feat: add missing build-time SBOMs #895
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
8 tasks
siegfriedweber
requested review from
siegfriedweber
and removed request for
a team
siegfriedweber
requested changes
Oct 15, 2024
|
@siegfriedweber Thanks for the review so far, that was very helpful. I should have checked things more thoroughly, sorry, will do better next time. |
|
Sorry for the conflicts I caused. |
Co-authored-by: Siegfried Weber <[email protected]>
Co-authored-by: Siegfried Weber <[email protected]>
Co-authored-by: Siegfried Weber <[email protected]>
dervoeti
force-pushed
the
feat/add-missing-sboms
branch
from
2fb698c to
b4c5d1c
Compare
dervoeti
force-pushed
the
feat/add-missing-sboms
branch
from
b4c5d1c to
c459c49
Compare
|
@lfrancke @siegfriedweber I rebased my changes on top of the current main branch now |
Techassi
pushed a commit
that referenced
this pull request
Oct 21, 2024
* feat: generate SBOMs at build time for OPA, statsd_exporter and kafka * fix: remove circular dependencies in Airflow SBOM * fix: kafka: ignore test components in SBOM * fix: kafka: missing patchfile for kafka 3.8.0 * fix: no need to cleanup builder image Co-authored-by: Siegfried Weber <[email protected]> * fix: add comment about cyclonedx-gomod to statsd_exporter as well Co-authored-by: Siegfried Weber <[email protected]> * fix: undo merge errors * fix: casing to make linter happy * fix: indenting and alphabetical sorting of packages Co-authored-by: Siegfried Weber <[email protected]> * fix: re-added line to remove sourcecode after build of statsd_exporter * fix: merge RUN layers in statsd_exporter * fix: place SBOM files closer to the application they are for * fix: update gradle cyclonedx plugin to version 1.10.0 * fix: remove unnecessary curl flags, because we have a curlrc file * fix: fixed variable substitution * feat: pinned versions of python packages * fix: fixes to adapt upstream changes * fix: use GOPATH for invoking cyclonedx-gomod * feat: add comment on how to obtain skipped projects in Kafka build --------- Co-authored-by: Siegfried Weber <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Fix needed for stackabletech/issues#614
Changes:
RUNcommands to Heredocapache-airflow-providers-smtpdepends onapache-airflowandapache-airflowdepends onapache-airflow-providers-smtp. This causes the rendering of the dependency tree in SecObserve to fail.cyclonedx-gomod(and I think Go in general) determines the version at build time. I did not find another way, I checked the source code ofcyclonedx-gomod, that seems to be the only valid way. Since we don't include the.gitfolder in our .tar.gz archives in Nexus, a dummy Git repo has to be created.