Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding CycloneDX to generate a Software Bill Of Materials #7915

Closed
wants to merge 1 commit into from
Closed

Adding CycloneDX to generate a Software Bill Of Materials #7915

wants to merge 1 commit into from

Conversation

aaime
Copy link
Member

@aaime aaime commented Sep 27, 2024
edited
Loading

Experimenting with the CycloneDX plugin to generate a Software Bill Of Materials in said format.
Apparently this is becoming a common request to validate software contents.

Here is an example output tested on GeoServer 2.24.3 with a given set of plugins enabled via profiles, so that you can get an idea:
CycloneDX-Sbom.json

The command to generate it was:

> cd web/app
> mvn clean install -nsu -fae -PsldService,printing,monitor,control-flow,wps,kmlppio,wps-download,excel,querylayer,gdal,authkey,css,ysld,importer,wmts-multi-dimensional,backup-restore,oauth2-geonode,oauth2-openid-connect,geofence-server,geofence-wps

and then grab the results in web/app/target.

This would help supporting the EU Cyber Resilence Act, which among the other things, requires a SBOM structure (I've been told this is already active in Germany). See also this article by OWASP.

I've also noticed software, like PMD, that is adding these SBOM files as part of their release process:
https://github.com/pmd/pmd/releases/tag/pmd_releases%2F7.6.0

Checklist

For core and extension modules:

  • New unit tests have been added covering the changes.
  • Documentation has been updated (if change is visible to end users).
  • The REST API docs have been updated (when changing configuration objects or the REST controllers).
  • There is an issue in the GeoServer Jira (except for changes that do not affect administrators or end users in any way).
  • Commit message(s) must be in the form [GEOS-XYZWV] Title of the Jira ticket.
  • Bug fixes and small new features are presented as a single commit.
  • Each commit has a single objective (if there are multiple commits, each has a separate JIRA ticket describing its goal).

@mprins
Copy link
Member

mprins commented Sep 27, 2024

I usually do: mvn clean package org.cyclonedx:cyclonedx-maven-plugin:2.8.2:makeBom -DprojectType=application -U -f src/pom.xml -pl :gs-web-app main difference to your config is that I've chosen to use "application" for the geoserver war.

our use-case involves submitting the sbom to Dependency-Track to monitor dependencies.

Alternatively GH provides SBOM download/export for GeoServer at https://github.com/geoserver/geoserver/network/dependencies though that also includes lots of irrelevant things like python and maven deps for building

jodygarnett
jodygarnett reviewed Oct 1, 2024
View reviewed changes
src/web/app/pom.xml
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<version>2.8.2</version>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usual feedback of pushing version up to root pom.xml

@jodygarnett
Copy link
Member

I really like this activity @aaime and @mprins - thank you both for sharing.

@aaime
Copy link
Member Author

aaime commented Oct 1, 2024

@jodygarnett all I needed was a "one off" sbom generation, but thought to open the PR to gather feedback. I have no block of time allocated to push this further, but happy to keep discussing.

In my mind the main question remaining is how to deliver this, should we decide to include it in releases (as said, at the moment, I only needed a one-off SBOM for a GeoServer with a particular set of plugins).
Should one have a sbom for GeoServer, as a release artifact, and one in each extension zip? Or maybe a zip with all the sboms for the main war and for the various extensions, to be then processed by online tools like https://cyclonedx.github.io/cyclonedx-web-tool/ (see the "merge" option).

The idea to use the GeoServer own REST API (if I understood correctly) sounds weird, although I guess it may be convenient to go and ask a given GeoServer installation for its own SBOM... but we'd have to compute the SBOMS during every build, and add them into the classpath as resources, to pull that off. The calculation seemed to take a while, this PR is just a draft, for something "real" I would have it as part of the release procedure only.

@jodygarnett
Copy link
Member

Now that I understand what this is, I think it would be easiest to:

  • include this in the build process packaging step
  • include the file in the zip download (not sure if their is a folder convention to follow?)

Anyone wishing to do an audit can process the bill of materials for core geoserver, and any extensions they choose to install also.

@mprins
Copy link
Member

mprins commented Oct 1, 2024

if/when Maven is used to publish/push artifacts the sbom is attached to the artifact including signature files for integrity eg.

<dependency>
  <groupId>org.tailormap</groupId>
  <artifactId>tailormap-api</artifactId>
  <version>11.4.0</version>
  <classifier>cyclonedx</classifier>
  <type>json</type>
</dependency>

see: https://repo.b3p.nl/nexus/#browse/browse:public:org%2Ftailormap%2Ftailormap-api%2F11.4.0%2Ftailormap-api-11.4.0-cyclonedx.json

@aaime aaime closed this Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jodygarnett jodygarnett jodygarnett left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aaime @mprins @jodygarnett