Story
Resolution: Unresolved
Medium
See highlighted instructions
What is it?
Software Package Data Exchange (SPDX) is an open standard for communicating
software bill of materials (SBOM) information that supports accurate identification of software
components, explicit mapping of relationships between components, and the association of
security and licensing information with each component.
In global-jjb, "lf-infra-maven-sbom-generator" is an optional builder step of the "gerrit-maven-stage" job.
How to use it?
To enable the SPDX SBOM Generator, set "sbom-generator" to true for your gerrit-maven-stage jobs.
This feature is disabled by default for all projects.
Optional variables:
- "sbom-flags" to pass any optional flags to the executor, as documented at
  https://github.com/opensbom-generator/spdx-sbom-generator
- "sbom-generator-version" to use a specific SPDX SBOM Generator version (default is "v0.0.10")
Code example:
    - gerrit-maven-stage:
        sbom-generator: true
        sbom-flags: "-p test/path/example"
        sbom-generator-version: v0.0.13
What does it do?
When "sbom-generator" is true, "gerrit-maven-stage" runs the SPDX SBOM Generator tool to generate a software bill of materials
covering the package managers found in the project.
This report will be part of the "autorelease" package for a staged release candidate. For example:
https://nexus.onap.org/content/repositories/autorelease-318953/
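The SBOM that lands in the autorelease package is only useful if someone reads it. The following is an added example (not part of this ticket, global-jjb, or the spdx-sbom-generator project) of what a release reviewer can do with the report: parse an SPDX 2.x tag-value document, which is the generator's default output format, and flag packages whose identification, provenance, or licensing information is incomplete. The SBOM text embedded below is constructed for the example; the package names, checksums, and URLs in it are placeholders, and the audit rules are this example's own choices, not anything the generator enforces.

```python
"""Parse an SPDX 2.x tag-value SBOM and flag packages a release reviewer would question."""
import re

# Constructed sample SBOM (placeholder packages, checksums and URLs), in the
# tag-value layout spdx-sbom-generator writes to bom-<module>.spdx.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-project
DocumentNamespace: https://example.invalid/spdxdocs/example-project
Creator: Tool: spdx-sbom-generator-v0.0.13
Created: 2021-06-01T12:00:00Z

##### Package: example-core

PackageName: example-core
SPDXID: SPDXRef-Package-example-core
PackageVersion: 1.4.2
PackageSupplier: Organization: Example Org
PackageDownloadLocation: https://repo.example.invalid/example-core-1.4.2.jar
FilesAnalyzed: false
PackageChecksum: SHA1: 0000000000000000000000000000000000000001
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: <text>Copyright Example Org
All rights reserved.</text>

##### Package: example-util

PackageName: example-util
SPDXID: SPDXRef-Package-example-util
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA1: 0000000000000000000000000000000000000002
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION

##### Package: example-legacy

PackageName: example-legacy
SPDXID: SPDXRef-Package-example-legacy
PackageVersion: 0.9.0
PackageDownloadLocation: https://repo.example.invalid/example-legacy-0.9.0.jar
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-core
Relationship: SPDXRef-Package-example-core DEPENDS_ON SPDXRef-Package-example-util
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
UNKNOWN = {"NOASSERTION", "NONE", ""}


def parse_tag_value(text):
    """Return (document_fields, packages, relationships) from SPDX tag-value text.

    Fields seen before the first PackageName belong to the document; every
    PackageName starts a new package that owns the fields until the next one.
    """
    doc, packages, rels = {}, [], []
    current = None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.groups()
        # Multi-line values are wrapped in <text>...</text>; join them.
        if value.startswith("<text>") and not value.endswith("</text>"):
            parts = [value[len("<text>"):]]
            for cont in lines:
                if cont.strip().endswith("</text>"):
                    parts.append(cont.strip()[:-len("</text>")])
                    break
                parts.append(cont)
            value = "\n".join(parts)
        elif value.startswith("<text>"):
            value = value[len("<text>"):-len("</text>")]
        if tag == "PackageName":
            current = {"PackageName": value, "PackageChecksum": []}
            packages.append(current)
        elif tag == "Relationship":
            rels.append(tuple(value.split()))  # (source, type, target)
        elif current is not None:
            if tag == "PackageChecksum":
                current["PackageChecksum"].append(value)
            else:
                current[tag] = value
        else:
            doc[tag] = value
    return doc, packages, rels


def audit_packages(packages, rels):
    """Map each package name to the list of review findings for it (empty = clean)."""
    referenced = {spdxid for rel in rels for spdxid in (rel[0], rel[2])}
    findings = {}
    for pkg in packages:
        issues = []
        if "PackageVersion" not in pkg:
            issues.append("missing PackageVersion")
        if pkg.get("PackageDownloadLocation", "") in UNKNOWN:
            issues.append("unverifiable download location")
        if not pkg["PackageChecksum"]:
            issues.append("no PackageChecksum")
        if pkg.get("PackageLicenseConcluded", "") in UNKNOWN:
            issues.append("license not concluded")
        if pkg.get("SPDXID") not in referenced:
            issues.append("not referenced by any Relationship")
        findings[pkg["PackageName"]] = issues
    return findings


if __name__ == "__main__":
    doc, pkgs, rels = parse_tag_value(SAMPLE_SBOM)
    print(f"{doc['DocumentName']} ({doc['SPDXVersion']}): {len(pkgs)} packages")
    for name, issues in audit_packages(pkgs, rels).items():
        print(f"  {name}: {', '.join(issues) or 'ok'}")
```

To run it against a real report, read the bom-*.spdx file from the autorelease directory into `parse_tag_value` instead of `SAMPLE_SBOM`. The checks are deliberately conservative: a package with no version or checksum cannot be matched against vulnerability data, and a package that no relationship references is a hint that the generator saw it but could not place it in the dependency graph.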
Where can I learn more about it?
More about SPDX SBOM Generator: https://github.com/opensbom-generator/spdx-sbom-generator
More about maven-stage: https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-maven-stage
Maven-stage code: https://github.com/lfit/releng-global-jjb/blob/master/jjb/lf-maven-jobs.yaml#L817
If you have any questions or need assistance, please contact https://support.linuxfoundation.org/