
Possible to include commit identifier in BOM? #427

Open
io7m opened this issue Nov 10, 2023 · 12 comments

Comments

@io7m

io7m commented Nov 10, 2023

Hello!

Via the buildnumber-maven-plugin, I have access to the SCM revision that was used to produce whatever is in the current BOM. The revision is accessible via the ${buildNumber} property.

Is there some way to get this information into the produced BOM? I can't see an obvious way to include properties in the BOM, or to include that information in any other way...

@hboutemy
Contributor

did you see in CycloneDX schema any location that would be ok to record that type of info?
somewhere in metadata https://cyclonedx.org/docs/1.5/json/#metadata?
or in formulation https://cyclonedx.org/docs/1.5/json/#formulation?

@io7m
Author

io7m commented Jan 15, 2024

Hello! I had intended to just stick it in metadata/properties. If there's a preferred place to put it, I'd gladly use that. I couldn't see any, though.

@hboutemy
Contributor

yes, never seen commit info in any of the examples https://github.com/CycloneDX/bom-examples
and there is no official property id in the taxonomy for such a common practice: https://github.com/CycloneDX/cyclonedx-property-taxonomy

I suppose this would deserve a discussion on CycloneDX Slack general channel

@VinodAnandan

@io7m @hboutemy Is it possible to construct the full commit URL? (e.g. https://github.com/CycloneDX/cyclonedx-maven-plugin/commit/349fe7cc7fd8b7f2224075b5fe7d73e7f0832140). If we can construct the full commit URL, I think it is better to use vcs from the externalReferences (https://cyclonedx.org/docs/1.5/json/#externalReferences_items_type)


    "externalReferences": [
      {
        "url": "https://github.com/CycloneDX/cyclonedx-maven-plugin/commit/349fe7cc7fd8b7f2224075b5fe7d73e7f0832140",
        "type": "vcs"
      }
    ]

@stevespringett, @coderpatros, @jkowalleck, @prabhu, @nscuro, @tsjensen Could you please let us know your thoughts on this?

@jkowalleck
Member

jkowalleck commented Jan 20, 2024

re #427 (comment)

https://github.com/CycloneDX/cyclonedx-maven-plugin/commit/349fe7cc7fd8b7f2224075b5fe7d73e7f0832140

The fact that github allows accessing a certain git commit is just a happy little accident, nothing you should make a general assumption from. Furthermore, a VCS may run cleanup jobs that remove unattached/orphan nodes.
And remember: github is just one VCS - do you plan on implementing things for every known VCS out there - and even self-hosted ones?

If you really must do it like this, and you knew the repository URL, then it would be possible to annotate like so:

{
  "url": "git+https://github.com/CycloneDX/cyclonedx-maven-plugin.git#a964c6e80164914e48207239cef29e722a6e87af",
  "type": "vcs"
}

When adding such URLs, be aware that they might include authentication (username/password), like
git+https://__token__:<myaccesstoken>@acme.org/foo/bar.git
You might want to strip usernames/passwords. Here is a regex to find all these secrets: (?<=://)[^/@:]+:[^/@]+@

and it goes one step further with PackageURLs - they allow a qualifier for this purpose: vcs_url
see https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs
the VCS reference would be added - according to PURL spec (which leverages SPDX spec 3.7) - ala <vcs_tool>+<transport>://<host_name>[/<path_to_repository>][@<revision_tag_or_branch>][#<sub_path>]
example values for PURL qualifier vcs_url:

  • git+https://github.com/CycloneDX/cyclonedx-maven-plugin.git@a964c6e80164914e48207239cef29e722a6e87af

re #427 (comment)

Formulations might be used.
There is a task type "clone" which might be appropriate. But actually I am uncertain, since the documentation for the cases is still missing (@mrutkows CycloneDX/specification#245)

@jkowalleck
Member

jkowalleck commented Jan 20, 2024

since the original request talks about a build number, and build numbers are usually added to the actual version identifiers in the form of <version core> "+" <build> (compare SemVer), I'd recommend doing the same here.

I'd assume the appropriate thing would be that the "build number" is added to the CycloneDX document as $.metadata.component.version, like so:

{
  "metadata": {
    "component": {
      "name": "cyclonedx-maven-plugin",
      "version": "1.33.7+a964c6e80164914e48207239cef29e722a6e87af"
    },
    ...
  },
  ...
}

@io7m where do you want to see your build number in the CDX document?
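An added example (not the plugin's code and not posted by anyone in this thread) that puts the two comments above together: the credential-stripping regex quoted above, the SemVer-style <version core>+<build> version, the PURL vcs_url qualifier and the vcs externalReference, all produced from one repository URL and commit id. Helper names are hypothetical, and the sample repository URL with its fake token is constructed.

```python
import re
from urllib.parse import quote

# Regex posted in the thread: user:password (or __token__:token) right after the scheme.
SECRET_RE = re.compile(r"(?<=://)[^/@:]+:[^/@]+@")
# SemVer 2.0 build metadata: dot-separated identifiers of [0-9A-Za-z-].
BUILD_RE = re.compile(r"^[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*$")


def strip_credentials(url: str) -> str:
    """Drop embedded credentials so they never land in a published BOM."""
    return SECRET_RE.sub("", url)


def version_with_build(version_core: str, build: str) -> str:
    """<version core> "+" <build>, rejecting build strings SemVer would not accept."""
    if not BUILD_RE.match(build):
        raise ValueError(f"invalid SemVer build metadata: {build!r}")
    return f"{version_core}+{build}"


def vcs_locator(repo_url: str, revision: str, sep: str) -> str:
    """<vcs_tool>+<transport>://<host>/<path> followed by the revision:
    '#' for the externalReference form shown above, '@' for the PURL vcs_url form."""
    return f"git+{strip_credentials(repo_url)}{sep}{revision}"


def metadata_component(group: str, name: str, version_core: str,
                       repo_url: str, revision: str) -> dict:
    """$.metadata.component carrying the commit in all three places discussed above."""
    version = version_with_build(version_core, revision)
    # PURL qualifier values are percent-encoded; ':' and '/' may stay literal.
    qualifier = quote(vcs_locator(repo_url, revision, "@"), safe=":/")
    return {
        "type": "library",
        "group": group,
        "name": name,
        "version": version,
        "purl": f"pkg:maven/{group}/{name}@{quote(version, safe='')}?vcs_url={qualifier}",
        "externalReferences": [{"url": vcs_locator(repo_url, revision, "#"), "type": "vcs"}],
    }


if __name__ == "__main__":
    import json
    # Constructed sample input; the token is fake and must be gone from the output.
    print(json.dumps(metadata_component(
        "org.cyclonedx", "cyclonedx-maven-plugin", "1.33.7",
        "https://__token__:s3cr3t@github.com/CycloneDX/cyclonedx-maven-plugin.git",
        "a964c6e80164914e48207239cef29e722a6e87af"), indent=2))
```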

@io7m
Author

io7m commented Jan 21, 2024

@jkowalleck I honestly have no preference. I was just looking at this because:

  • I publish CycloneDX BOMs.
  • I have reproducible builds in all of my projects.
  • I have commit IDs accessible in all of my builds.

Therefore, I thought it would probably be a good idea if someone could look in the BOM and then work backwards from the commit ID to determine the exact original sources that produced the build. I realize the BOM also provides this information (via hashes of binaries), but I thought an extra layer of assurance would be nice to have.

@tsjensen

I agree with @io7m's notion that the VCS hash is useful metadata. Every commit might influence the SBOM of a project. In fact, I think we even need the information of whether the Git workspace was clean, because otherwise again the SBOM might have been changed in relation to the latest commit.

In order to address this, we defined siemens:vcsRevision and siemens:vcsClean in the Siemens property taxonomy (which you are welcome to use, too).

@tsjensen

But thinking further, I believe that eventually, what we want is a vcs section as a first-class citizen in metadata that bundles all this info. External references are not very good for this, because they do not carry the same semantic weight as a metadata/vcs section would.

But it's not like we're in a lot of pain over this at the moment, so we can discuss when the time comes. 🙂

@io7m
Author

io7m commented Jan 27, 2024

A slightly more basic issue is that there doesn't actually seem to be a way to include extra properties of any kind in the BOM using the cyclonedx-maven-plugin. If there is a way, it doesn't appear to be in the plugin documentation.

@hboutemy
Contributor

the plugin has focused until now on Maven dependencies = CycloneDX $.components[]

this commit identifier is about more precisely describing the project being built, $.metadata.component: until recently, the component being built was described exactly like a dependency component.
This changed in 2.7.11 with #428 about adding custom external references, documented in https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html

on the git commit, I feel that developers are trying to replace the build tool: pom.xml has the Git tag (if the release process has been done right at the Maven level)
