Skip to content

Commit ad3d2dc

Browse files
dongjoon-hyundongjoon-hyun
committed
[SPARK-53669] Publish SBOM artifacts
### What changes were proposed in this pull request? Since Apache Spark 3.4.0, Apache Spark main repository has been providing `SBOM` artifact. Like the main repository, this PR aims to publish `SBOM` artifacts of `Apache Spark K8s Operator` artifacts. - apache/spark#39401 - https://repo1.maven.org/maven2/org/apache/spark/spark-core_2.13/4.0.1/spark-core_2.13-4.0.1-cyclonedx.xml ### Why are the changes needed? Here is an article to give some context. - https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/ Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX](https://cyclonedx.org/), [Software Identification (SWID) tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software Package Data Exchange® (SPDX)](https://spdx.dev/). ### Does this PR introduce _any_ user-facing change? No behavior change. ### How was this patch tested? Manually run the following command and check the local Maven directory. **COMMAND** ``` $ gradle publishApachePublicationToMavenLocal -Prelease ``` **BEFORE** ``` $ ls -al ~/.m2/repository/org/apache/spark/spark-operator-api/0.5.0-SNAPSHOT total 976 drwxr-xr-x 15 dongjoon staff 480 Sep 22 16:26 . drwxr-xr-x 4 dongjoon staff 128 Sep 22 16:26 .. -rw-r--r-- 1 dongjoon staff 2632 Sep 22 16:26 maven-metadata-local.xml -rw-r--r-- 1 dongjoon staff 233151 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar.asc -rw-r--r-- 1 dongjoon staff 52522 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-sources.jar -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-sources.jar.asc -rw-r--r-- 1 dongjoon staff 17387 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-tests.jar -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-tests.jar.asc -rw-r--r-- 1 dongjoon staff 154249 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.jar -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.jar.asc -rw-r--r-- 1 dongjoon staff 2683 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.module -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.module.asc -rw-r--r-- 1 dongjoon staff 2289 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.pom -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.pom.asc ``` **AFTER** ``` $ ls -al ~/.m2/repository/org/apache/spark/spark-operator-api/0.5.0-SNAPSHOT total 5880 drwxr-xr-x 17 dongjoon staff 544 Sep 22 16:27 . drwxr-xr-x 4 dongjoon staff 128 Sep 22 16:27 .. -rw-r--r-- 1 dongjoon staff 3050 Sep 22 16:27 maven-metadata-local.xml -rw-r--r-- 1 dongjoon staff 2505028 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-cyclonedx.xml -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-cyclonedx.xml.asc -rw-r--r-- 1 dongjoon staff 233151 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar.asc -rw-r--r-- 1 dongjoon staff 52522 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-sources.jar -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-sources.jar.asc -rw-r--r-- 1 dongjoon staff 17387 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-tests.jar -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-tests.jar.asc -rw-r--r-- 1 dongjoon staff 154249 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.jar -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.jar.asc -rw-r--r-- 1 dongjoon staff 2683 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.module -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.module.asc -rw-r--r-- 1 dongjoon staff 2289 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.pom -rw-r--r-- 1 dongjoon staff 833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.pom.asc ``` ### Was this patch authored or co-authored using generative AI tooling? No. Closes #332 from dongjoon-hyun/SPARK-53669. Authored-by: Dongjoon Hyun <[email protected]> Signed-off-by: Dongjoon Hyun <[email protected]>
1 parent bb46c2f commit ad3d2dc

File tree

3 files changed

+9
-0
lines changed

3 files changed

+9
-0
lines changed

build.gradle

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@ buildscript {
2626
classpath "${libs.spotbugs.gradle.plugin.get()}"
2727
classpath "${libs.spotless.plugin.gradle.get()}"
2828
classpath "${libs.shadow.get()}"
29+
classpath "${libs.cyclonedx.bom.get()}"
2930
}
3031
}
3132

deploy.gradle

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@ if (project.hasProperty('release') && JavaVersion.current().getMajorVersion().to
2222
}
2323

2424
subprojects {
25+
apply plugin: 'org.cyclonedx.bom'
2526
apply plugin: 'maven-publish'
2627
apply plugin: 'signing'
2728
afterEvaluate {
@@ -68,6 +69,11 @@ subprojects {
6869
artifact sourceJar
6970
artifact javadocJar
7071
artifact testJar
72+
artifact("$buildDir/reports/bom.xml") {
73+
classifier 'cyclonedx'
74+
extension 'xml'
75+
builtBy tasks.named('cyclonedxBom')
76+
}
7177

7278
versionMapping {
7379
allVariants {

gradle/libs.versions.toml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,7 @@ spotbugs-plugin = "6.4.2"
3636
spotless-plugin = "6.25.0"
3737

3838
# Packaging
39+
cyclonedx = "2.4.1"
3940
shadow-jar-plugin = "8.3.6"
4041

4142
[libraries]
@@ -65,3 +66,4 @@ junit-platform-launcher = { group = "org.junit.platform", name = "junit-platform
6566
spotbugs-gradle-plugin = { group = "com.github.spotbugs.snom", name = "spotbugs-gradle-plugin", version.ref = "spotbugs-plugin" }
6667
spotless-plugin-gradle = { group = "com.diffplug.spotless", name = "spotless-plugin-gradle", version.ref = "spotless-plugin" }
6768
shadow = { group = "com.gradleup.shadow", name = "shadow-gradle-plugin", version.ref = "shadow-jar-plugin"}
69+
cyclonedx-bom = { group = "org.cyclonedx.bom", name = "org.cyclonedx.bom.gradle.plugin", version.ref = "cyclonedx" }

0 commit comments

Comments
 (0)