Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Capture CycloneDX JAR SHAs in SBoM #3538

Merged
merged 18 commits into from
Dec 11, 2023
Merged

Capture CycloneDX JAR SHAs in SBoM #3538

merged 18 commits into from
Dec 11, 2023

Conversation

sxa
Copy link
Member

@sxa sxa commented Nov 16, 2023
edited
Loading

Note to reviewers: please allow me to merge this when approved.

This is a test of including the CycloneDX jars (downloaded during the build process) into the SBoM.
There are several JAR files associated with the CycloneDX tool and this only covers one of them so is a "discussion starter" (hence raising this as a draft) as to how we should move forward if we want to capture this information in the SBoM. Is this the right place for it to be stored? Do we definitely need it? Would we exclude it if we downloaded this onto the machines via the playbooks? If we capture all of the JAR SHAs then what should the format be?

      {
        "name" : "FreeMarker",
        "version" : "N.A"
      },
      {
        "name" : "CycloneDX core java JAR SHA",
        "version" : "88193228f85a955127dc73e1c72efc9e08e18a01d227df47d0865dc20eceffd1"
      },
      {
        "name" : "Docker image SHA1",
        "version" : "adoptopenjdk/centos7_build_image@sha256:0dcc7d6c846a7ca4fa7814e0721c05e14a5a88f4bf67c43202586610
      }

Cc @andrew-m-leonard @netomi - this is part of satisfying #3535

References to the new Formula stuff in CycloneDX 1.5 used in this PR:

@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites labels Nov 16, 2023
@sxa sxa changed the title SBOM cyclonedx shas Capture CycloneDX JAR SHAs in SBoM Nov 16, 2023
@andrew-m-leonard
Copy link
Contributor

@sxa One thought would be do we need the other dependencies as well that cyclonedx pulls in jackson...
Then one method maybe to add an extrat ant target to the build.xml to dump the checksum's that are already in that file?

temurin-build/cyclonedx-lib/build.xml

Line 46 in c7f1ad1

checksum="88193228f85a955127dc73e1c72efc9e08e18a01d227df47d0865dc20eceffd1"

@sxa
Copy link
Member Author

sxa commented Nov 21, 2023

@sxa One thought would be do we need the other dependencies as well that cyclonedx pulls in jackson... Then one method maybe to add an extrat ant target to the build.xml to dump the checksum's that are already in that file?

Yeah I reckon I'd be ok with that as another potential option for retrieving the details.

Any thoughts on the format of the entries in the SBoM file?

@andrew-m-leonard
Copy link
Contributor

andrew-m-leonard commented Nov 22, 2023
edited
Loading

Any thoughts on the format of the entries in the SBoM file?

I asked on the CycloneDX slack, I think this is where we should have these:
https://cyclonedx.org/docs/1.5/json/#formulation_items_components

@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites and removed macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites labels Nov 30, 2023
@sxa
Copy link
Member Author

sxa commented Nov 30, 2023

I asked on the CycloneDX slack, I think this is where we should have these: https://cyclonedx.org/docs/1.5/json/#formulation_items_components

Looks like the formulation classes aren't available in our cyclonedx-core-java.jar, so I'm not sure how to do this.

@sxa
Try to fix CycloneDX Formula class
824a411 
Signed-off-by: Stewart X Addison <[email protected]>
@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites and removed macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites labels Nov 30, 2023
@stevespringett
Copy link

@sxa Formulation support was added to v1.5 of the CycloneDX specification, which is supported in cyclonedx-core-java v8.0 and higher. If your version of the jar does not support formulation, its likely an older version. The recommendation would be to update the jar to the current release.

See: https://github.com/CycloneDX/cyclonedx-core-java/tree/master/src/main/java/org/cyclonedx/model/formulation

@sxa
Copy link
Member Author

sxa commented Dec 1, 2023
edited
Loading

@sxa Formulation support was added to v1.5 of the CycloneDX specification, which is supported in cyclonedx-core-java v8.0 and higher.

Yeah looks like we're on 1.4 just now so will need to upgrade if we're going to use that field for this. I guess https://cyclonedx.github.io/cyclonedx-core-java/org/cyclonedx/model/formulation/Formula.html is the class I'll need for the Formulation section?

@sxa
Copy link
Member Author

sxa commented Dec 1, 2023
edited
Loading

Current plan of action after discussion with @andrew-m-leonard:

Step 1: Update the version of CycloneDX to 8.0.3:

Note: Plan would be to merge phase 1 next week - ideally Monday morning - as doing something like this on a Friday afternoon is asking for trouble :-)

The above are covered under #3558

Step 2: Add the support to generate a Formulation section in our SBoM):

(Note that this step can be done indepedent of step 1, but step 1 will need to be completed before we can merge step 2 as it will have a dependency on the new jars)

  • Make sure we can run an ant build against build.xml against the updated CycloneDX. Can be tested locally by updating the URL in build.xml to pull directly from maven instead of our jenkins job. Verify whether other updates to the other jars will be required too based on whether it builds correctly
  • Add support into TemurinGenSBOM.java for creating formulations (This PR)
  • Add support into build.sh for calling TemurinGenSBOM with the formulation options (Also this PR)
  • Add tests for the new formulations options into build.xml (Probably this PR again ...)
  • Get approval that the place this is going to be stored is valid and that we cover everything needed. I'm currently envisioning Using formulations -> Component (CycloneDX jars) -> Properties with a name/value pair for each jar+sha256sum. If anyone has a better idea, let me know :-)

Noting also that CycloneDX (unsurprisingly!) provides GPG signatures and we should look to validate those instead of relying on fixed SHA checksums in order to make the process of upgrading easier (and because it's a better way of verifying)

@sxa sxa mentioned this pull request Dec 1, 2023
Merged
@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites and removed macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites labels Dec 1, 2023
@sxa sxa force-pushed the sbom_cyclonedx_shas branch from d77d8f7 to 28712a8 Compare December 1, 2023 18:13
@github-actions github-actions bot removed the macos Issues that affect or relate to the MAC OS label Dec 1, 2023
@sxa
Copy link
Member Author

sxa commented Dec 6, 2023
edited
Loading

Note to reviewers: please allow me to merge this when approved.

Unless reviews explicitly object I'd like to merge this and then sort out the naming of the formulation entry (BomRef) in a subsequent PR to avoid accessing entry (0) in the lists.

@netomi
Copy link
Contributor

netomi commented Dec 7, 2023

cant access the pipeline test build.

@sxa
Copy link
Member Author

sxa commented Dec 7, 2023
edited
Loading

cant access the pipeline test build.

The github check for JDK8u has equivalent output and prints out the SBoM at the end: https://github.com/adoptium/temurin-build/actions/runs/7117734755/job/19379150291?pr=3538

For reference, the subjobs kicked off by that pipeline should be visible here - look for ===METADATA OUTPUT=== in the log:

@andrew-m-leonard Do we need the non-release pipelines to be restricted access now that we've split out the release ones?

@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites and removed macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites labels Dec 7, 2023
@sxa
Copy link
Member Author

sxa commented Dec 7, 2023
edited
Loading

Unless reviews explicitly object I'd like to merge this and then sort out the naming of the formulation entry (BomRef) in a subsequent PR to avoid accessing entry (0) in the lists.

Latest push has resolved this and is using a BomRef of CycloneDX to identify the correct entry in the list

 "formulation" : [
    {
      "components" : [
        {
          "name" : "CycloneDX jar SHAs",
          "properties" : [
            {
              "name" : "commons-codec.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            },
            {
              "name" : "commons-io.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            },
            {
              "name" : "cyclonedx-core-java.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            },
            {
              "name" : "github-package-url.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            },
            {
              "name" : "jackson-annotations.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            },
            {
              "name" : "jackson-core.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            },
            {
              "name" : "jackson-databind.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            },
            {
              "name" : "jackson-dataformat-xml.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            },
            {
              "name" : "json-schema.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            },
            {
              "name" : "temurin-gen-sbom.jar",
              "value" : "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5"
            }
          ],
          "type" : "framework"
        }
      ],
      "bom-ref" : "CycloneDX"
    }
  ]

A couple of quesions (Maybe for @stevespringett ?)

  • Is a type of framework suitable for the list here, or would application be better?
  • Is using bom-ref like this as an identifier for the Component list entry a valid thing to do, and is CyloneDX a good identifier for this purpose (Storing the CycloneDX jar details) Maybe CycloneDX formula to help ensure uniqueness?

Re-running full pipeline test at https://ci.adoptium.net/job/build-scripts/job/openjdk21-pipeline/230/console which has spawned:

The next three pushes were linter/comment fixes and do not impact functionality or invalidate those jobs.

@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites and removed macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites labels Dec 7, 2023
@sxa sxa force-pushed the sbom_cyclonedx_shas branch from a0bb853 to 09b8235 Compare December 7, 2023 12:57
@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites and removed macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites labels Dec 7, 2023
@sxa
Placate linter again
cf7f8ba 
Signed-off-by: Stewart X Addison <[email protected]>
@sxa sxa force-pushed the sbom_cyclonedx_shas branch from 09b8235 to cf7f8ba Compare December 7, 2023 13:00
@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites and removed macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites labels Dec 7, 2023
andrew-m-leonard
andrew-m-leonard approved these changes Dec 7, 2023
View reviewed changes
Copy link
Contributor

@andrew-m-leonard andrew-m-leonard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@sxa
Copy link
Member Author

sxa commented Dec 8, 2023
edited
Loading

build runs are failing with an error compiling the TKG code:

     [javac] Compiling 27 source files to /__w/temurin-build/temurin-build/aqa-tests/TKG/bin
    [javac] /__w/temurin-build/temurin-build/aqa-tests/TKG/src/org/testKitGen/TestDivider.java:28: error: package org.json.simple does not exist
    [javac] import org.json.simple.JSONArray;

Should be unrelated to this PR

@sxa sxa merged commit 380140f into adoptium:master Dec 11, 2023
8 of 25 checks passed
@sxa sxa mentioned this pull request Dec 11, 2023
Closed
@karianna karianna mentioned this pull request Jan 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@netomi netomi netomi left review comments

@andrew-m-leonard andrew-m-leonard andrew-m-leonard approved these changes

@karianna karianna karianna approved these changes

Assignees

@sxa sxa

Labels
macos Issues that affect or relate to the MAC OS testing Issues that enhance or fix our test suites
Projects
No open projects
Adoptium 4Q 2023 Plan
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@sxa @andrew-m-leonard @stevespringett @netomi @karianna