feat: generate SBOM file for releases #1367
Conversation
Reviewable status: 0 of 3 files reviewed, 2 unresolved discussions
build.gradle, line 38 at r1 (raw file):

```groovy
// includeConfigs += ["runtimeClasspath"]
// skipConfigs is a list of configuration names to exclude when generating the BOM
// skipConfigs += ["compileClasspath", "testCompileClasspath"]
```
I do not know which configs would be sensible to skip or if only a specific set should be included in the first place.
The currently commented-out values are from the plugin's readme https://github.com/CycloneDX/cyclonedx-gradle-plugin
.circleci/config.yml, line 62 at r1 (raw file):

```yaml
- run: cp ~/inspectit/repo/components/inspectit-ocelot-eum-server/build/libs/inspectit-ocelot-eum-server-${CIRCLE_TAG}.jar ~/inspectit/artifacts
- run: cp ~/inspectit/repo/build/reports/bom.json ~/inspectit/artifacts
- run: cp ~/inspectit/repo/build/reports/bom.xml ~/inspectit/artifacts
```
I could not yet test whether these additions work as expected.
Codecov Report

```diff
@@             Coverage Diff              @@
##             master    #1367      +/-   ##
============================================
- Coverage     81.16%   81.04%   -0.12%
+ Complexity     2072     2071       -1
============================================
  Files           210      211       +1
  Lines          6591     6593       +2
  Branches        784      782       -2
============================================
- Hits           5349     5343       -6
- Misses          943      951       +8
  Partials        299      299
```
Force-pushed from 1f948a3 to bf2a3d9 (Compare)
Reviewable status: 0 of 6 files reviewed, all discussions resolved (waiting on @mariusoe)
inspectit-ocelot-core/build.gradle, line 156 at r2 (raw file):

```groovy
cyclonedxBom {
    // includeConfigs is the list of configuration names to include when generating the BOM (leave empty to include every configuration)
    includeConfigs += ["runtimeClasspath"]
```
As discussed, only dependencies in the runtimeClasspath are taken into account.
Reviewed 1 of 3 files at r1, 2 of 3 files at r2, 3 of 3 files at r3, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @aaronweissler)
.circleci/config.yml, line 61 at r3 (raw file):

```yaml
- run: cp ~/inspectit/repo/components/inspectit-ocelot-configurationserver/build/libs/inspectit-ocelot-configurationserver-${CIRCLE_TAG}.jar ~/inspectit/artifacts
- run: cp ~/inspectit/repo/components/inspectit-ocelot-eum-server/build/libs/inspectit-ocelot-eum-server-${CIRCLE_TAG}.jar ~/inspectit/artifacts
- run: cp ~/inspectit/repo/inspectit-ocelot-core/build/reports/bom.json ~/inspectit/artifacts/inspectit-ocelot-agent-bom.json
```
Maybe we should bundle all of these bom files within a single zip-archive file. Doing this, we don't overload the release artifacts with all of those bom files.
What do you think?
components/inspectit-ocelot-configurationserver/build.gradle, line 84 at r3 (raw file):

```groovy
cyclonedxBom {
    // includeConfigs is the list of configuration names to include when generating the BOM (leave empty to include every configuration)
```
Imo we don't need this comment. Please remove it in each file.
Reviewable status: 2 of 6 files reviewed, 2 unresolved discussions (waiting on @mariusoe)
.circleci/config.yml, line 61 at r3 (raw file):
Previously, mariusoe (Marius Oehler) wrote…
> Maybe we should bundle all of these bom files within a single zip-archive file. Doing this, we don't overload the release artifacts with all of those bom files.
> What do you think?
I like the idea, is added now :)
components/inspectit-ocelot-configurationserver/build.gradle, line 84 at r3 (raw file):
Previously, mariusoe (Marius Oehler) wrote…
Imo we don't need this comment. Please remove it in each file.
Done.
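The thread settles two things: each module's BOM is generated from `runtimeClasspath` only, and the resulting bom.json files are bundled into one zip for the release. The script below is an added example (not inspectIT Ocelot project code, and not what the PR's Gradle/CircleCI changes do) showing the check a release step would want before bundling: it parses each CycloneDX JSON BOM, refuses one that is empty (usually a sign the wrong configuration was included) or whose components lack a `purl`, and only then writes the zip. The sample BOMs and their component names are constructed for illustration; `validate_bom`, `bundle_boms` and `list_bundle` are hypothetical helper names.

```python
"""Added example (not inspectIT Ocelot project code): sanity-check the
CycloneDX bom.json files a build produced and bundle them into a single
release zip. Sample BOMs below are constructed, not real build output."""
import io
import json
import zipfile
from typing import Dict, List

# Constructed sample in the shape the cyclonedx-gradle-plugin writes to
# build/reports/bom.json. Component names and versions are made up.
SAMPLE_AGENT_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "group": "org.example", "name": "lib-a",
         "version": "1.2.3", "purl": "pkg:maven/org.example/lib-a@1.2.3"},
        {"type": "library", "group": "org.example", "name": "lib-b",
         "version": "4.5.6", "purl": "pkg:maven/org.example/lib-b@4.5.6"},
    ],
})

# Constructed defective BOM: the component has no purl, so a vulnerability
# scanner could not match it against advisory databases.
SAMPLE_BAD_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "lib-c", "version": "0.1"},
    ],
})


def validate_bom(raw: str) -> List[str]:
    """Return the problems found in a CycloneDX JSON BOM (empty list = ok)."""
    problems: List[str] = []
    try:
        bom = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not bom.get("specVersion"):
        problems.append("missing specVersion")
    components = bom.get("components") or []
    if not components:
        # An empty component list almost always means the wrong Gradle
        # configuration was included, not a dependency-free module.
        problems.append("no components listed")
    for idx, comp in enumerate(components):
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                problems.append(f"component #{idx} missing {field}")
    return problems


def bundle_boms(boms: Dict[str, str]) -> bytes:
    """Write the given BOMs (archive name -> JSON text) into one zip.

    Every BOM is validated first; a defective one aborts the bundle so a
    release never ships an empty or unusable SBOM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, raw in sorted(boms.items()):
            problems = validate_bom(raw)
            if problems:
                raise ValueError(f"{name}: " + "; ".join(problems))
            zf.writestr(name, raw)
    return buf.getvalue()


def list_bundle(data: bytes) -> List[str]:
    """Return the sorted member names of a bundle produced by bundle_boms."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    archive = bundle_boms({"inspectit-ocelot-agent-bom.json": SAMPLE_AGENT_BOM})
    print(list_bundle(archive))
    print(validate_bom(SAMPLE_BAD_BOM))
```

In a CI job the `boms` dict would be filled from the per-module `build/reports/bom.json` paths the config copies today, and the returned bytes written next to the jars as the single release artifact the reviewers asked for.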
Reviewed 4 of 4 files at r4, 1 of 1 files at r5, all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @aaronweissler)