#39;\&#34;, name:\&#34;&#39;</span>$repo<span style="color:#e6db74">&#39;\&#34;) { release(tagName: \&#34;ns-&#39;</span><span style="color:#e6db74">${</span>TS<span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;\&#34;) { descriptionHTML }}}&#34;}&#39;</span> | yq .data.repository.release.descriptionHTML
</span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;&lt;/body&gt;&lt;/html&gt;&#34;</span>
</span></span><span style="display:flex;"><span><span style="color:#f92672">)</span> | sendmail -t -S smtp.example.com
</span></span></code></pre></div><p>To adapt for your own use, the minimal changes would be to find and replace the smtp server and mail addresses now
added for the domain <strong>example.com</strong>. Don&rsquo;t forget to make the script executable with <code>chmod +x ns-reconciled</code>.</p>
</description>
</item>
<item>
<title>Blog: Foreign aliases</title>
<link>https://jenkins-x.io/blog/2023/02/09/foreign-aliases/</link>
<pubDate>Thu, 09 Feb 2023 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2023/02/09/foreign-aliases/</guid>
<description>
<h2 id="background">Background</h2>
<p>In an organisation with many repositories and developers that are frequently shifting the maintenance of OWNERS and
OWNERS_ALIASES files can be tedious. In the passing year a couple of functionalities has been added to help
with this.</p>
<h2 id="foreign-aliases">Foreign aliases</h2>
<p>To avoid maintaining the OWNERS_ALIASES file in many repositories you can now refer to the OWNERS_ALIASES file in
another repository. In the Jenkins X project we have the main OWNERS_ALIASES file in the
<a href="https://github.com/jenkins-x/jx-community">jx-community</a> repository. So in the <a href="http://github.com/jenkins-x/jx">jx</a> repository
the OWNERS_ALIASES file only looks like this:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">foreignAliases</span>:
</span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">jx-community</span>
</span></span></code></pre></div><p>The organisation defaults to be the same as for the repository, but can specify as well. So in the
<a href="https://github.com/jenkins-x-plugins/jx-project">jx-project</a> repository the OWNERS_ALIASES file looks like this:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">foreignAliases</span>:
</span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">jx-community</span>
</span></span><span style="display:flex;"><span> <span style="color:#f92672">org</span>: <span style="color:#ae81ff">jenkins-x</span>
</span></span></code></pre></div><p>Using the filed <code>ref</code> you can also specify a branch or tag to use instead of the default one of the repository.</p>
<h2 id="owners-and-owners_aliases-in-new-repositories">OWNERS and OWNERS_ALIASES in new repositories</h2>
<p>When creating or importing a repository using <code>jx project</code> the default content of OWNERS and OWNERS_ALIASES isn&rsquo;t
that useful since only the current user are put in the files.</p>
<p>If you <a href="https://jenkins-x.io/v3/about/extending/#quickstarts">create your own quickstarts</a> you place the OWNERS and
/ or OWNERS_ALIASES files with the content of your liking in those.</p>
<p>A recent new functionality is that you can put OWNERS and / or OWNERS_ALIASES files in the <code>extensions</code> directory of
your cluster repository. These files will then be used as the default content of the files in new repositories.</p>
</description>
</item>
<item>
<title>Blog: Project ideas for Google Summer of Code 2023 ☀️</title>
<link>https://jenkins-x.io/blog/2023/02/06/gsoc2023-ideas/</link>
<pubDate>Mon, 06 Feb 2023 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2023/02/06/gsoc2023-ideas/</guid>
<description>
<p>We have put together some project ideas as part of our application to participate in the Google Summer of Code 2023 program.</p>
<h3 id="1-cd-events-integration-with-jenkins-x">1. CD events integration with Jenkins X</h3>
<h5 id="description">Description</h5>
<p>The cdEvents project standardises the way systems talk to each other, which enables Interoperability between systems so they speak a common language through the cdEvents spec in the event. Creating a capability in Jenkins X that can receive and sent a cdEvent would benefit the project and the DevOps ecosystem in general, by stopping glue code used to integrate systems and power innovation by letting end users swap out tools with no effort.</p>
<h5 id="expected-outcomes">Expected Outcomes</h5>
<ul>
<li>Ability to receive cdEvents</li>
<li>Ability to parse cdEvents so Jenkins X understands them</li>
<li>Ability to send cdEvents</li>
</ul>
<h5 id="recommended-skills">Recommended skills</h5>
<p>Jenkins X, Kubernetes, golang, cdEvents</p>
<h5 id="mentors">Mentors</h5>
<ul>
<li><a href="https://github.com/bradmccoydev">Brad McCoy</a></li>
</ul>
<h5 id="resources">Resources</h5>
<ul>
<li><a href="https://cloudevents.io/">https://cloudevents.io/</a></li>
<li><a href="https://www.youtube.com/watch?v=yg7RuDWHwV8">https://www.youtube.com/watch?v=yg7RuDWHwV8</a></li>
<li><a href="https://www.jenkins.io/projects/gsoc/2021/projects/cloudevents-plugin/">https://www.jenkins.io/projects/gsoc/2021/projects/cloudevents-plugin/</a></li>
<li><a href="https://cdevents.dev/">https://cdevents.dev/</a></li>
<li><a href="https://github.com/jenkins-x/lighthouse">https://github.com/jenkins-x/lighthouse</a></li>
</ul>
<h5 id="expected-size-of-project">Expected Size of project</h5>
<p>350 hours</p>
<h5 id="difficulty-rating">Difficulty rating</h5>
<p>Hard</p>
<h3 id="2-implement-drift-detection-gitops">2. Implement drift detection (gitops)</h3>
<h5 id="description-1">Description</h5>
<p>Jenkins X only applies changes to cluster when contents of the gitops repository changes as part of a git pull request or git commit. This does not satisfy one of the requirements of the gitops model where we need continuous reconciliation. It would be nice to detect drift between the current state (kubernetes) and the desired state (git) and apply only those changes. This has the side effect of making the boot job faster.</p>
<p>Also, our bootjob is made up of a makefile which calls cli commands written in golang, instead it would be desirable to move to a controller based approach similar to other tools in the kubernetes ecosystem.</p>
<h5 id="expected-outcomes-1">Expected Outcomes</h5>
<ul>
<li>Drift detection in Jenkins X</li>
<li>Configurable interval when Jenkins X will do a drift detection and apply the changes</li>
<li>Updated documentation</li>
</ul>
<h5 id="recommended-skills-1">Recommended skills</h5>
<p>Kubernetes, golang, Jenkins X, kubebuiler, basic understanding of gitops.</p>
<h5 id="mentors-1">Mentors</h5>
<ul>
<li><a href="https://github.com/ankitm123">Ankit D Mohapatra</a></li>
<li><a href="https://github.com/rajatgupta24">Rajat Gupta</a></li>
</ul>
<h5 id="resources-1">Resources</h5>
<ul>
<li><a href="https://opengitops.dev/">https://opengitops.dev/</a></li>
<li><a href="https://book.kubebuilder.io/">https://book.kubebuilder.io/</a></li>
</ul>
<h5 id="expected-size-of-project-1">Expected Size of project</h5>
<p>350 hours</p>
<h5 id="difficulty-rating-1">Difficulty rating</h5>
<p>Hard</p>
<h3 id="3-rbac-role-based-access-control-in-jenkins-x-ui">3. RBAC (Role Based Access Control) in Jenkins X UI</h3>
<h5 id="description-2">Description</h5>
<p>In the last GSoC project, we created a modern UI which has more functionalities than the older viewer UI.
However, as we added the ability to start/stop pipelines from the new UI, this opened up an issue around access.
Users of Jenkins X would like to restrict who can start/stop pipelines from the UI.</p>
<p>As we add more features to the UI involving repositories, this would also require ability to restrict access using RBAC (Role Based Access Control).
In addition, an audit trail would also help the users keep track of activities in the UI.</p>
<h5 id="expected-outcomes-2">Expected Outcomes</h5>
<ul>
<li>Fully functional Jenkins X Dashboard running in the kubernetes cluster</li>
<li>Drop in replacement for existing read only UI</li>
<li>Ability to restrict access in the UI</li>
<li>Audit trail of who took what action in the UI</li>
<li>Updated documentation</li>
</ul>
<h5 id="recommended-skills-2">Recommended skills</h5>
<p>golang, basic understanding of sveltejs and sveltekit (or any modern js framework like react, vue. angular or solid) and kubernetes</p>
<h5 id="mentors-2">Mentors</h5>
<ul>
<li><a href="https://github.com/ankitm123">Ankit D Mohapatra</a></li>
<li><a href="https://github.com/rajatgupta24">Rajat Gupta</a></li>
</ul>
<h5 id="resources-2">Resources</h5>
<ul>
<li><a href="https://youtu.be/AdNJ3fydeao">https://youtu.be/AdNJ3fydeao</a></li>
<li><a href="https://svelte.dev/">https://svelte.dev/</a></li>
<li><a href="https://kit.svelte.dev/">https://kit.svelte.dev/</a></li>
<li><a href="https://tailwindcss.com/">https://tailwindcss.com/</a></li>
<li><a href="https://go.dev/tour/welcome/1">https://go.dev/tour/welcome/1</a></li>
<li><a href="https://casbin.org/">https://casbin.org/</a></li>
</ul>
<h5 id="expected-size-of-project-2">Expected Size of project</h5>
<p>350 hours</p>
<h5 id="difficulty-rating-2">Difficulty rating</h5>
<p>Medium</p>
<h3 id="4-simplifying-jenkins-x-pipeline-syntax">4. Simplifying Jenkins X pipeline syntax</h3>
<h5 id="description-3">Description</h5>
<p>Jenkins X uses the raw tekton pipeline syntax for pipelines.
The issue with this syntax is that it&rsquo;s too verbose.
The verbosity makes sense for low level pipeline building libraries like tektoncd, but for an user facing tool like Jenkins X, it makes the
pipeline files too big for no apparent reason.
We want to investigate a new syntax which will set the boilerplate so that the syntax is recognized by tekon, but is still user friendly like gitlab/github CI.</p>
<h5 id="expected-outcomes-3">Expected outcomes</h5>
<ul>
<li>Simpler and easier to understand pipeline syntax (for developers)</li>
<li>More verbose pipeline syntax for power users (if there is a need)</li>
<li>Updated documentation</li>
</ul>
<h5 id="recommended-skills-3">Recommended skills</h5>
<p>Golang, kubernetes, tekton, cue</p>
<h5 id="resources-3">Resources</h5>
<ul>
<li><a href="https://github.com/cue-lang/cue">https://github.com/cue-lang/cue</a></li>
</ul>
<h5 id="mentors-3">Mentors</h5>
<ul>
<li><a href="https://github.com/ankitm123">Ankit D Mohapatra</a></li>
<li><a href="https://github.com/rajatgupta24">Rajat Gupta</a></li>
</ul>
<h5 id="expected-size-of-project-3">Expected Size of project</h5>
<p>350 hours</p>
<h5 id="difficulty-rating-3">Difficulty rating</h5>
<p>Medium</p>
<h3 id="5-multi-tenancy-in-jenkins-x">5. Multi-tenancy in Jenkins X</h3>
<h5 id="description-4">Description</h5>
<p>Installing multiple versions of Jenkins X in a single kubernetes cluster is not supported. There are both architectural and scalability issues around it. This would be beneficial for small teams within organizations who want to own their entire CI/CD platform instead of relying on a central release management team which can lead to more productive teams.</p>
<h5 id="expected-outcomes-4">Expected outcomes</h5>
<ul>
<li>A multi-tenant enabled Jenkins X install (jenkins X in different namespaces or a central jx install controlling pipelines running for different tenants)</li>
<li>Better scaling and security model for Jenkins X</li>
<li>Updated documentation</li>
</ul>
<h5 id="recommended-skills-4">Recommended skills</h5>
<p>Golang, kubernetes, event driven architecture</p>
<h5 id="resources-4">Resources</h5>
<ul>
<li><a href="https://github.com/jenkins-x/enhancements/pull/46">https://github.com/jenkins-x/enhancements/pull/46</a></li>
</ul>
<h5 id="mentors-4">Mentors</h5>
<ul>
<li><a href="https://github.com/ankitm123">Ankit D Mohapatra</a></li>
<li><a href="https://github.com/rajatgupta24">Rajat Gupta</a></li>
</ul>
<h5 id="expected-size-of-project-4">Expected Size of project</h5>
<p>350 hours</p>
<h5 id="difficulty-rating-4">Difficulty rating</h5>
<p>Hard</p>
<h3 id="next-steps">Next Steps</h3>
<p>If Jenkins X gets selected, we will create a followup blog with additional details.</p>
</description>
</item>
<item>
<title>Blog: GSoC 2022 Final Report: Building Jenkins X UI</title>
<link>https://jenkins-x.io/blog/2022/11/13/gsoc-2022-work-report/</link>
<pubDate>Sun, 13 Nov 2022 00:00:00 +0000</pubDate>
<guid>https://jenkins-x.io/blog/2022/11/13/gsoc-2022-work-report/</guid>
<description>
<h2 id="jenkins-x-new-ui">Jenkins X New UI</h2>
<p>It is a web application built with <a href="https://go.dev/">Golang</a> for the backend and <a href="https://kit.svelte.dev/">Sveltekit</a> for the frontend, both of which are built together and used in the same container.
To function properly, it must be installed as a helm chart with Jenkins X CRDs.</p>
<p>🌟 It has light and dark themes.</p>
<p><img src="https://jenkins-x.io/images/gsoc-work-report-22/homepage.png" alt="homepage.png"></p>
<p><img src="https://jenkins-x.io/images/gsoc-work-report-22/pipelinesPage.png" alt="pipelinesPage.png"></p>
<h2 id="why-need-a-new-ui">Why need a new UI?</h2>
<p>A good UI is essential for a CI/CD tool, as not everyone is familiar with the CLI.
The current UI (jx-pipeline-visualizer) is a read-only UI, the user can view the logs of PipelineActivity but neither can start nor stop the pipeline.</p>
<p>Features that the UI will provide:</p>