EPIC: Extend SBOM "formulation" to allow correct recipe for re-making... #3747

Open
5 tasks
andrew-m-leonard opened this issue Apr 4, 2024 · 0 comments
Labels
compatibility Issues that relate to how our code works with other third party code bases enhancement Issues that enhance the code or documentation of the repo in any way epic Issues that are large and likely multi-layered features or refactors reproducible-build Sbom issue relate to work of sbom testing Issues that enhance or fix our test suites

andrew-m-leonard commented Apr 4, 2024

The intention of the CycloneDX "formulation" is to provide a "recipe" for "re-making" the exact same build.
As it currently stands, the SBOM formulation section contains an strace analysis listing of the package & tooling dependencies used in the original build. We need to add a new section for a "recipe" that provides the exact "configure & make" commands along with how to create a "compatible" environment to re-build an identical build.

Tasks:

  • Investigate the CycloneDX formulation spec and design how the Temurin OpenJDK build tasks (e.g. setup env, clone, configure, make, ...) could be described to enable "reproduction" of a build
  • Design how the necessary formulation information would be obtained during a Temurin build from the build scripts: build.sh, prepareWorkspace.sh, ...
  • Design spec for the necessary changes to the TemurinGenSBOM.java app to support adding formulation tasks. E.g. what sensible "operations" make sense to add "formulation" sections to an SBOM?
  • Update TemurinGenSBOM.java to support "formulation" generation, including unit tests in the ant make file: build.xml
  • Update temurin-build scripts to generate SBOM formulations
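
An added illustration, not part of the original issue or the Temurin code base: one possible shape for a formulation "recipe", built with field names from the CycloneDX 1.5 JSON schema (`workflows`, `tasks`, `taskDependencies`, `steps`, `commands[].executed`). The task names, `bom-ref` values and `<...>` placeholder commands are constructed for the example and are assumptions, not Temurin build arguments.

```python
import uuid

# Task types allowed by the CycloneDX 1.5 "taskTypes" enumeration.
TASK_TYPES = {"copy", "clone", "lint", "scan", "merge", "build", "test",
              "deliver", "deploy", "release", "clean", "other"}

# Constructed sample recipe: (task type, task name, commands).
# Values in <...> are placeholders, not real Temurin build arguments.
SAMPLE_RECIPE = [
    ("other", "setup-env", ["export <ENV_VAR>=<value>"]),
    ("clone", "clone-source", ["git clone <repo-url> src",
                               "git -C src checkout <tag>"]),
    ("build", "configure", ["bash configure <configure-args>"]),
    ("build", "make", ["make <make-target>"]),
]

def build_formulation(recipe, workflow_name="rebuild-recipe"):
    """Turn an ordered recipe into a CycloneDX-style formulation array."""
    tasks, deps, prev = [], [], None
    for i, (task_type, name, commands) in enumerate(recipe):
        if task_type not in TASK_TYPES:
            raise ValueError(f"unknown taskType: {task_type}")
        ref = f"task-{i}-{name}"
        tasks.append({
            # uuid5 is derived from the ref, so the SBOM itself is reproducible.
            "bom-ref": ref, "uid": str(uuid.uuid5(uuid.NAMESPACE_URL, ref)),
            "name": name, "taskTypes": [task_type],
            "steps": [{"name": name,
                       "commands": [{"executed": c} for c in commands]}],
        })
        # Chain each task to its predecessor so the ordering is explicit.
        deps.append({"ref": ref, "dependsOn": [prev] if prev else []})
        prev = ref
    wf_ref = f"workflow-{workflow_name}"
    workflow = {
        "bom-ref": wf_ref, "uid": str(uuid.uuid5(uuid.NAMESPACE_URL, wf_ref)),
        "name": workflow_name,
        "taskTypes": sorted({t["taskTypes"][0] for t in tasks}),
        "tasks": tasks, "taskDependencies": deps,
    }
    return [{"bom-ref": "formula-1", "workflows": [workflow]}]

def replay_commands(formulation):
    """Recover, in task order, the commands a rebuilder would run."""
    return [c["executed"]
            for formula in formulation
            for wf in formula.get("workflows", [])
            for task in wf.get("tasks", [])
            for step in task.get("steps", [])
            for c in step.get("commands", [])]
```

Serialising the return value of `build_formulation(SAMPLE_RECIPE)` with `json.dumps` gives the fragment that would sit under the SBOM's top-level `formulation` key.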
@andrew-m-leonard andrew-m-leonard added enhancement Issues that enhance the code or documentation of the repo in any way reproducible-build labels Apr 4, 2024
@github-actions github-actions bot added the compatibility Issues that relate to how our code works with other third party code bases label Apr 4, 2024
@andrew-m-leonard andrew-m-leonard added Sbom issue relate to work of sbom and removed compatibility Issues that relate to how our code works with other third party code bases labels Apr 4, 2024
@github-actions github-actions bot added the compatibility Issues that relate to how our code works with other third party code bases label Apr 4, 2024
@andrew-m-leonard andrew-m-leonard added the epic Issues that are large and likely multi-layered features or refactors label Sep 24, 2024
@andrew-m-leonard andrew-m-leonard changed the title Extend SBOM "formulation" to allow correct recipe for re-making... EPIC: Extend SBOM "formulation" to allow correct recipe for re-making... Sep 25, 2024
@github-actions github-actions bot added the testing Issues that enhance or fix our test suites label Jan 13, 2025
Projects
Status: Todo