Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add property cdx:reproducible #70

Merged
merged 1 commit into from
Aug 20, 2023
Merged

add property cdx:reproducible #70

merged 1 commit into from
Aug 20, 2023

Conversation

jkowalleck
Copy link
Member

@jkowalleck jkowalleck commented Aug 13, 2023
edited
Loading

Purpose: flag a SBOM document or parts of it as reproducible.
reproducible SBOMs usually omit time-and random-based information, and might render elements in a reproducible order.

some implementations that can generate “reproducible” BOMs, by omitting time- and random-based values, ordering elements, and so on already exist.

caused by #69 (comment)

@jkowalleck jkowalleck added the enhancement New feature or request label Aug 13, 2023
@jkowalleck jkowalleck requested a review from a team as a code owner August 13, 2023 07:50
@jkowalleck jkowalleck mentioned this pull request Aug 13, 2023
Closed
@jkowalleck jkowalleck changed the title property cdx:reproducible add property cdx:reproducible Aug 13, 2023
hboutemy
hboutemy reviewed Aug 13, 2023
View reviewed changes
cdx.md Outdated Show resolved Hide resolved
hboutemy added a commit to hboutemy/cyclonedx-property-taxonomy that referenced this pull request Aug 13, 2023
@hboutemy
drop Maven-specific reproducible, use CycloneDX#70
f8a1197 
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
@jkowalleck
cdx:reproducible
da29800 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
Copy link
Member Author

@stevespringett could I get your opinion on this proposed property?

@jkowalleck jkowalleck merged commit f54283a into main Aug 20, 2023
2 checks passed
@jkowalleck jkowalleck deleted the cdx-reproducible branch August 20, 2023 06:47
This was referenced Aug 20, 2023
Open
Open
Open
hboutemy added a commit to hboutemy/cyclonedx-property-taxonomy that referenced this pull request Aug 22, 2023
@hboutemy
drop Maven-specific reproducible, use CycloneDX#70
689638e 
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
@lfrancke lfrancke mentioned this pull request Aug 27, 2023
Closed
mathstuf
mathstuf reviewed Aug 28, 2023
View reviewed changes
cdx.md

| Property | Description |
| -------- | ----------- |
| `cdx:reproducible` | Whether the CycloneDX document has been generated in a reproducible manner: if so, then time- or random-based values MUST be omitted, and elements order SHOULD be reproducible. _Boolean value_. May appear once. |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about using SOURCE_DATE_EPOCH for time information?

Copy link
Member Author

@jkowalleck jkowalleck Aug 28, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about it?
all build-time information that is related to time is optional in CycloneDX, so just omit it.

If you going to fake/pretend timestamps, then why bother making the document as "reproducible"?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea of it is to say "the date is when the source artifact was made/published/whatever". I suppose just omitting it here is fine, but not having to scrounge for some date information elsewhere would be useful I expect…

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you open a new issue for the topic, so we could discuss further?
please describe why you need the timestamp, for what you use it, and what you want to artificially base it of, and what role the "reproducible" flag plays in all that.

@mathstuf mathstuf mentioned this pull request Aug 30, 2023
Closed
hboutemy added a commit to CycloneDX/cyclonedx-maven-plugin that referenced this pull request Sep 3, 2023
@hboutemy
replace maven.reproducible property with cdx:reproducible
52a4651 
property introduced in CycloneDX/cyclonedx-property-taxonomy#70

Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
@hboutemy hboutemy mentioned this pull request Sep 3, 2023
Merged
hboutemy added a commit to CycloneDX/cyclonedx-maven-plugin that referenced this pull request Sep 12, 2023
@hboutemy
replace maven.reproducible property with cdx:reproducible
71c467e 
property introduced in CycloneDX/cyclonedx-property-taxonomy#70

Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mathstuf mathstuf mathstuf left review comments

@hboutemy hboutemy hboutemy approved these changes

@stevespringett stevespringett Awaiting requested review from stevespringett

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jkowalleck @mathstuf @hboutemy