In addition to the executable jar, the rule should produce a Bill of Materials that lists everything packaged in the jar.
The Maven plugin beat us to this. I like their solution, so look at what they are doing:
https://spring.io/blog/2024/05/24/sbom-support-in-spring-boot-3-3

Two outputs:
- bundle the SBOM inside the springboot executable jar
- make the SBOM a Bazel output (or a separate rule), such that it can be an input into other rules, such as custom validation rules. "scan the SBOM and look for xyz and fail my build if it is found"

springboot(
    ...
    sbom_generate = True, # default True as of 2.4.0
    sbom_format = "cyclonedx", # only supported value as of 2.4.0
)

Implementation:
I learned at BazelCon rules_license has apparently gotten support from rules_jvm_external to populate the sbom provider. Look into rules_license as the primary means for generating the sbom. Balance the benefits of that against taking a hard dependency on another project.

plaird changed the title "Provide a list of packaged files (BOM) as an output" to "Provide a list of packaged files (SBOM, CycloneDX) as an output" on Oct 29, 2024
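One way to realise the "scan the SBOM and fail my build" use case from the issue above, as an added example (not rules_spring code and not the Spring Boot plugin's): a standalone checker that parses a CycloneDX JSON SBOM, walks its components (including nested ones), and exits non-zero when a component matches a deny policy. A Bazel genrule or test rule could run it over the SBOM output of the springboot() rule. The DenyRule policy shape, the version comparison, the sample SBOM and every component name in it are constructed for illustration.

```python
"""Check a CycloneDX JSON SBOM against a deny policy; non-zero exit on a match.

Constructed example, not part of rules_spring. Reads the SBOM path from argv[1]
or falls back to the embedded sample document.
"""
import json
import re
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample SBOM, trimmed to the CycloneDX fields this checker uses.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "com.example", "name": "legacy-parser",
         "version": "1.0.2", "purl": "pkg:maven/com.example/legacy-parser@1.0.2",
         # nested components are allowed by CycloneDX; the walker must descend
         "components": [
             {"type": "library", "group": "com.example", "name": "banned-lib",
              "version": "0.9", "purl": "pkg:maven/com.example/banned-lib@0.9"},
         ]},
        {"type": "library", "group": "com.example", "name": "safe-lib",
         "version": "4.1.0", "purl": "pkg:maven/com.example/safe-lib@4.1.0"},
    ],
})


@dataclass(frozen=True)
class DenyRule:
    """Deny a Maven group:name; with max_version set, only versions below it."""
    group: str
    name: str
    max_version: Optional[str] = None   # first version that is allowed again
    reason: str = ""


# Constructed policy: hypothetical coordinates, not real advisories.
POLICY = [
    DenyRule("com.example", "legacy-parser", max_version="2.0.0",
             reason="constructed: builds before 2.0.0 are end-of-life"),
    DenyRule("com.example", "banned-lib", reason="constructed: never allowed"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.0.2' or '2.1-SNAPSHOT' into a comparable tuple of leading ints."""
    out = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def iter_components(items: Iterable[dict]) -> Iterator[dict]:
    """Depth-first walk over components and their nested 'components' lists."""
    for c in items:
        yield c
        yield from iter_components(c.get("components", []))


def find_violations(sbom: dict, rules: List[DenyRule]) -> List[str]:
    """Return one message per (component, rule) match."""
    found = []
    for c in iter_components(sbom.get("components", [])):
        group, name, version = c.get("group", ""), c.get("name", ""), c.get("version", "")
        for r in rules:
            if (group, name) != (r.group, r.name):
                continue
            if r.max_version is None or parse_version(version) < parse_version(r.max_version):
                found.append(f"{group}:{name}:{version} denied ({r.reason})")
    return found


def check_sbom(sbom_text: str, rules: List[DenyRule]) -> Tuple[bool, List[str]]:
    """Parse the SBOM text and return (ok, messages); ok is False on any violation."""
    try:
        sbom = json.loads(sbom_text)
    except json.JSONDecodeError as e:
        return False, [f"SBOM is not valid JSON: {e}"]
    if sbom.get("bomFormat") != "CycloneDX":
        return False, ["SBOM is not a CycloneDX document"]
    violations = find_violations(sbom, rules)
    return (not violations), violations


def main(argv: List[str]) -> int:
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SBOM
    ok, messages = check_sbom(text, POLICY)
    for m in messages:
        print(m, file=sys.stderr)
    return 0 if ok else 1  # non-zero exit fails the Bazel action that ran it


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The checker only needs `group`, `name` and `version`; it ignores `purl` so that it also works on SBOMs whose generator omits it. Extending DenyRule with a minimum version would turn it into a range check for a specific affected interval.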